Instead Auto-update SRI hash when a change lands on main, file a PR

This should ensure that dependabot PRs can land (because their SRI hash doesn't get checked), while still ensuring that the SRI hash doesn't get forgotten.
boinkor-net · Aug 11, 2023 · 64c0072 · 64c0072
1 parent 6494c6d
commit 64c0072
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 70 deletions.
diff --git a/.github/workflows/auto_update_sri_pr.yml b/.github/workflows/auto_update_sri_pr.yml
@@ -0,0 +1,55 @@
+# This action is suuuuper ripped off from tailscale's:
+# https://github.com/tailscale/tailscale/blob/main/.github/workflows/update-flake.yml
+
+name: "File PR for updated SRI hash"
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - go.mod
+      - go.sum
+      - .github/workflows/auto_update_sri_pr.yml
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  update_sri_hash:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Generate token
+        id: generate-token
+        uses: tibdex/github-app-token@v1
+        with:
+          app_id: ${{ vars.PR_FIXUP_APP_ID }}
+          private_key: ${{ secrets.PR_FIXUP_APP_PRIVATE_KEY }}
+      - uses: actions/checkout@v3.5.3
+        with:
+          token: ${{secrets.REPO_CONTENT_UPDATE_TOKEN}}
+          fetch-depth: 0 # otherwise, you will failed to push refs to dest repo
+      - name: Cache install Nix packages
+        uses: mtoohey31/cache-flake-attrs@v2
+        with:
+          key: ${{ runner.os }}-nix-${{ hashFiles('./flake.nix') }}
+          flake_paths: ".#regenSRI"
+      - name: re-generate SRI
+        run: "nix --extra-experimental-features nix-command --extra-experimental-features flakes run .#regenSRI"
+
+      - name: File pull request
+        uses: peter-evans/create-pull-request@v5
+        with:
+          token: ${{ steps.generate-token.outputs.token }}
+          author: Flakes Updater <noreply+flakes-updater@boinkor.net>
+          committer: Flakes Updater <noreply+flakes-updater@boinkor.net>
+          branch: auto-update-sri
+          commit-message: "tsnsrv.sri: update SRI hash for go module changes"
+          title: "tsnsrv.sri: update SRI hash for go module changes"
+          body: Triggered by ${{ github.repository }}@${{ github.sha }}
+          signoff: true
+          delete-branch: true
+          reviewers: antifuchs
diff --git a/.github/workflows/dispatch_update_sri.yml b/.github/workflows/dispatch_update_sri.yml
diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml
@@ -17,46 +17,3 @@ jobs:
       - uses: actions/checkout@v3.5.3
       - uses: cachix/install-nix-action@v22
       - run: nix flake check path:.
-
-  # less expensive than running a full flake package build, but
-  # validates the thing we care about:
-  sri_check:
-    runs-on: ubuntu-latest
-    if: github.event_name == 'pull_request'
-    steps:
-      - name: Generate token
-        id: issue_update
-        uses: tibdex/github-app-token@v1
-        with:
-          app_id: ${{ vars.PR_FIXUP_APP_ID }}
-          private_key: ${{ secrets.PR_FIXUP_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v3.5.3
-      - name: Cache install Nix packages
-        uses: mtoohey31/cache-flake-attrs@v2
-        with:
-          key: ${{ runner.os }}-nix-${{ hashFiles('./flake.nix') }}
-          flake_paths: ".#regenSRI"
-      - name: re-generate SRI
-        run: "nix --extra-experimental-features nix-command --extra-experimental-features flakes run .#regenSRI"
-      - run: git diff --exit-code
-        id: up_to_date
-      - run: '(echo "diff<<EOF" ; git diff ; echo EOF) >> $GITHUB_OUTPUT'
-        if: always() && steps.up_to_date.outcome == 'failure'
-        id: diff
-      - name: Leave a PR comment
-        uses: thollander/actions-comment-pull-request@v2
-        if: always()
-        with:
-          message: |
-            # SRI tag needs updating
-
-            It looks like the generated SRI hash on the go modules in this repo is outdated. This usually happens when the go module structure / version changes, and will break the build of nix packages. Here's the diff:
-
-            ```diff
-            ${{steps.diff.outputs.diff}}
-            ```
-
-            To update the SRI hash easily, a repo admin can run the [`Update SRI hash` action](https://github.com/boinkor-net/tsnsrv/actions/workflows/dispatch_update_sri.yml) on this branch, or you can invoke `regenSRI` on the nix dev shell and commit & push.
-          comment_tag: execution
-          mode: "${{ steps.up_to_date.outcome == 'failure' && 'upsert' || 'delete' }}"
-          GITHUB_TOKEN: ${{ steps.issue_update.outputs.token }}