feat: add gpg signs capability

selfuryon · Mar 14, 2023 · 61334c9 · 61334c9
1 parent e0e5663
commit 61334c9
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 14 deletions.
diff --git a/README.md b/README.md
@@ -1,3 +1,3 @@
-# Update packages
+# nix-update-action
 
-This action uses `nix-update` to update flake output packages
+This action uses `nix-update` to update flake packages
diff --git a/action.yaml b/action.yaml
@@ -1,4 +1,5 @@
 ---
+# Inspired by https://github.com/DeterminateSystems/update-flake-lock
 name: 'nix-update action'
 description: 'A GitHub action that detects and updates flake outputs via nix-update tool'
 inputs:
@@ -10,14 +11,14 @@ inputs:
     description: 'A list of dependencies, comma separated, to skip from updating.'
     required: false
     default: ''
-  ignore_errors:
-    description: 'If `true`, will ignore all updating errors'
-    required: false
-    default: false
   branch:
     description: 'The branch of the PR to be created'
     required: false
     default: "chore/nix_update_actions"
+  path-to-flake-dir:
+    description: 'The path of the directory containing `flake.nix` file within your repository.'
+    required: false
+    default: ''
   pr-title:
     description: 'The title of the PR to be created'
     required: false
@@ -55,6 +56,21 @@ inputs:
     description: 'Committer email used for commit.'
     required: false
     default: 'github-actions[bot]@users.noreply.github.com'
+  sign-commits:
+    description: 'Set to true if the action should sign the commit with GPG'
+    required: false
+    default: 'false'
+  gpg-private-key:
+    description: 'GPG Private Key with which to sign the commits in the PR to be created'
+    required: false
+    default: ''
+  gpg-fingerprint:
+    description: 'Fingerprint of specific GPG subkey to use'
+    required: false
+  gpg-passphrase:
+    description: 'GPG Private Key Passphrase for the GPG Private Key with which to sign the commits in the PR to be created'
+    required: false
+    default: ''
 outputs:
   pull-request-number:
     description: 'The number of the opened pull request'
@@ -66,7 +82,33 @@ runs:
       with:
         packages: "nix-update,jq"
         inputs-from: nixpkgs
-    - name: Set environment variables
+    - name: Import bot's GPG key for signing commits
+      if: ${{ inputs.sign-commits == 'true' }}
+      id: import-gpg
+      uses: crazy-max/ghaction-import-gpg@v5
+      with:
+        gpg_private_key: ${{ inputs.gpg-private-key }}
+        fingerprint: ${{ inputs.gpg-fingerprint }}
+        passphrase: ${{ inputs.gpg-passphrase }}
+        git_config_global: true
+        git_user_signingkey: true
+        git_commit_gpgsign: true
+    - name: Set environment variables (signed commits)
+      if: ${{ inputs.sign-commits == 'true' }}
+      shell: bash
+      env:
+        GIT_AUTHOR_NAME: ${{ steps.import-gpg.outputs.name }}
+        GIT_AUTHOR_EMAIL: ${{ steps.import-gpg.outputs.email }}
+        GIT_COMMITTER_NAME: ${{ steps.import-gpg.outputs.name }}
+        GIT_COMMITTER_EMAIL: ${{ steps.import-gpg.outputs.email }}
+        TARGETS: ${{ inputs.inputs }}
+      run: |
+        echo "GIT_AUTHOR_NAME=$GIT_AUTHOR_NAME" >> $GITHUB_ENV
+        echo "GIT_AUTHOR_EMAIL=<$GIT_AUTHOR_EMAIL>" >> $GITHUB_ENV
+        echo "GIT_COMMITTER_NAME=$GIT_COMMITTER_NAME" >> $GITHUB_ENV
+        echo "GIT_COMMITTER_EMAIL=<$GIT_COMMITTER_EMAIL>" >> $GITHUB_ENV
+    - name: Set environment variables (unsigned commits)
+      if: ${{ inputs.sign-commits != 'true' }}
       shell: bash
       run: |
         echo "GIT_AUTHOR_NAME=${{ inputs.git-author-name }}" >> $GITHUB_ENV
@@ -79,11 +121,11 @@ runs:
       env:
         PACKAGES: ${{ inputs.inputs }}
         BLACKLIST: ${{ inputs.blacklist }}
-        IGNORE_ERRORS: ${{ inputs.ignore_errors }}
         GIT_AUTHOR_NAME: ${{ env.GIT_AUTHOR_NAME }}
         GIT_AUTHOR_EMAIL: ${{ env.GIT_AUTHOR_EMAIL }}
         GIT_COMMITTER_NAME: ${{ env.GIT_COMMITTER_NAME }}
         GIT_COMMITTER_EMAIL: ${{ env.GIT_COMMITTER_EMAIL }}
+        PATH_TO_FLAKE_DIR: ${{ inputs.path-to-flake-dir }}
     - name: Create PR
       id: create-pr
       uses: peter-evans/create-pull-request@v4

diff --git a/nix-update.sh b/nix-update.sh
@@ -1,7 +1,12 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-# This function will modify all INPUT_* variables so that they don't contain any garbage
+enterFlakeFolder() {
+  if [[ -n "$PATH_TO_FLAKE_DIR" ]]; then
+    cd "$PATH_TO_FLAKE_DIR"
+  fi
+}
+
 sanitizeInputs() {
   # remove all whitespace
   PACKAGES="${PACKAGES// /}"
@@ -16,11 +21,6 @@ determinePackages() {
 }
 
 updatePackages() {
-  # Check tolerance to failed updates
-  if [[ $IGNORE_ERRORS == 'true' ]]; then
-    set +euo pipefail
-  fi
-
   # update packages
   for PACKAGE in ${PACKAGES//,/ }; do
     if [[ ",$BLACKLIST," == *",$PACKAGE,"* ]]; then
@@ -32,6 +32,7 @@ updatePackages() {
   done
 }
 
+enterFlakeFolder
 sanitizeInputs
 determinePackages
 updatePackages