update-flake-lock/action.yml

name: 'Update flake.lock'
description: 'Update your flake.lock and send a PR'
inputs:
  inputs:
    description: 'A space-separated list of inputs to update. Leave empty to update all inputs.'
    required: false
    default: ''
  token:
    description: 'GITHUB_TOKEN or a `repo` scoped Personal Access Token (PAT)'
    required: false
    default: ${{ github.token }}
  commit-with-token:
    description: 'Set to "true" to produce a verified commit with token'
    required: false
    default: ''
  commit-msg:
    description: 'The message provided with the commit'
    required: false
    default: "flake.lock: Update"
  branch:
    description: 'The branch of the PR to be created'
    required: false
    default: "update_flake_lock_action"
  path-to-flake-dir:
    description: 'The path of the directory containing `flake.nix` file within your repository. Useful when `flake.nix` cannot reside at the root of your repository.'
    required: false
    default: ''
  pr-title:
    description: 'The title of the PR to be created'
    required: false
    default: "flake.lock: Update"
  pr-body:
    description: 'The body of the PR to be created'
    required: false
    default: |
      Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action.

      ```
      {{ env.GIT_COMMIT_MESSAGE }}
      ```

      ### Running GitHub Actions on this PR

      GitHub Actions will not run workflows on pull requests which are opened by a GitHub Action.

      To run GitHub Actions workflows on this PR, run:

      ```sh
      git branch -D update_flake_lock_action
      git fetch origin
      git checkout update_flake_lock_action
      git commit --amend --no-edit
      git push origin update_flake_lock_action --force
      ```

  pr-labels:
    description: 'A comma or newline separated list of labels to set on the Pull Request to be created'
    required: false
    default: ''
  sign-commits:
    description: 'Set to true if the action should sign the commit with GPG'
    required: false
    default: 'false'
  gpg-private-key:
    description: 'GPG Private Key with which to sign the commits in the PR to be created'
    required: false
    default: ''
  gpg-fingerprint:
    description: 'Fingerprint of specific GPG subkey to use'
    required: false
  gpg-passphrase:
    description: 'GPG Private Key Passphrase for the GPG Private Key with which to sign the commits in the PR to be created'
    required: false
    default: ''
outputs:
  pull-request-number:
    description: 'The number of the opened pull request'
    value: ${{ steps.create-pr.outputs.pull-request-number }}
runs:
  using: "composite"
  steps:
    - name: Import bot's GPG key for signing commits
      if: ${{ inputs.sign-commits == 'true' }}
      id: import-gpg
      uses: crazy-max/ghaction-import-gpg@v5
      with:
        gpg_private_key: ${{ inputs.gpg-private-key }}
        fingerprint: ${{ inputs.gpg-fingerprint }}
        passphrase: ${{ inputs.gpg-passphrase }}
        git_config_global: true
        git_user_signingkey: true
        git_commit_gpgsign: true
    - name: Set environment variables (signed commits)
      if: ${{ inputs.sign-commits == 'true' }}
      shell: bash
      env:
        GIT_AUTHOR_NAME: ${{ steps.import-gpg.outputs.name }}
        GIT_AUTHOR_EMAIL: ${{ steps.import-gpg.outputs.email }}
        GIT_COMMITTER_NAME: ${{ steps.import-gpg.outputs.name }}
        GIT_COMMITTER_EMAIL: ${{ steps.import-gpg.outputs.email }}
        TARGETS: ${{ inputs.inputs }}
      run: |
        echo "GIT_AUTHOR_NAME=$GIT_AUTHOR_NAME" >> $GITHUB_ENV
        echo "GIT_AUTHOR_EMAIL=<$GIT_AUTHOR_EMAIL>" >> $GITHUB_ENV
        echo "GIT_COMMITTER_NAME=$GIT_COMMITTER_NAME" >> $GITHUB_ENV
        echo "GIT_COMMITTER_EMAIL=<$GIT_COMMITTER_EMAIL>" >> $GITHUB_ENV
    - name: Set environment variables (unsigned commits)
      if: ${{ inputs.sign-commits != 'true' }}
      shell: bash
      run: |
        echo "GIT_AUTHOR_NAME=github-actions[bot]" >> $GITHUB_ENV
        echo "GIT_AUTHOR_EMAIL=<github-actions[bot]@users.noreply.github.com>" >> $GITHUB_ENV
        echo "GIT_COMMITTER_NAME=github-actions[bot]" >> $GITHUB_ENV
        echo "GIT_COMMITTER_EMAIL=<github-actions[bot]@users.noreply.github.com>" >> $GITHUB_ENV
    - name: Run update-flake-lock.sh
      run: $GITHUB_ACTION_PATH/update-flake-lock.sh
      shell: bash
      env:
        GIT_AUTHOR_NAME: ${{ env.GIT_AUTHOR_NAME }}
        GIT_AUTHOR_EMAIL: ${{ env.GIT_AUTHOR_EMAIL }}
        GIT_COMMITTER_NAME: ${{ env.GIT_COMMITTER_NAME }}
        GIT_COMMITTER_EMAIL: ${{ env.GIT_COMMITTER_EMAIL }}
        TARGETS: ${{ inputs.inputs }}
        COMMIT_MSG: ${{ inputs.commit-msg }}
        PATH_TO_FLAKE_DIR: ${{ inputs.path-to-flake-dir }}
        COMMIT_WITH_TOKEN: ${{ inputs.commit-with-token }}

    - name: Commit changes
      if: ${{ inputs.commit-with-token == 'true' }}
      env:
        GITHUB_TOKEN: ${{ inputs.token }}
        FILE_TO_COMMIT: flake.lock
        DESTINATION_BRANCH: ${{ inputs.branch }}
      shell: bash
      run: |
        set -x
        export CONTENT=$( base64 -i $FILE_TO_COMMIT )
        export BASE=$DESTINATION_BRANCH
        if gh api --method GET /repos/:owner/:repo/git/refs/heads/$DESTINATION_BRANCH; then
          git fetch origin $DESTINATION_BRANCH
        else
          export BASE=$(gh repo view --json defaultBranchRef --template '{{ .defaultBranchRef.name }}' ${{github.repository}})
          export BASE_SHA=$( git rev-parse origin/$BASE )
          gh api --method POST /repos/:owner/:repo/git/refs \
            --field ref=refs/heads/$DESTINATION_BRANCH \
            --field sha=$BASE_SHA
        fi
        export BASE_SHA=$( git rev-parse origin/$BASE )
        export SHA=$( git rev-parse origin/$BASE:$FILE_TO_COMMIT )
        gh api --method PUT /repos/:owner/:repo/contents/$FILE_TO_COMMIT \
          --field message="${{inputs.commit-msg}}" \
          --field content="$CONTENT" \
          --field encoding="base64" \
          --field branch="$DESTINATION_BRANCH" \
          --field sha="$SHA"
    - name: Save PR Body as file
      uses: DamianReeves/write-file-action@v1.1
      with:
        path: pr_body.template
        contents: ${{ inputs.pr-body }}
      env: {}
    - name: Set additional env variables (GIT_COMMIT_MESSAGE)
      shell: bash
      run: |
        GIT_COMMIT_MESSAGE="$(git log --format=%b -n 1)"
        GIT_COMMIT_MESSAGE="${GIT_COMMIT_MESSAGE//'%'/'%25'}"
        GIT_COMMIT_MESSAGE="${GIT_COMMIT_MESSAGE//$'\n'/'%0A'}"
        GIT_COMMIT_MESSAGE="${GIT_COMMIT_MESSAGE//$'\r'/'%0D'}"
        echo "GIT_COMMIT_MESSAGE=$GIT_COMMIT_MESSAGE" >> $GITHUB_ENV
        echo "GIT_COMMIT_MESSAGE is: ${GIT_COMMIT_MESSAGE}"
    - name: Interpolate PR Body
      uses: pedrolamas/handlebars-action@v2.0.0
      with:
        files: 'pr_body.template'
        output-filename: 'pr_body.txt'
    - name: Read pr_body.txt
      id: pr_body
      uses: andstor/file-reader-action@v1
      with:
        path: "pr_body.txt"
    # We need to remove the pr_body files so that the
    # peter-evans/create-pull-request action does not commit it (the
    # action commits all new and modified files).
    - name: Remove PR body template files
      shell: bash
      run: rm -f pr_body.txt pr_body.template
    - name: Create PR
      id: create-pr
      uses: peter-evans/create-pull-request@v3
      with:
        branch: ${{ inputs.branch }}
        delete-branch: true
        committer: ${{ env.GIT_COMMITTER_NAME }} ${{ env.GIT_COMMITTER_EMAIL }}
        author: ${{ env.GIT_AUTHOR_NAME }} ${{ env.GIT_AUTHOR_EMAIL }}
        title: ${{ inputs.pr-title }}
        token: ${{ inputs.token }}
        labels: ${{ inputs.pr-labels }}
        body: ${{ steps.pr_body.outputs.contents }}