deps(deps): bump github.com/getsops/sops/v3 from 3.12.1 to 3.12.2 #15
Workflow file for this run
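# Keeps `vendorHash` in flake.nix in sync with go.mod / go.sum.
#
# The job runs `nix build`; when the build fails with a fixed-output hash
# mismatch it reads the hash Nix reports under "got:", writes it into
# flake.nix and commits the result back to the branch that triggered the run.
name: Update Nix Vendor Hash

on:
  pull_request:
    paths:
      - 'go.mod'
      - 'go.sum'
  push:
    branches:
      - master
    paths:
      - 'go.mod'
      - 'go.sum'

# Write access is needed so the last step can push the updated flake.nix.
# The scope applies to every step of the job, including the third-party
# actions below, which is why those references should be pinned.
permissions:
  contents: write

jobs:
  update-nix-hash:
    runs-on: ubuntu-latest
    # Run only for branches that live in this repository. The checkout below
    # resolves `github.head_ref` against this repository, so a pull request
    # from a fork would check out the wrong ref (or none), and by default its
    # token is read-only, so the commit step could not push anyway.
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    steps:
      # NOTE(review): the three `uses:` references in this job are mutable
      # tags. Pin each one to a full commit SHA
      # (`uses: owner/action@<full-commit-sha> # vN`) so that a retagged
      # release cannot run with this job's write token.
      - uses: actions/checkout@v6
        with:
          # Check out the branch itself (not the PR merge commit) so the
          # hash fix can be committed back onto it.
          ref: ${{ github.event_name == 'pull_request' && github.head_ref || github.ref_name }}

      - uses: cachix/install-nix-action@v31
        with:
          github_access_token: ${{ secrets.GITHUB_TOKEN }}

      - name: Update vendorHash
        id: update
        run: |
          echo "Attempting to build and check for hash mismatch..."

          # A successful build means vendorHash already matches go.mod/go.sum.
          if OUTPUT=$(nix build --no-link 2>&1); then
            echo "Build successful, no hash update needed."
            exit 0
          fi

          # Any failure other than a hash mismatch is out of scope: this
          # workflow only updates hashes, and the regular CI is expected to
          # report real build errors, so do not fail the run here.
          if ! grep -q "hash mismatch" <<<"$OUTPUT"; then
            echo "Build failed for reason other than hash mismatch."
            echo "Full output:"
            printf '%s\n' "$OUTPUT"
            exit 0
          fi

          echo "Detected hash mismatch. Extracting new hash..."

          # Nix prints the hash it computed on a line of the form
          #   got:    sha256-<base64>=
          # with variable whitespace around "got:". Use the first such line
          # and keep only the token that follows the label.
          NEW_HASH=$(sed -nE 's/^[[:space:]]*got:[[:space:]]*([^[:space:]]+).*/\1/p' <<<"$OUTPUT" | head -n1)

          if [ -z "$NEW_HASH" ]; then
            echo "Could not extract new hash from output."
            echo "Full output:"
            printf '%s\n' "$OUTPUT"
            exit 1
          fi

          # The value is taken from build output (which the branch under
          # build influences) and is spliced into a sed program and into
          # flake.nix. Accept nothing but a well-formed sha256 SRI hash, so
          # no sed delimiter, quote or whitespace can reach the edit below.
          hash_re='^sha256-[A-Za-z0-9+/]+={0,2}$'
          if [[ ! "$NEW_HASH" =~ $hash_re ]]; then
            echo "Extracted value is not a sha256 SRI hash; refusing to edit flake.nix."
            exit 1
          fi
          echo "Found new hash: $NEW_HASH"

          # Read the current hash from the same kind of line the edit below
          # targets (optional indentation, then `vendorHash = "..."`), so
          # comments or other mentions of vendorHash are ignored.
          CURRENT_HASH=$(sed -nE 's/^[[:space:]]*vendorHash = "([^"]*)".*/\1/p' flake.nix | head -n1)
          echo "Current hash: $CURRENT_HASH"

          if [ "$NEW_HASH" = "$CURRENT_HASH" ]; then
            echo "Hash extracted matches current hash. Weird."
            exit 1
          fi

          sed -i -E "/^[[:space:]]*vendorHash = /s|vendorHash = \".*\"|vendorHash = \"${NEW_HASH}\"|" flake.nix

          # Confirm the edit landed before announcing it; without this a
          # flake.nix with no matching line would be reported as updated.
          if ! grep -qF -- "vendorHash = \"${NEW_HASH}\"" flake.nix; then
            echo "flake.nix was not updated: no matching vendorHash line."
            exit 1
          fi

          echo "flake.nix updated."
          echo "updated=true" >> "$GITHUB_OUTPUT"

      # Pushes with the job's GITHUB_TOKEN. Commits pushed with that token do
      # not trigger new workflow runs, so other CI will not re-run on the
      # hash-fix commit by itself.
      - name: Commit changes
        if: steps.update.outputs.updated == 'true'
        uses: stefanzweifel/git-auto-commit-action@v7
        with:
          commit_message: "chore(nix): update vendorHash"
          # Restrict the commit to the one file this job is meant to change.
          file_pattern: flake.nix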