Skip to content

feat(ci): add reusable nix-hash-autofix workflow #153

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
JacobPEvans wants to merge 1 commit into from
Closed

feat(ci): add reusable nix-hash-autofix workflow #153

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
87 changes: 87 additions & 0 deletions .github/workflows/_nix-hash-autofix.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,87 @@
# Reusable: Nix Hash Auto-Fix
# Fixes stale fetchFromGitHub hashes on Renovate PRs.
#
# Problem: Renovate's regex manager bumps version strings in .nix files
# but cannot update source/vendor hashes. This breaks builds.
#
# Solution: After Renovate bumps a version, this workflow runs nix-update
# to recalculate hashes and pushes a fixup commit.
#
# Usage in ci-gate.yml:
# nix-hash-autofix:
# needs: changes
# if: needs.changes.outputs.nix == 'true' && github.event.pull_request.user.login == 'jacobpevans-github-actions[bot]'
# uses: JacobPEvans/.github/.github/workflows/_nix-hash-autofix.yml@main
# with:
# packages: "gh-aw"
# secrets: inherit
Comment on lines +10 to +17
Copy link

Copilot AI Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The header "Usage" example indicates secrets: inherit, but the workflow implicitly requires GH_ACTION_JACOBPEVANS_APP_ID and GH_APP_PRIVATE_KEY to exist in the caller repo/org. Please document these required secrets (and what permissions the app needs) in the header, or expose them as explicit workflow_call.secrets entries so callers get a clearer validation/error message.

Copilot uses AI. Check for mistakes.
name: _nix-hash-autofix

on:
workflow_call:
inputs:
packages:
description: "Space-separated list of flake package attributes to update (e.g., 'gh-aw git-flow-next')"
required: true
type: string

permissions: {}

concurrency:
group: nix-hash-autofix-${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
autofix:
name: Fix Nix Hashes
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: read
steps:
- name: Generate GitHub App Token
id: app-token
uses: actions/create-github-app-token@v3
with:
app-id: ${{ secrets.GH_ACTION_JACOBPEVANS_APP_ID }}
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
Copy link

Copilot AI Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

actions/create-github-app-token is invoked without scoping token permissions. In this repo, _release-please.yml uses permission-contents, permission-pull-requests, etc. to least-privilege the generated token; consider doing the same here (contents: write, pull-requests: read) to reduce blast radius if the token is misused/exposed.

Suggested change
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
permission-contents: write
permission-pull-requests: read

Copilot uses AI. Check for mistakes.

- name: Checkout PR branch
uses: actions/checkout@v6
with:
ref: ${{ github.head_ref }}
token: ${{ steps.app-token.outputs.token }}

Comment on lines +20 to +54
Copy link

Copilot AI Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This workflow checks out and runs commands against the PR branch using inherited secrets, but it does not enforce that it’s running in a safe context (e.g., a same-repo pull_request from the expected bot). If a caller accidentally invokes this via pull_request_target or for a fork PR, this would run untrusted code with write-capable credentials. Add an explicit guard (job-level if: or an early step that fails) to require github.event_name == 'pull_request', github.event.pull_request.head.repo.full_name == github.repository, and (optionally) the expected PR author/actor before generating the app token/checkout.

Copilot uses AI. Check for mistakes.
- name: Install Nix
uses: DeterminateSystems/determinate-nix-action@v3

- name: Update package hashes
id: update
env:
PACKAGES: ${{ inputs.packages }}
run: |
for pkg in $PACKAGES; do
echo "::group::Updating $pkg"
# nix-update recalculates src hash and vendorHash
# --version=skip keeps Renovate's version bump, only fixes hashes
if nix run nixpkgs#nix-update -- --flake "$pkg" --version=skip 2>&1; then
echo "Updated $pkg"
else
echo "::warning::Failed to update $pkg (may already be correct)"
fi
echo "::endgroup::"
done
if [ -n "$(git diff --name-only)" ]; then
echo "changed=true" >> "$GITHUB_OUTPUT"
fi
Comment on lines +63 to +76
Copy link

Copilot AI Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The update loop converts any nix-update failure into a warning and still exits 0. If nix-update fails due to a real error (evaluation failure, network, etc.), the workflow will report success but won’t fix the hashes, leaving CI broken. Track failures and fail the job when one or more requested packages could not be updated (or at least fail when all updates fail and no diff is produced).

Copilot uses AI. Check for mistakes.

- name: Commit and push hash fixes
if: steps.update.outputs.changed == 'true'
run: |
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git add -A
git commit -m "fix(deps): auto-update Nix package hashes

nix-update recalculated hashes after Renovate version bump."
git push
Loading