fix(nix): use shared nix-update-hash workflow#199
Conversation
|
Should the workflow be pushing to the feature branch where the go mod file is being changed? We should also consider moving this to the actions repo so we can reuse it across repos. |
|
Updated this branch to delegate to a new shared action in datum-cloud/actions#75 rather than inlining the workflow steps. A few things changed along the way: Target branch was not hard-coded — Fixed: hash PR now targets the triggering branch, not main — the original approach (and the earlier commit in this PR) would have opened the Prerequisite for the shared action — the calling repo must have a This PR should merge after datum-cloud/actions#75 since it references |
|
Why not push to the feature branch instead? We use use version references when referencing shared actions |
|
It should be pushing to wherever the changed go.mod is happening. What are you seeing? |
|
It's creating a PR like you mentioned in your comment above and the description on the actions repo PR. I would expect it to push a new commit to the branch of the existing PR instead of opening a new PR. - name: Create Pull Request
if: steps.git-check.outputs.changed == 'true'
uses: peter-evans/create-pull-request@v7
with:
token: ${{ secrets.GITHUB_TOKEN }}
commit-message: ${{ inputs.commit-message }}
branch: ${{ inputs.pr-branch }}
branch-suffix: timestamp
base: ${{ github.ref_name }}
title: ${{ inputs.pr-title }}
body: ${{ inputs.pr-body }} |
## Summary
- Adds `.github/workflows/nix-update-hash.yaml` as a reusable
`workflow_call` action that updates `vendorHash` in `flake.nix` when Go
dependencies change
- Opens a PR targeting the **triggering branch** (`base: ${{
github.ref_name }}`), so the hash fix travels with the dependency update
rather than landing separately on `main`
- Adds `docs/nix-update-hash/README.md` documenting inputs,
prerequisites (caller must provide a `Taskfile.yml` and update script),
and usage example
## Related
Extracted from datum-cloud/datumctl#199 as part of standardising this
pattern across repos.
|
If it's not part of a branch, then it should be a PR. But hmm, that might be too confusing. I was trying to avoid the race condition of pushing to main after merge. |
|
I wouldn't push to main, it should push to the feature branch of the PR. |
|
The current logic will create the PR every time, using whatever base makes sense given the changed go.mod. That seemed like a good compromise, though admittedly it's cumbersome to order the merges. |
|
Yes, if it's already on a feature branch I'd prefer it just push there. Let me see if we can do both. |
|
Probably makes sense to enable the setting on the repo to be up to date with its base branch before it's allowed to be merged. That way you can always make sure the nix hash is updated based on the latest changes in main + the changes in the feature branch. |
|
That's a good idea. Can I enforce that in the action? |
drewr
changed the title
|
That should just be a standard git operation to confirm the current branch isn't behind main at all. The other approach is part of the repo rulesets to prevent a PR being merged until status checks pass and the feature branch is up-to-date with the latest in the base branch. |
|
Won't let me do it. 
|
|
Got this to take 
|
Repository rules on main require changes via pull request. Switch from git push to peter-evans/create-pull-request@v7.
Replaces the inline workflow with a call to datum-cloud/actions/.github/workflows/nix-update-hash.yaml@main.
drewr
force-pushed
the
fix/nix-workflow-pr
branch
from
e2f4f70 to
1eaf412
Compare
|
Rebased out testing the hash update. |
3 participants
Update: Use the shared action instead.
Recent repository rule changes require all changes to main to go through pull requests. There is no secure way to bypass this for the github-actions[bot] — repository rules don't have a bypass mechanism like branch protection rules do.
This reverts the approach from #193 (commit 4acc066) which switched the workflow to direct push, and restores the original PR-based flow using
peter-evans/create-pull-request@v7.Why this matters: The nix-update-hash workflow has been failing on every run since the repository rules were enforced, because
git pushto main is rejected. Renovate PRs that update go.mod/go.sum are not getting their vendorHash updated automatically.