add enrollment markdown message from core #57
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Update pnpm deps Nix hash | |
| on: | |
| pull_request: | |
| paths: | |
| - pnpm-lock.yaml | |
| - new-ui/pnpm-lock.yaml | |
| concurrency: | |
| group: pnpm-hash-${{ github.event.pull_request.number }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: write | |
| jobs: | |
| update-pnpm-hash: | |
| runs-on: | |
| - codebuild-defguard-client-runner-${{ github.run_id }}-${{ github.run_attempt }} | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| submodules: recursive | |
| - uses: cachix/install-nix-action@v31 | |
| with: | |
| install_options: --no-daemon | |
| extra_nix_config: | | |
| experimental-features = nix-command flakes | |
| - name: Compute correct pnpm deps hashes | |
| id: hash | |
| run: | | |
| set -euo pipefail | |
| FAKE="sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" | |
| SYSTEM=$(nix eval --impure --raw --expr 'builtins.currentSystem') | |
| # Helper: extract the hash for a given attribute, swap in FAKE, | |
| # build it, capture the real hash, and write it back. | |
| update_hash() { | |
| local attr="$1" # e.g. "pnpmDeps" or "newUiPnpmDeps" | |
| local label="$2" # human-readable label for logging | |
| # Extract the current hash for this attribute. | |
| # Match the line containing "hash = " that follows the | |
| # attribute definition block (${attr} ... = fetchPnpmDeps). | |
| local CURRENT | |
| CURRENT=$(awk "/^[[:space:]]*${attr} = fetchPnpmDeps/,/^[[:space:]]*};[[:space:]]*\$/" nix/package.nix \ | |
| | sed -n 's/^[[:space:]]*hash = "\(sha256-[^"]*\)".*/\1/p' | head -1) | |
| if [ -z "$CURRENT" ]; then | |
| echo "::error::Could not extract current hash for ${attr} from nix/package.nix" | |
| exit 1 | |
| fi | |
| echo "${label} current hash: ${CURRENT}" | |
| echo "${attr}_current=${CURRENT}" >> "$GITHUB_OUTPUT" | |
| # Swap in the fake hash. | |
| sed -i "/^[[:space:]]*${attr} = fetchPnpmDeps/,/^[[:space:]]*};[[:space:]]*\$/{s|hash = \"${CURRENT}\"|hash = \"${FAKE}\"|}" nix/package.nix | |
| # Build only this fixed-output derivation. | |
| echo "building ${attr} for ${SYSTEM}..." | |
| local BUILD_LOG | |
| BUILD_LOG=$(nix build --no-link --no-write-lock-file \ | |
| ".#packages.${SYSTEM}.default.${attr}" 2>&1 || true) | |
| # Nix prints "got: sha256-..." in the hash mismatch error. | |
| local NEW | |
| NEW=$(printf '%s' "$BUILD_LOG" | sed -n 's/.*got:[[:space:]]*\(sha256-[^[:space:]]*\).*/\1/p' | head -1) | |
| if [ -z "$NEW" ]; then | |
| echo "::error::Could not extract the correct hash for ${attr} from nix output." | |
| echo "Full build log:" | |
| printf '%s\n' "$BUILD_LOG" | |
| exit 1 | |
| fi | |
| echo "${label} new hash: ${NEW}" | |
| echo "${attr}_new=${NEW}" >> "$GITHUB_OUTPUT" | |
| # Write the correct hash back. | |
| sed -i "/^[[:space:]]*${attr} = fetchPnpmDeps/,/^[[:space:]]*};[[:space:]]*\$/{s|hash = \"${FAKE}\"|hash = \"${NEW}\"|}" nix/package.nix | |
| # Track whether this hash changed. | |
| if [ "$CURRENT" != "$NEW" ]; then | |
| echo "${attr}_changed=true" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "${attr}_changed=false" >> "$GITHUB_OUTPUT" | |
| fi | |
| } | |
| # Always attempt both hashes - the workflow trigger already ensures | |
| # at least one lockfile was modified. The commit step below only | |
| # fires when a hash actually changed, so there's no harm in | |
| # computing both every time. | |
| update_hash "pnpmDeps" "pnpm root" | |
| update_hash "newUiPnpmDeps" "pnpm new-ui" | |
| - name: Commit updated hashes | |
| if: > | |
| steps.hash.outputs.pnpmDeps_changed == 'true' || | |
| steps.hash.outputs.newUiPnpmDeps_changed == 'true' | |
| uses: actions/github-script@v9 | |
| with: | |
| script: | | |
| const fs = require('fs'); | |
| const content = fs.readFileSync('nix/package.nix', 'utf8'); | |
| const encoded = Buffer.from(content).toString('base64'); | |
| const parts = []; | |
| if ('${{ steps.hash.outputs.pnpmDeps_changed }}' === 'true') { | |
| parts.push('pnpm'); | |
| } | |
| if ('${{ steps.hash.outputs.newUiPnpmDeps_changed }}' === 'true') { | |
| parts.push('new-ui pnpm'); | |
| } | |
| const headline = `chore(nix): update ${parts.join(' and ')} deps hash`; | |
| await github.graphql(` | |
| mutation CreateCommit($input: CreateCommitOnBranchInput!) { | |
| createCommitOnBranch(input: $input) { | |
| commit { url } | |
| } | |
| } | |
| `, { | |
| input: { | |
| branch: { | |
| repositoryNameWithOwner: `${context.repo.owner}/${context.repo.repo}`, | |
| branchName: context.payload.pull_request.head.ref, | |
| }, | |
| message: { headline }, | |
| fileChanges: { | |
| additions: [{ path: 'nix/package.nix', contents: encoded }], | |
| }, | |
| expectedHeadOid: context.payload.pull_request.head.sha, | |
| }, | |
| }); |