Skip to content

add enrollment markdown message from core #57

add enrollment markdown message from core

add enrollment markdown message from core #57

name: Update pnpm deps Nix hash
on:
pull_request:
paths:
- pnpm-lock.yaml
- new-ui/pnpm-lock.yaml
concurrency:
group: pnpm-hash-${{ github.event.pull_request.number }}
cancel-in-progress: true
permissions:
contents: write
jobs:
update-pnpm-hash:
runs-on:
- codebuild-defguard-client-runner-${{ github.run_id }}-${{ github.run_attempt }}
steps:
- uses: actions/checkout@v6
with:
ref: ${{ github.event.pull_request.head.sha }}
submodules: recursive
- uses: cachix/install-nix-action@v31
with:
install_options: --no-daemon
extra_nix_config: |
experimental-features = nix-command flakes
- name: Compute correct pnpm deps hashes
id: hash
run: |
set -euo pipefail
FAKE="sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
SYSTEM=$(nix eval --impure --raw --expr 'builtins.currentSystem')
# Helper: extract the hash for a given attribute, swap in FAKE,
# build it, capture the real hash, and write it back.
update_hash() {
local attr="$1" # e.g. "pnpmDeps" or "newUiPnpmDeps"
local label="$2" # human-readable label for logging
# Extract the current hash for this attribute.
# Match the line containing "hash = " that follows the
# attribute definition block (${attr} ... = fetchPnpmDeps).
local CURRENT
CURRENT=$(awk "/^[[:space:]]*${attr} = fetchPnpmDeps/,/^[[:space:]]*};[[:space:]]*\$/" nix/package.nix \
| sed -n 's/^[[:space:]]*hash = "\(sha256-[^"]*\)".*/\1/p' | head -1)
if [ -z "$CURRENT" ]; then
echo "::error::Could not extract current hash for ${attr} from nix/package.nix"
exit 1
fi
echo "${label} current hash: ${CURRENT}"
echo "${attr}_current=${CURRENT}" >> "$GITHUB_OUTPUT"
# Swap in the fake hash.
sed -i "/^[[:space:]]*${attr} = fetchPnpmDeps/,/^[[:space:]]*};[[:space:]]*\$/{s|hash = \"${CURRENT}\"|hash = \"${FAKE}\"|}" nix/package.nix
# Build only this fixed-output derivation.
echo "building ${attr} for ${SYSTEM}..."
local BUILD_LOG
BUILD_LOG=$(nix build --no-link --no-write-lock-file \
".#packages.${SYSTEM}.default.${attr}" 2>&1 || true)
# Nix prints "got: sha256-..." in the hash mismatch error.
local NEW
NEW=$(printf '%s' "$BUILD_LOG" | sed -n 's/.*got:[[:space:]]*\(sha256-[^[:space:]]*\).*/\1/p' | head -1)
if [ -z "$NEW" ]; then
echo "::error::Could not extract the correct hash for ${attr} from nix output."
echo "Full build log:"
printf '%s\n' "$BUILD_LOG"
exit 1
fi
echo "${label} new hash: ${NEW}"
echo "${attr}_new=${NEW}" >> "$GITHUB_OUTPUT"
# Write the correct hash back.
sed -i "/^[[:space:]]*${attr} = fetchPnpmDeps/,/^[[:space:]]*};[[:space:]]*\$/{s|hash = \"${FAKE}\"|hash = \"${NEW}\"|}" nix/package.nix
# Track whether this hash changed.
if [ "$CURRENT" != "$NEW" ]; then
echo "${attr}_changed=true" >> "$GITHUB_OUTPUT"
else
echo "${attr}_changed=false" >> "$GITHUB_OUTPUT"
fi
}
# Always attempt both hashes - the workflow trigger already ensures
# at least one lockfile was modified. The commit step below only
# fires when a hash actually changed, so there's no harm in
# computing both every time.
update_hash "pnpmDeps" "pnpm root"
update_hash "newUiPnpmDeps" "pnpm new-ui"
- name: Commit updated hashes
if: >
steps.hash.outputs.pnpmDeps_changed == 'true' ||
steps.hash.outputs.newUiPnpmDeps_changed == 'true'
uses: actions/github-script@v9
with:
script: |
const fs = require('fs');
const content = fs.readFileSync('nix/package.nix', 'utf8');
const encoded = Buffer.from(content).toString('base64');
const parts = [];
if ('${{ steps.hash.outputs.pnpmDeps_changed }}' === 'true') {
parts.push('pnpm');
}
if ('${{ steps.hash.outputs.newUiPnpmDeps_changed }}' === 'true') {
parts.push('new-ui pnpm');
}
const headline = `chore(nix): update ${parts.join(' and ')} deps hash`;
await github.graphql(`
mutation CreateCommit($input: CreateCommitOnBranchInput!) {
createCommitOnBranch(input: $input) {
commit { url }
}
}
`, {
input: {
branch: {
repositoryNameWithOwner: `${context.repo.owner}/${context.repo.repo}`,
branchName: context.payload.pull_request.head.ref,
},
message: { headline },
fileChanges: {
additions: [{ path: 'nix/package.nix', contents: encoded }],
},
expectedHeadOid: context.payload.pull_request.head.sha,
},
});