A GitHub Action that automatically discovers all flake.nix files in your repository and creates pull requests for each Nix flake input update.
New users: Follow these 3 steps to get started
- Create a GitHub App - Use our web interface to easily create a GitHub App with the correct permissions
- Configure Secrets - Save the App ID and private key as repository secrets (
APP_IDandAPP_PRIVATE_KEY) - Add Workflow File - Create
.github/workflows/update-flake-inputs.ymlusing the example below
Why do I need a GitHub App? To trigger CI workflows on the created pull requests, you need to use a GitHub App token instead of GITHUB_TOKEN (since GITHUB_TOKEN doesn't trigger workflows to prevent infinite loops).
For a basic setup without triggering CI workflows, see Basic Workflow File.
- Automatically discovers all
flake.nixfiles in the repository - Supports excluding specific flake files using glob patterns
- Parses each
flake.nixfile to identify all inputs - Creates a separate branch for each flake input update
- Updates each input individually using
nix flake update - Creates a pull request for each updated input
- Handles existing branches and pull requests gracefully
This basic setup works but won't trigger CI workflows on the created pull requests. For most users, we recommend using the GitHub App setup instead.
Create a workflow file (e.g., .github/workflows/update-flake-inputs.yml):
name: Update Flake Inputs
on:
schedule:
# Run weekly on Sundays at 2 AM UTC
- cron: '0 2 * * 0'
workflow_dispatch: # Allow manual triggering
jobs:
update-flake-inputs:
runs-on: ubuntu-slim
permissions:
contents: write
pull-requests: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Setup Nix
uses: cachix/install-nix-action@v31
- name: Update flake inputs
uses: mic92/update-flake-inputs@main
# github-token defaults to ${{ github.token }}
with:
# Optional: exclude specific files or inputs
# exclude-patterns: 'tests/**/flake.nix,examples/**/flake.nix#home-manager'
# Optional: add custom labels (default: 'dependencies')
# pr-labels: 'dependencies,automated'
# Optional: enable auto-merge (default: false)
# auto-merge: 'true'
# Optional: choose merge method when auto-merge is enabled (default: MERGE)
# auto-merge-method: 'SQUASH'This is the recommended setup for most users. It allows CI workflows to run on the created pull requests.
To trigger CI workflows on the created pull requests, you need to use a GitHub App token instead of GITHUB_TOKEN (since GITHUB_TOKEN doesn't trigger workflows to prevent infinite loops).
🚀 Use our web interface (Easy): 👉 Create GitHub App - Follow the on-screen instructions
The web interface will guide you through:
- Creating the GitHub App with correct permissions
- Installing it to your repository
- Configuring the secrets (Step 2 below)
After creating your GitHub App:
- Go to your app settings (link provided after creation)
- Copy the App ID and save it as
APP_IDin your repository secrets - Generate a private key and save it as
APP_PRIVATE_KEYin your repository secrets
Create .github/workflows/update-flake-inputs.yml with the following content:
name: Update Flake Inputs
on:
schedule:
- cron: '0 2 * * 0'
workflow_dispatch:
jobs:
update-flake-inputs:
runs-on: ubuntu-slim
permissions:
contents: write
pull-requests: write
steps:
- name: Generate GitHub App Token
id: app-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}
- name: Checkout repository
uses: actions/checkout@v4
with:
token: ${{ steps.app-token.outputs.token }}
- name: Setup Nix
uses: cachix/install-nix-action@v31
- name: Update flake inputs
uses: mic92/update-flake-inputs@main
with:
github-token: ${{ steps.app-token.outputs.token }}
# Optional: exclude specific files or inputs
# exclude-patterns: 'tests/**/flake.nix,examples/**/flake.nix#home-manager'
# Optional: add custom labels (default: 'dependencies')
# pr-labels: 'dependencies,automated'
# Optional: enable auto-merge (default: false)
# auto-merge: 'true'
# Optional: choose merge method when auto-merge is enabled (default: MERGE)
# auto-merge-method: 'SQUASH'That's it! Your workflow is now set up. It will:
- Run weekly on Sundays at 2 AM UTC
- Can be triggered manually from the Actions tab
- Create pull requests for each flake input update
- Trigger CI workflows on those PRs (thanks to the GitHub App token)
Manual GitHub App Creation (Advanced)
If you prefer not to use the web interface, you can create the GitHub App manually:
- Go to GitHub Settings > Developer settings > GitHub Apps > New GitHub App
- Fill in the required fields:
- App name: Choose a unique name
- Homepage URL: Your repository URL
- Webhook: Disable webhook (uncheck "Active")
- Set permissions:
- Repository permissions:
- Contents: Read & Write
- Pull requests: Read & Write
- Metadata: Read only (automatically set)
- Repository permissions:
- Create the app and install it to your repository
- Follow Step 2 above to configure secrets
The GitHub App needs the following repository permissions:
- Contents: Write (to create branches and commits)
- Pull requests: Write (to create pull requests)
- Metadata: Read (to access repository information)
| Input | Description | Required | Default |
|---|---|---|---|
github-token |
GitHub token for creating pull requests | No | ${{ github.token }} |
exclude-patterns |
Comma-separated list of glob patterns to exclude flake.nix files or specific inputs using pattern#inputname syntax |
No | '' |
pr-labels |
Comma-separated list of labels to add to created pull requests (labels will be created if they don't exist) | No | 'dependencies' |
auto-merge |
Enable auto-merge for created pull requests (requires auto-merge to be enabled in repository settings) | No | 'false' |
auto-merge-method |
Merge strategy used when auto-merge is enabled (MERGE, SQUASH, or REBASE) |
No | 'MERGE' |
delete-branch |
Delete branch after pull request is merged | No | 'true' |
signoff |
Add sign-off to commits | No | 'true' |
git-author-name |
Git author name for commits | No | 'github-actions[bot]' |
git-author-email |
Git author email for commits | No | '41898282+github-actions[bot]@users.noreply.github.com' |
git-committer-name |
Git committer name for commits | No | 'github-actions[bot]' |
git-committer-email |
Git committer email for commits | No | '41898282+github-actions[bot]@users.noreply.github.com' |
- Node.js 20+
- npm
- Nix with flakes enabled
-
Clone the repository
-
Install dependencies:
npm install
-
Build the action:
npm run build
The action will automatically discover all flake.nix files in your repository. It will:
- Scan the repository for all
flake.nixfiles (excludingnode_modulesand.gitdirectories) - Apply any exclude patterns you've specified
- For each discovered flake file, parse the inputs section
- For each input in each flake file, create a branch named
update-{input-name}(for main flake.nix) orupdate-{input-name}-{flake-path}(for subdirectories) - Update that specific input using
nix flake updatein the correct directory - Commit the changes and push the branch
- Create a pull request for the update
File-level exclusions (exclude entire flake files):
tests/**/flake.nix- Exclude all flake.nix files in any tests directoryexamples/**/flake.nix- Exclude all flake.nix files in any examples directory**/template/flake.nix- Exclude flake.nix files in template directoriesvendor/**- Exclude everything in vendor directories
Input-level exclusions (exclude specific inputs from matching files):
**/flake.nix#nixpkgs- Exclude thenixpkgsinput from all flake.nix filesexamples/**/flake.nix#home-manager- Exclude thehome-managerinput from flake.nix files in examples directoriestests/**/flake.nix#devshell- Exclude thedevshellinput from flake.nix files in tests directories
MIT