feat: auto update nix repository #235

Draft
nixith wants to merge 8 commits into glide-browser:main from nixith:glide-nix-update

nixith commented Jan 19, 2026

sets up auto-updating the nix flake whenever a release is made to the main repository. Should help to keep everyone in sync without manual intervention

nixith commented Jan 19, 2026

This is the first chunk of work for updating the nix repository. While I've verified that I can get the individual components working together I haven't been able to test them locally (yay github actions!) and it's missing the part of actually sending a PR in, since there's a little work I need to do to understand setting up auto-merges as described in #general > nix flake auto updates @ 💬 on the zulip.

RobertCraigie commented

In the past I've used https://github.com/peter-evans/create-pull-request for automatically creating PRs but from a brief skim it looks like it isn't designed for creating PRs in other repositories :/

For what it's worth I wouldn't block merging this PR on automatically creating the PR in glide.nix, as it'll still be very nice to have this automation just push to a branch as it's not too much work to just create the PR yourself :)

For pushing the code to a branch there's some prior art here.

For testing CI workflows I find workflow_dispatch invaluable, so I think it'd make sense to add an optional tag_name input to workflow_dispatch: and then update your job to use inputs.tag_name || github.event.release.tag_name.

Then the only discrepancy between your testing with workflow_dispatch and the "production" environment would be relying on github.event.release.tag_name.
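
The trigger setup suggested in the comment above, written out as an added example (not code from this PR). The workflow name, job layout and the set of characters accepted in a tag are assumptions.

```yaml
# Added example: hypothetical workflow, not the PR's own file.
name: nix-update
on:
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      tag_name:
        description: "Release tag to package (manual test runs)"
        required: false
        type: string
permissions:
  contents: read
jobs:
  update:
    runs-on: ubuntu-latest
    env:
      # The whole fallback lives inside one expression. On a release event
      # inputs.tag_name is empty, so the release tag is used instead.
      # The value reaches the shell as data in an environment variable,
      # never as text pasted into the script.
      VERSION: ${{ inputs.tag_name || github.event.release.tag_name }}
    steps:
      - name: validate tag before it is used in URLs, branch names or sed
        run: |
          # Assumed tag alphabet; adjust to the project's real scheme.
          case "$VERSION" in
            "" | *[!A-Za-z0-9._-]*)
              echo "refusing unexpected tag: $VERSION" >&2
              exit 1
              ;;
          esac
      - name: show the resolved version
        run: echo "would update to $VERSION"
```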

nixith commented Jan 20, 2026

> In the past I've used https://github.com/peter-evans/create-pull-request for automatically creating PRs but from a brief skim it looks like it isn't designed for creating PRs in other repositories :/

I think the path parameter might actually let you make PRs to other github repositories. I did something similar to clone glide-browser/glide.nix in this PR

edit: looking at the source code I think you would have to override the GITHUB_WORKSPACE environment variable, which probably isn't a good idea lol

nixith commented Jan 20, 2026

I think I'm being a bit daft scratching my head for a solution. We already have gh on the container, that can create the PR we need easily with a github token.

nixith commented Jan 20, 2026

I haven't gotten the time yet but I'm going to try and isolate these changes in some personal repos soon™ for testing

RobertCraigie left a comment

Thanks again for working on this :)

- name: update hashes
env:
VERSION: inputs.tag_name || ${{ github.event.release.tag_name }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
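
Review bot: On the VERSION line, "inputs.tag_name ||" sits outside the ${{ }} delimiters, so Actions treats it as literal text and VERSION becomes the string "inputs.tag_name || " followed by the release tag. Put the whole fallback inside one expression: VERSION: ${{ inputs.tag_name || github.event.release.tag_name }}. Passing the value through env instead of interpolating it into the run script is the right shape, since the tag then reaches the shell as data.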

Member

GITHUB_TOKEN isn't set in the secrets for this repo, I think this should work

Suggested change
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_TOKEN: ${{ secrets.REPO_ACCESS_TOKEN }}

Comment on lines +51 to +73
# edit version in package.nix
sed -i 's/version = ".*"/version = "$VERSION"/' package.nix

#x86 linux
RELEASE_LINK="https://github.com/glide-browser/glide/releases/download/$VERSION/glide.linux-x86_64.tar.xz"
NEW_HASH=$(nix hash to-sri --type sha256 $(nix-prefetch-url "$RELEASE_LINK"))
sed -zi 's/sha256 = ".*"/sha256 = "$NEW_HASH"/1m' package.nix

#aarch64 linux
RELEASE_LINK="https://github.com/glide-browser/glide/releases/download/$VERSION/glide.linux-aarch64.tar.xz"
NEW_HASH=$(nix hash to-sri --type sha256 $(nix-prefetch-url "$RELEASE_LINK"))
sed -zi 's/sha256 = ".*"/sha256 = "$NEW_HASH"/2m' package.nix

#x86 macos
RELEASE_LINK="https://github.com/glide-browser/glide/releases/download/$VERSION/glide.macos-x86_64.dmg"
NEW_HASH=$(nix hash to-sri --type sha256 $(nix-prefetch-url "$RELEASE_LINK"))
sed -zi 's/sha256 = ".*"/sha256 = "$NEW_HASH"/3m' package.nix

#aarch64 macos
RELEASE_LINK="https://github.com/glide-browser/glide/releases/download/$VERSION/glide.macos-aarch64.dmg"
NEW_HASH=$(nix hash to-sri --type sha256 $(nix-prefetch-url "$RELEASE_LINK"))
sed -zi 's/sha256 = ".*"/sha256 = "$NEW_HASH"/4m' package.nix
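
Review bot: Every sed program in this hunk is single-quoted, so the shell never expands $VERSION or $NEW_HASH and the literal strings "$VERSION" and "$NEW_HASH" are what gets written into package.nix. Use double quotes with the inner quotes escaped, choose a delimiter other than / for the hash lines (an SRI hash is base64 and can itself contain /), and match [^"]* rather than .* so the pattern cannot run past the closing quote, for example: sed -zi "s|sha256 = \"[^\"]*\"|sha256 = \"$NEW_HASH\"|1m" package.nix. The inner $(nix-prefetch-url "$RELEASE_LINK") should be quoted as well, and the script should stop when a prefetch fails instead of writing an empty hash.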

Member

should all be in the script now?

Suggested change
# edit version in package.nix
sed -i 's/version = ".*"/version = "$VERSION"/' package.nix
#x86 linux
RELEASE_LINK="https://github.com/glide-browser/glide/releases/download/$VERSION/glide.linux-x86_64.tar.xz"
NEW_HASH=$(nix hash to-sri --type sha256 $(nix-prefetch-url "$RELEASE_LINK"))
sed -zi 's/sha256 = ".*"/sha256 = "$NEW_HASH"/1m' package.nix
#aarch64 linux
RELEASE_LINK="https://github.com/glide-browser/glide/releases/download/$VERSION/glide.linux-aarch64.tar.xz"
NEW_HASH=$(nix hash to-sri --type sha256 $(nix-prefetch-url "$RELEASE_LINK"))
sed -zi 's/sha256 = ".*"/sha256 = "$NEW_HASH"/2m' package.nix
#x86 macos
RELEASE_LINK="https://github.com/glide-browser/glide/releases/download/$VERSION/glide.macos-x86_64.dmg"
NEW_HASH=$(nix hash to-sri --type sha256 $(nix-prefetch-url "$RELEASE_LINK"))
sed -zi 's/sha256 = ".*"/sha256 = "$NEW_HASH"/3m' package.nix
#aarch64 macos
RELEASE_LINK="https://github.com/glide-browser/glide/releases/download/$VERSION/glide.macos-aarch64.dmg"
NEW_HASH=$(nix hash to-sri --type sha256 $(nix-prefetch-url "$RELEASE_LINK"))
sed -zi 's/sha256 = ".*"/sha256 = "$NEW_HASH"/4m' package.nix

GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
git switch -c "update-$VERSION"
.github/scripts/update_nix.sh
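
Review bot: GH_TOKEN is taken from secrets.GITHUB_TOKEN, which GitHub issues per run and scopes to the repository the workflow runs in, so it cannot push the update-$VERSION branch to, or open a pull request in, another repository such as the glide-browser/glide.nix target used by the later gh pr create line. Use a token limited to that one repository with only Contents and Pull requests write access, and check $VERSION against the expected tag format before it becomes part of a branch name in git switch -c.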

Member

actually just realised this won't work because you're only checking out the glide.nix repo.

either the script could live in glide.nix or you'd have to checkout the glide repo and glide.nix to different directories

Author

Do we actually need any data from the glide repo? It could always live in glide.nix (and would make this easier). There would just have to be a trigger on the glide.nix side, either a webhook from here or some other github actions knowledge I'm unfamiliar with

Member

Yeah I think it'd make sense for the script to live in glide.nix at a minimum.

I'm not aware of a nice builtin way to do cross-repo webhooks without having to host a server in the middle.

So the options in my mind are:

  1. Move script to glide.nix, keep the workflow that runs the script / creates the PR in this repo
  2. Move script to glide.nix, this post-release workflow then invokes a workflow defined in glide.nix (you could do this with workflow_dispatch, maybe even workflow_call I'd need to double check)

Author

looking into this I think the best bet we have is moving forward with option 2 (simplified my work a lot, I can use the actions you mentioned) and using the github cli to do workflow_dispatch. workflow_call could work, but there's some need for organizational level changes there and I'm not entirely sure what context this sort of thing executes in (i.e. would the pull action pull from here, or from glide.nix)
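
Option 2 driven by the GitHub CLI, as an added example (not code from this PR or from either repository). The file name update.yml, the job names, the script location at the glide.nix repository root and nix being available on the runner are all assumptions.

```yaml
# File 1 of 2: glide-browser/glide, job added to the post-release workflow
# (job name is hypothetical; update.yml is an assumed file name in glide.nix)
jobs:
  trigger-nix-update:
    runs-on: ubuntu-latest
    steps:
      - name: dispatch the update workflow in glide.nix
        env:
          # Cross-repo token: needs only Actions write access on glide.nix.
          GH_TOKEN: ${{ secrets.REPO_ACCESS_TOKEN }}
          VERSION: ${{ github.event.release.tag_name }}
        run: |
          gh workflow run update.yml \
            --repo glide-browser/glide.nix \
            --raw-field "tag_name=$VERSION"
---
# File 2 of 2: glide-browser/glide.nix, .github/workflows/update.yml (assumed)
name: update
on:
  workflow_dispatch:
    inputs:
      tag_name:
        description: "glide release tag to package"
        required: true
        type: string
permissions:
  contents: write        # push the update-<tag> branch
  pull-requests: write   # open the PR; also requires the repository setting
                         # that lets GitHub Actions create pull requests
jobs:
  update:
    runs-on: ubuntu-latest   # assumes nix is installed on the runner
    env:
      VERSION: ${{ inputs.tag_name }}
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # scoped to glide.nix itself
    steps:
      - uses: actions/checkout@v4
      - name: run the update script that now lives in this repository
        run: |
          git switch -c "update-$VERSION"
          ./update_nix.sh   # assumed path at the repository root
```

With this split the long-lived cross-repository secret can only start a workflow, while the branch push and pull request use the short-lived token of the repository being changed.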

git commit -m "update: v$VERSION"

# make pull request
gh -R "glide-browser/glide.nix" pr create --title "update to version $VERSION" --body "" --head "$update-$VERSION"
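
Review bot: In --head "$update-$VERSION" the leading $ makes the shell expand an unset variable named update, so gh is handed "-$VERSION" as the head branch; it should read --head "update-$VERSION". Starting the script with set -eu would turn this kind of typo into an immediate failure instead of a confusing gh error.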

Member

I think this won't push the branch for you because you're passing --head, so you need

Suggested change
gh -R "glide-browser/glide.nix" pr create --title "update to version $VERSION" --body "" --head "$update-$VERSION"
git push origin "update-$VERSION"
gh -R "glide-browser/glide.nix" pr create --title "update to version $VERSION" --body "" --head "update-$VERSION"

Co-authored-by: Robert Craigie <robert@craigie.dev>

nixith commented Jan 29, 2026

Sorry for being a bit slow on this, school caught up with me. For reference the script should work fine right now, the rest of the work is all github actions. I'll see if I can take a look at this over the weekend.
