Update and Deploy Server #349
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Update and Deploy Server | |
| permissions: read-all | |
| on: | |
| schedule: | |
| - cron: "45 1 * * *" | |
| workflow_dispatch: | |
| jobs: | |
| update-flake-lock: | |
| permissions: | |
| contents: write | |
| runs-on: ubuntu-latest | |
| outputs: | |
| previous_hash: ${{ steps.previous_commit.outputs.previous_hash }} | |
| current_hash: ${{ steps.current_commit.outputs.current_hash }} | |
| commit_message: ${{ steps.current_commit.outputs.commit_message }} | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
| with: | |
| egress-policy: audit | |
| - name: Ensure that the previous run was successfull, if run is unsupervised | |
| if: ${{ github.event_name == 'schedule' }} | |
| uses: noirbizarre/need-checks@6cac344b29ae24e28fc2542ce067a7756ea333af # main | |
| with: | |
| conclusions: success,skipped | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| fetch-depth: 0 | |
| - name: Save hash of HEAD | |
| id: previous_commit | |
| run: echo "previous_hash=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT" | |
| - name: Install nix | |
| uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # V30 | |
| - name: Update flake lock file | |
| run: nix flake update --no-warn-dirty | |
| working-directory: ./nixos/server | |
| - name: Commit changes to flake lock file | |
| uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5.0.1 | |
| with: | |
| commit_message: "[nixos/server] Bump flake.lock" | |
| commit_options: '--no-verify --signoff' | |
| file_pattern: nixos/server/flake.lock | |
| commit_user_name: Flake Bot | |
| commit_author: Flake Bot <[email protected]> | |
| skip_dirty_check: false | |
| skip_fetch: true | |
| - name: Save hash of HEAD | |
| id: current_commit | |
| run: | | |
| echo "current_hash=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT" | |
| echo "commit_message=$(git show -s --format=%s)" >> "$GITHUB_OUTPUT" | |
| deploy-server: | |
| needs: update-flake-lock | |
| if: | | |
| contains(needs.update-flake-lock.outputs.commit_message, '[nixos/server] Bump flake.lock') && | |
| needs.update-flake-lock.outputs.current_hash != needs.update-flake-lock.outputs.previous_hash | |
| uses: ./.github/workflows/deploy-server.yml | |
| secrets: inherit |