ci: automatically update npm dependencies hash in dependabot PRs (#100)

hallettj · Mar 8, 2024 · 972b79c · 972b79c
1 parent ac359b1
commit 972b79c
Show file tree

Hide file tree

Showing 2 changed files with 60 additions and 0 deletions.
diff --git a/.github/workflows/dependabot-post.yml b/.github/workflows/dependabot-post.yml
@@ -0,0 +1,48 @@
+# Due to the Nix configuration we need to update a hash in test/test.nix when
+# npm dependencies change. This workflow runs on dependabot branches, and runs
+# a script that makes the necessary update after each dependabot push.
+name: Dependabot-post
+
+on:
+  push:
+    branches:
+      - "dependabot/npm_and_yarn/*"
+
+jobs:
+  update_npm_deps_hash:
+    name: Update NPM dependencies hash
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]' || github.actor == 'dependabot-preview[bot]'
+    permissions:
+      contents: write
+    steps:
+      - name: Check Out Code
+        uses: actions/checkout@v3
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+
+      - name: Configure Cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: Update Hash
+        run: nix run .#update-npm-deps-hash
+
+      - name: Set up Git Config
+        run: |
+          git config user.name "${GITHUB_ACTOR}"
+          git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
+
+      # NOTE: Prefixing/appending commit messages with `[dependabot skip]`
+      # allows dependabot to rebase/update the pull request, force-pushing
+      # over any changes
+      - name: Commit changes
+        run: |
+          git add .
+          if [[ $(git status -s) ]]; then
+            git commit -m "build(deps): update npm dependencies hash [dependabot skip]" --no-verify
+            git push
+            echo "Pushed an update to npm dependencies hash"
+          else
+            echo "Npm dependencies hash was not changed"
+          fi
diff --git a/flake.nix b/flake.nix
@@ -12,6 +12,18 @@
     {
       packages = eachSystem (pkgs: {
         default = pkgs.callPackage ./packages/git-format-staged.nix { };
+
+        # When npm dependencies change we need to update the dependencies hash
+        # in test/test.nix
+        update-npm-deps-hash = pkgs.writeShellApplication {
+          name = "update-npm-deps-hash";
+          runtimeInputs = with pkgs; [ prefetch-npm-deps nix gnused ];
+          text = ''
+            hash=$(prefetch-npm-deps package-lock.json 2>/dev/null)
+            echo "updated npm dependency hash: $hash" >&2
+            sed -i "s|sha256-[A-Za-z0-9+/=]\+|$hash|" test/test.nix
+          '';
+        };
       });
 
       devShells = eachSystem (pkgs: {