#!/usr/bin/env nix-shell
#!nix-shell -i bash -p nixUnstable git openssh curl python3

# ^^
# we get nixUnstable for the diff-closures command, mostly.
# we need git to commit and push our changes
# we need openssh for ssh-agent to authenticate the push
# we need curl to create the gitlab MR
# we need python3 to format the merge request payload as JSON

# errexit/nounset/pipefail: stop at the first failing step.  xtrace writes
# every expanded command line to stderr, i.e. into the CI job log, so any
# step that handles a secret has to pause tracing around itself.
set -o errexit
set -o nounset
set -o xtrace
set -o pipefail

# GitLab instance that hosts the repository and serves the REST API.
HOST="whetstone.private.storage"

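#######################################
# EXIT-trap handler: stop the ssh-agent started by setup_ssh.
# Globals:   SSH_AGENT_PID (read; set by the eval of ssh-agent output)
# Returns:   always 0 — cleanup is best-effort and must not replace the
#            script's real exit status.
#######################################
__cleanup_ssh () {
    # `ssh-agent -k` reads SSH_AGENT_PID and fails when it is unset, which
    # under nounset would also be an unbound-variable error.  Only try to
    # kill an agent that was actually started.
    if [[ -n "${SSH_AGENT_PID:-}" ]]; then
        # Deliberately ignored: the agent may already be gone (-t timeout).
        ssh-agent -k || true
    fi
}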

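#######################################
# Start a short-lived ssh-agent, load the deploy key from the CI variable
# into it, and make git's ssh accept a not-yet-known host key.
# Globals:   UPDATE_NIXPKGS_PRIVATE_SSHKEY_BASE64 (read)
#            GIT_SSH_COMMAND (exported)
#            SSH_AGENT_PID / SSH_AUTH_SOCK (set via eval of ssh-agent output)
# Returns:   0 on success; any failing step aborts the script (errexit).
#######################################
setup_ssh() {
    # -s makes the output sh compatible, in case it can't detect this for
    # itself.
    #
    # -t sets a limit on how long the key will be kept in memory.  we try to
    # kill the agent when we're done but we can't be sure we'll always
    # succeed.  The value is a number of seconds.
    eval "$(ssh-agent -s -t 300)"

    # On shell exit, run a function to kill the agent.
    trap __cleanup_ssh EXIT

    # A GitLab CI/CD variable set for us to use.
    #
    # With xtrace on, the expanded argument of the command below would be
    # printed to the job log — that is the private key.  Pause tracing for
    # exactly this step and restore it afterwards only if it was on.
    # ':?' aborts with a message instead of feeding an empty string to base64.
    local xtrace_was_on=0
    [[ $- == *x* ]] && xtrace_was_on=1
    set +x
    printf '%s' "${UPDATE_NIXPKGS_PRIVATE_SSHKEY_BASE64:?not set}" | base64 -d | ssh-add -
    (( xtrace_was_on )) && set -x

    # We may not know the git/ssh server's host key yet.  In that case, learn
    # it and proceed.
    export GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=accept-new"
}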

#######################################
# Set the global git identity the bot commits under.
# Globals:   none read; writes the global git config (user.email, user.name)
# Returns:   0 on success (git config failures abort via errexit)
#######################################
setup_git() {
    local setting
    for setting in \
        "user.email=update-bot@private.storage" \
        "user.name=Update Bot"; do
        git config --global "${setting%%=*}" "${setting#*=}"
    done
}

# Credentials first, then the commit identity; either failing aborts the run.
for step in setup_ssh setup_git; do
    "${step}"
done

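# The bot's branch is named after today's date.  Assignment and export are
# separate so a failing `date` is not masked by export's own exit status
# (errexit only sees the status of the last command on a line).  Exported
# because the python payload later in this script reads it from the
# environment.
SOURCE_BRANCH="nixpkgs-upgrade-$(date +%Y-%m-%d)"
export SOURCE_BRANCH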

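# Avoid messing with the checkout we're running from.
git clone . working-copy
cd working-copy
# Use the same host constant as the API call below rather than a second,
# hard-coded copy of the hostname.
git remote add upstream "gitlab@${HOST}:PrivateStorage/PrivateStorageio.git"
git fetch upstream develop
# A leftover branch from an earlier run on the same day is expected; -B
# below would reset it anyway, so a failed delete is harmless.
git branch -D "${SOURCE_BRANCH}" || true
git checkout -B "${SOURCE_BRANCH}" upstream/develop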

# Stub users.nix with an empty attribute set before building — presumably the
# real public-keys file is not available in CI and is not needed for a
# closure diff; confirm against the morph expression.
printf '%s\n' '{}' > morph/grid/local/public-keys/users.nix
# Baseline closure, to be compared against the post-update build.
nix-build --attr morph --out-link result-before

# Spawn *another* nix-shell that has the *other* update-nixpkgs tool.  Should
# sort out this mess sooner rather than later...
#
# ../shell.nix is the original checkout's shell.nix (we are inside the
# working-copy clone).  The --run string is single-quoted on purpose: ${PWD}
# is expanded by the shell nix-shell starts rather than by this one; both
# share the same cwd, so either way nixpkgs.json resolves inside working-copy.
nix-shell ../shell.nix --run 'update-nixpkgs ${PWD}/nixpkgs.json'

# Show us what we did.  --exit-code makes git diff return non-zero when the
# working tree differs (the diff itself still goes to stdout), so a zero
# status means update-nixpkgs changed nothing and there is no MR to open.
if git diff --exit-code; then
    printf '%s\n' "No changes."
    exit 0
fi

# Build the updated closure and capture a human-readable before/after
# comparison; it becomes the merge request description.
nix-build --attr morph --out-link result-after
DIFF=$(
    nix --extra-experimental-features nix-command \
        store diff-closures ./result-before/ ./result-after/
)

# Commit the bump and publish the branch.  --force is intended: the branch is
# date-named, recreated from upstream/develop on every run, and owned by
# this bot, so an earlier push from the same day is meant to be overwritten.
git commit --all --message "bump nixpkgs version"
git push --force upstream "${SOURCE_BRANCH}:${SOURCE_BRANCH}"

# Build the merge request payload as JSON.  The closure diff is handed to
# python as argv[1] (never interpolated into the script text) and wrapped in
# a fenced code block for the MR description.  CI_PROJECT_ID is provided by
# GitLab CI; SOURCE_BRANCH is exported earlier in this script.
BODY=$(python3 - "${DIFF}" <<'PYEOF'
import json
import os
import sys

payload = {
    "id": os.environ["CI_PROJECT_ID"],
    "source_branch": os.environ["SOURCE_BRANCH"],
    "target_branch": "develop",
    "remove_source_branch": True,
    "title": "bump nixpkgs version",
    "description": "```\n" + sys.argv[1] + "\n```",
}
print(json.dumps(payload))
PYEOF
)

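# Create the merge request.  The API token must not reach the job log, so
# this runs in a subshell with xtrace off and passes the token to curl through
# a temporary file (--header @file) instead of on the command line.  The
# subshell's own EXIT trap removes that file and leaves the script-level
# EXIT trap (the ssh-agent cleanup) untouched.  --verbose is dropped because
# it echoes the request headers, token included; --fail makes an HTTP error
# from the API a non-zero exit so the job cannot report success on a
# rejected request.
(
    set +x
    hdr_file=$(mktemp)
    trap 'rm -f -- "${hdr_file}"' EXIT
    printf 'PRIVATE-TOKEN: %s\n' "${UPDATE_NIXPKGS_PRIVATE_TOKEN:?not set}" > "${hdr_file}"
    curl --fail --silent --show-error \
        --request POST \
        --header "Content-Type: application/json" \
        --header @"${hdr_file}" \
        --data "${BODY}" \
        "https://${HOST}/api/v4/projects/${CI_PROJECT_ID}/merge_requests"
)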