#!/usr/bin/env nix-shell
#!nix-shell -i bash -p nixUnstable git openssh curl python3
# ^^
# we get nixUnstable for the diff-closures command, mostly.
# we need git to commit and push our changes
# we need openssh for ssh-agent to authenticate the push
# we need curl to create the gitlab MR
# we need python3 to build the JSON body of the MR request
# Strict mode: stop on errors, on unset variables and on a failure in any
# pipeline stage. xtrace is also on, so every command is written to the job
# log with its arguments already expanded; anything that expands a secret
# has to switch tracing off around that command.
set -o errexit -o nounset -o xtrace -o pipefail

# The GitLab host, used for both the ssh remote and the API URL.
HOST='whetstone.private.storage'
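#######################################
# Start an ssh-agent, load the CI-provided key into it and tell git how to
# invoke ssh.
# Globals:
#   PWD (read), HOME (exported, set to PWD)
#   UPDATE_NIXPKGS_PRIVATE_SSHKEY_BASE64 (read): base64-encoded private key
#   GIT_SSH_COMMAND (exported)
#   plus whatever `ssh-agent -s` prints, which is evaluated in this shell
# Returns:
#   non-zero if decoding the key or adding it to the agent fails
#######################################
setup_ssh() {
  export HOME="${PWD}"

  # -s makes the output sh compatible, in case it can't detect this for
  # itself. The substitution is quoted so the agent's output is evaluated
  # exactly as printed instead of being word-split and globbed first.
  eval "$(ssh-agent -s)"

  # A GitLab CI/CD variable set for us to use. When xtrace is on, the shell
  # prints each command with its arguments expanded, which would write the
  # encoded private key to the job log; tracing is switched off for this one
  # pipeline and restored afterwards.
  local restore_xtrace=0
  case $- in
    *x*)
      restore_xtrace=1
      set +x
      ;;
  esac
  printf '%s\n' "${UPDATE_NIXPKGS_PRIVATE_SSHKEY_BASE64}" | base64 -d | ssh-add -
  if (( restore_xtrace )); then
    set -x
  fi

  # We may not know the git/ssh server's host key yet. In that case, learn
  # it and proceed.
  # NOTE(review): accept-new trusts whichever key the server presents the
  # first time. HOME is the checkout here, so if known_hosts does not survive
  # between jobs (confirm), every run is a "first time" and the server is
  # never actually verified. Pinning the host key in known_hosts from a CI
  # variable would close that gap.
  export GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=accept-new"
}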
#######################################
# Give the bot a committer identity and point "origin" at the project
# repository on HOST, reached over ssh.
# Globals:
#   HOST (read)
#######################################
setup_git() {
  local -r bot_email="update-bot@private.storage"
  local -r bot_name="Update Bot"

  # --global writes to the git config under HOME.
  git config --global user.email "${bot_email}"
  git config --global user.name "${bot_name}"

  # Removing origin fails when there is none; that is fine, the remote is
  # (re)created right after.
  git remote remove origin || true

  local -r origin_url="gitlab@${HOST}:PrivateStorage/PrivateStorageio.git"
  git remote add origin "${origin_url}"
}
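setup_ssh
setup_git

# Exported because the python snippet further down reads it from the
# environment. Assigned separately from `export` so a failing `date` is not
# masked by export's own exit status.
TARGET_BRANCH="nixpkgs-upgrade-$(date +%Y-%m-%d)"
export TARGET_BRANCH

# Replace the local grid's users.nix with an empty attribute set before
# building.
# NOTE(review): if this file is tracked, the `git commit -a` below will also
# commit the emptied version onto the upgrade branch. Confirm that is wanted.
echo '{}' > morph/grid/local/public-keys/users.nix

# Baseline build, kept for the closure diff.
nix-build -A morph -o result-before

# Start from a fresh branch; deleting fails harmlessly when it does not exist.
git branch -D "${TARGET_BRANCH}" || true
git checkout -b "${TARGET_BRANCH}"

# Spawn *another* nix-shell that has the *other* update-nixpkgs tool. Should
# sort out this mess sooner rather than later...
nix-shell ./shell.nix --run 'update-nixpkgs'

git fetch origin develop
git branch -a

# Show us what we did
if git diff --exit-code origin/develop...; then
  echo "No changes."
  exit 0
fi

nix-build -A morph -o result-after

DIFF=$(nix --extra-experimental-features nix-command store diff-closures ./result-before/ ./result-after/)

git commit -am "bump nixpkgs version"
git push --force origin "${TARGET_BRANCH}:${TARGET_BRANCH}"

# Build the merge request payload. The closure diff is wrapped in a Markdown
# code fence *inside* the description field; printing the fence lines around
# the JSON document would make the body invalid JSON for an
# application/json request.
# NOTE(review): source_branch is CI_COMMIT_REF_NAME and target_branch is the
# freshly pushed TARGET_BRANCH, with remove_source_branch set. That reads as
# reversed (the upgrade branch looks like the source). Confirm before this
# request is actually sent.
BODY=$(python3 -c '
import os, sys, json

fenced_diff = "```\n" + sys.argv[1] + "\n```"
print(json.dumps({
    "id": os.environ["CI_PROJECT_ID"],
    "source_branch": os.environ["CI_COMMIT_REF_NAME"],
    "target_branch": os.environ["TARGET_BRANCH"],
    "remove_source_branch": True,
    "title": "bump nixpkgs version",
    "description": fenced_diff,
}))
' "${DIFF}")

# Keep failing early when the token variable is missing. The ${VAR+set} form
# never expands the value itself, so the token does not show up in the trace.
if [[ -z "${UPDATE_NIXPKGS_PRIVATE_TOKEN+set}" ]]; then
  echo "UPDATE_NIXPKGS_PRIVATE_TOKEN is not set" >&2
  exit 1
fi

# The request is only printed, not sent (the command is prefixed with echo).
# The token is shown as a placeholder so that neither this echo nor xtrace
# writes the API token to the job log. When this becomes a real call, hand
# the header to curl from a file (--header @FILE) with tracing off, rather
# than on the command line.
echo curl -X POST --data "${BODY}" --header "Content-Type: application/json" --header "PRIVATE-TOKEN: <redacted>" "https://${HOST}/api/v4/projects/${CI_PROJECT_ID}/merge_requests"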