1name: Nixpkgs Bump PR
2
3# Triggers on stable release publish. Opens PR against NixOS/nixpkgs
4# bumping pkgs/by-name/ma/matcha/package.nix to the new version.
5# Requires:
6# - Fork floatpane/nixpkgs to exist
7# - NIXPKGS_BUMP_TOKEN secret: PAT with `repo` scope on floatpane/nixpkgs
8# and permission to open PRs against NixOS/nixpkgs
9# - Initial matcha package already merged into nixpkgs (this workflow updates, not inits)
10
11on:
12 release:
13 types: [published]
14 workflow_dispatch:
15 inputs:
16 version:
17 description: "Version to bump to (without v prefix)"
18 required: true
19
20permissions:
21 contents: read
22
23jobs:
24 bump:
25 runs-on: ubuntu-latest
26 steps:
27 - name: Determine version
28 id: ver
29 run: |
30 if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
31 VERSION="${{ inputs.version }}"
32 else
33 TAG="${{ github.event.release.tag_name }}"
34 VERSION="${TAG#v}"
35 fi
36 # Skip nightly / preview tags
37 if [[ "$VERSION" == nightly* || "$VERSION" == preview* ]]; then
38 echo "Skipping non-stable release: $VERSION"
39 echo "skip=true" >> $GITHUB_OUTPUT
40 else
41 echo "skip=false" >> $GITHUB_OUTPUT
42 fi
43 echo "version=$VERSION" >> $GITHUB_OUTPUT
44
45 - name: Install Nix
46 if: steps.ver.outputs.skip != 'true'
47 uses: cachix/install-nix-action@v31
48 with:
49 extra_nix_config: |
50 experimental-features = nix-command flakes
51
52 - name: Checkout nixpkgs fork
53 if: steps.ver.outputs.skip != 'true'
54 uses: actions/checkout@v6
55 with:
56 repository: floatpane/nixpkgs
57 token: ${{ secrets.HOMEBREW_GITHUB_TOKEN }}
58 path: nixpkgs
59 fetch-depth: 0
60
61 - name: Sync fork with upstream master
62 if: steps.ver.outputs.skip != 'true'
63 working-directory: nixpkgs
64 run: |
65 git config user.name "Floatpane Bot"
66 git config user.email "us@floatpane.com"
67 git remote add upstream https://github.com/NixOS/nixpkgs.git
68 git fetch upstream master staging
69 git checkout master
70 git reset --hard upstream/master
71 git push origin master --force-with-lease
72
73 - name: Get current version (from master)
74 if: steps.ver.outputs.skip != 'true'
75 id: current
76 working-directory: nixpkgs
77 run: |
78 PKG=pkgs/by-name/ma/matcha/package.nix
79 OLD=$(grep -E '^\s*version\s*=\s*"' "$PKG" | head -1 | sed -E 's/.*"([^"]+)".*/\1/')
80 echo "old=$OLD" >> $GITHUB_OUTPUT
81
82 - name: Write go overlay from staging
83 if: steps.ver.outputs.skip != 'true'
84 working-directory: nixpkgs
85 run: |
86 # master nixpkgs heavily cached. Staging has go_1_26 = 1.26.3.
87 # Overlay swaps only go_1_26 → minimal rebuild.
88 STAGING_REV=$(git rev-parse upstream/staging)
89 echo "STAGING_REV=$STAGING_REV" >> $GITHUB_ENV
90 cat > /tmp/go-overlay.nix <<EOF
91 let
92 staging = import (builtins.fetchTarball
93 "https://github.com/NixOS/nixpkgs/archive/$STAGING_REV.tar.gz") {};
94 in final: prev: {
95 go_1_26 = staging.go_1_26;
96 go = staging.go_1_26;
97 buildGoModule = prev.buildGoModule.override { go = staging.go_1_26; };
98 }
99 EOF
100 cat /tmp/go-overlay.nix
101
102 - name: Create bump branch
103 if: steps.ver.outputs.skip != 'true'
104 working-directory: nixpkgs
105 run: |
106 BRANCH="matcha-${{ steps.ver.outputs.version }}"
107 git checkout -b "$BRANCH"
108 echo "BRANCH=$BRANCH" >> $GITHUB_ENV
109
110 - name: Bump version and reset hashes
111 if: steps.ver.outputs.skip != 'true'
112 working-directory: nixpkgs
113 run: |
114 PKG=pkgs/by-name/ma/matcha/package.nix
115 NEW="${{ steps.ver.outputs.version }}"
116 # Replace version line
117 sed -i -E "s/(version\s*=\s*\")[^\"]+(\")/\1$NEW\2/" "$PKG"
118 # Reset src hash + vendorHash to fakeHash so nix build prints real ones
119 sed -i -E 's|hash = "sha256-[A-Za-z0-9+/=]+"|hash = lib.fakeHash|' "$PKG"
120 sed -i -E 's|vendorHash = "sha256-[A-Za-z0-9+/=]+"|vendorHash = lib.fakeHash|' "$PKG"
121
122 - name: Prefetch src hash (no build)
123 if: steps.ver.outputs.skip != 'true'
124 id: src_hash
125 working-directory: nixpkgs
126 run: |
127 NEW="${{ steps.ver.outputs.version }}"
128 URL="https://github.com/floatpane/matcha/archive/refs/tags/v$NEW.tar.gz"
129 # --unpack matches fetchFromGitHub (NAR hash of unpacked tarball)
130 BASE32=$(nix-prefetch-url --unpack "$URL")
131 HASH=$(nix hash to-sri --type sha256 "$BASE32")
132 echo "Resolved SRI hash: $HASH"
133 echo "hash=$HASH" >> $GITHUB_OUTPUT
134 sed -i -E "s|hash = lib.fakeHash|hash = \"$HASH\"|" pkgs/by-name/ma/matcha/package.nix
135
136 - name: Build to extract vendorHash
137 if: steps.ver.outputs.skip != 'true'
138 working-directory: nixpkgs
139 run: |
140 set +e
141 nix-build ./. -A matcha --no-out-link \
142 --arg overlays "[ (import /tmp/go-overlay.nix) ]" \
143 2>&1 | tee /tmp/build-vendor.log
144 HASH=$(grep -oE 'got:[[:space:]]+sha256-[A-Za-z0-9+/=]+' /tmp/build-vendor.log | head -1 | awk '{print $2}')
145 if [ -z "$HASH" ]; then
146 echo "Failed to extract vendorHash"; exit 1
147 fi
148 sed -i -E "s|vendorHash = lib.fakeHash|vendorHash = \"$HASH\"|" pkgs/by-name/ma/matcha/package.nix
149
150 - name: Final build (sanity check)
151 if: steps.ver.outputs.skip != 'true'
152 working-directory: nixpkgs
153 run: |
154 nix-build ./. -A matcha --no-out-link \
155 --arg overlays "[ (import /tmp/go-overlay.nix) ]"
156
157 - name: Commit and push
158 if: steps.ver.outputs.skip != 'true'
159 working-directory: nixpkgs
160 run: |
161 git add pkgs/by-name/ma/matcha/package.nix
162 git commit -m "matcha: ${{ steps.current.outputs.old }} -> ${{ steps.ver.outputs.version }}"
163 git push -u origin "$BRANCH" --force-with-lease
164
165 - name: Open PR against NixOS/nixpkgs
166 if: steps.ver.outputs.skip != 'true'
167 env:
168 GH_TOKEN: ${{ secrets.HOMEBREW_GITHUB_TOKEN }}
169 working-directory: nixpkgs
170 run: |
171 BODY=$(cat <<EOF
172 ## Description
173
174 Automated version bump for \`matcha\` email client.
175
176 - Old: ${{ steps.current.outputs.old }}
177 - New: ${{ steps.ver.outputs.version }}
178 - Upstream release: https://github.com/floatpane/matcha/releases/tag/v${{ steps.ver.outputs.version }}
179
180 ## Things done
181
182 - Built on \`x86_64-linux\` via GitHub Actions
183 - Hashes regenerated from upstream tarball
184 - No package metadata changes beyond version + hashes
185
186 cc maintainer for review.
187 EOF
188 )
189 gh pr create \
190 --repo NixOS/nixpkgs \
191 --base master \
192 --head "floatpane:$BRANCH" \
193 --title "matcha: ${{ steps.current.outputs.old }} -> ${{ steps.ver.outputs.version }}" \
194 --body "$BODY"