nixpkgs-bump.yml

  1name: Nixpkgs Bump PR
  2
  3# Triggers on stable release publish. Opens PR against NixOS/nixpkgs
  4# bumping pkgs/by-name/ma/matcha/package.nix to the new version.
  5# Requires:
  6#   - Fork floatpane/nixpkgs to exist
  7#   - NIXPKGS_BUMP_TOKEN secret: PAT with `repo` scope on floatpane/nixpkgs
  8#     and permission to open PRs against NixOS/nixpkgs
  9#   - Initial matcha package already merged into nixpkgs (this workflow updates, not inits)
 10
 11on:
 12  release:
 13    types: [published]
 14  workflow_dispatch:
 15    inputs:
 16      version:
 17        description: "Version to bump to (without v prefix)"
 18        required: true
 19
 20permissions:
 21  contents: read
 22
 23jobs:
 24  bump:
 25    runs-on: ubuntu-latest
 26    steps:
 27      - name: Determine version
 28        id: ver
 29        run: |
 30          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
 31            VERSION="${{ inputs.version }}"
 32          else
 33            TAG="${{ github.event.release.tag_name }}"
 34            VERSION="${TAG#v}"
 35          fi
 36          # Skip nightly / preview tags
 37          if [[ "$VERSION" == nightly* || "$VERSION" == preview* ]]; then
 38            echo "Skipping non-stable release: $VERSION"
 39            echo "skip=true" >> $GITHUB_OUTPUT
 40          else
 41            echo "skip=false" >> $GITHUB_OUTPUT
 42          fi
 43          echo "version=$VERSION" >> $GITHUB_OUTPUT
 44
 45      - name: Install Nix
 46        if: steps.ver.outputs.skip != 'true'
 47        uses: cachix/install-nix-action@v31
 48        with:
 49          extra_nix_config: |
 50            experimental-features = nix-command flakes
 51
 52      - name: Checkout nixpkgs fork
 53        if: steps.ver.outputs.skip != 'true'
 54        uses: actions/checkout@v6
 55        with:
 56          repository: floatpane/nixpkgs
 57          token: ${{ secrets.HOMEBREW_GITHUB_TOKEN }}
 58          path: nixpkgs
 59          fetch-depth: 0
 60
 61      - name: Sync fork with upstream master
 62        if: steps.ver.outputs.skip != 'true'
 63        working-directory: nixpkgs
 64        run: |
 65          git config user.name "Floatpane Bot"
 66          git config user.email "us@floatpane.com"
 67          git remote add upstream https://github.com/NixOS/nixpkgs.git
 68          git fetch upstream master
 69          git checkout master
 70          git reset --hard upstream/master
 71          git push origin master --force-with-lease
 72
 73      - name: Create bump branch
 74        if: steps.ver.outputs.skip != 'true'
 75        working-directory: nixpkgs
 76        run: |
 77          BRANCH="matcha-${{ steps.ver.outputs.version }}"
 78          git checkout -b "$BRANCH"
 79          echo "BRANCH=$BRANCH" >> $GITHUB_ENV
 80
 81      - name: Get current version
 82        if: steps.ver.outputs.skip != 'true'
 83        id: current
 84        working-directory: nixpkgs
 85        run: |
 86          PKG=pkgs/by-name/ma/matcha/package.nix
 87          OLD=$(grep -E '^\s*version\s*=\s*"' "$PKG" | head -1 | sed -E 's/.*"([^"]+)".*/\1/')
 88          echo "old=$OLD" >> $GITHUB_OUTPUT
 89
 90      - name: Bump version and reset hashes
 91        if: steps.ver.outputs.skip != 'true'
 92        working-directory: nixpkgs
 93        run: |
 94          PKG=pkgs/by-name/ma/matcha/package.nix
 95          NEW="${{ steps.ver.outputs.version }}"
 96          # Replace version line
 97          sed -i -E "s/(version\s*=\s*\")[^\"]+(\")/\1$NEW\2/" "$PKG"
 98          # Reset src hash + vendorHash to fakeHash so nix build prints real ones
 99          sed -i -E 's|hash = "sha256-[A-Za-z0-9+/=]+"|hash = lib.fakeHash|' "$PKG"
100          sed -i -E 's|vendorHash = "sha256-[A-Za-z0-9+/=]+"|vendorHash = lib.fakeHash|' "$PKG"
101
102      - name: Build to extract src hash
103        if: steps.ver.outputs.skip != 'true'
104        id: src_hash
105        working-directory: nixpkgs
106        run: |
107          set +e
108          OUT=$(nix-build -A matcha --no-out-link 2>&1)
109          RC=$?
110          echo "$OUT"
111          HASH=$(echo "$OUT" | grep -A1 "got:" | tail -1 | tr -d ' ')
112          if [ -z "$HASH" ]; then
113            echo "Failed to extract src hash"; exit 1
114          fi
115          echo "hash=$HASH" >> $GITHUB_OUTPUT
116          sed -i -E "s|hash = lib.fakeHash|hash = \"$HASH\"|" pkgs/by-name/ma/matcha/package.nix
117
118      - name: Build to extract vendorHash
119        if: steps.ver.outputs.skip != 'true'
120        working-directory: nixpkgs
121        run: |
122          set +e
123          OUT=$(nix-build -A matcha --no-out-link 2>&1)
124          RC=$?
125          echo "$OUT"
126          HASH=$(echo "$OUT" | grep -A1 "got:" | tail -1 | tr -d ' ')
127          if [ -z "$HASH" ]; then
128            echo "Failed to extract vendorHash"; exit 1
129          fi
130          sed -i -E "s|vendorHash = lib.fakeHash|vendorHash = \"$HASH\"|" pkgs/by-name/ma/matcha/package.nix
131
132      - name: Final build (sanity check)
133        if: steps.ver.outputs.skip != 'true'
134        working-directory: nixpkgs
135        run: nix-build -A matcha --no-out-link
136
137      - name: Commit and push
138        if: steps.ver.outputs.skip != 'true'
139        working-directory: nixpkgs
140        run: |
141          git add pkgs/by-name/ma/matcha/package.nix
142          git commit -m "matcha: ${{ steps.current.outputs.old }} -> ${{ steps.ver.outputs.version }}"
143          git push -u origin "$BRANCH" --force-with-lease
144
145      - name: Open PR against NixOS/nixpkgs
146        if: steps.ver.outputs.skip != 'true'
147        env:
148          GH_TOKEN: ${{ secrets.HOMEBREW_GITHUB_TOKEN }}
149        working-directory: nixpkgs
150        run: |
151          BODY=$(cat <<EOF
152          ## Description
153
154          Automated version bump for \`matcha\` email client.
155
156          - Old: ${{ steps.current.outputs.old }}
157          - New: ${{ steps.ver.outputs.version }}
158          - Upstream release: https://github.com/floatpane/matcha/releases/tag/v${{ steps.ver.outputs.version }}
159
160          ## Things done
161
162          - Built on \`x86_64-linux\` via GitHub Actions
163          - Hashes regenerated from upstream tarball
164          - No package metadata changes beyond version + hashes
165
166          cc maintainer for review.
167          EOF
168          )
169          gh pr create \
170            --repo NixOS/nixpkgs \
171            --base master \
172            --head "floatpane:$BRANCH" \
173            --title "matcha: ${{ steps.current.outputs.old }} -> ${{ steps.ver.outputs.version }}" \
174            --body "$BODY"