tom: run runners as separate user with permission to resart app #653
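---
# Scheduled dependency bump for this Nix flake. The first job runs
# `nix flake update`, publishes the new flake.lock on an "update" branch and
# confirms the darwin configurations build; the second job confirms the NixOS
# configuration builds from that branch and merges it into main. On
# pull_request events only the build steps run: every step that configures
# credentials or pushes is gated on `github.event_name != 'pull_request'`.
name: Update depended packages
# `on` is a YAML 1.1 boolean to generic parsers; GitHub's loader reads it as the
# key name, so the yamllint truthy rule is suppressed rather than "fixed".
on:  # yamllint disable-line rule:truthy
  pull_request:
  schedule:
    - cron: "0 12 * * *"  # daily at 12:00 UTC
  workflow_dispatch:

jobs:
  stablearhtns:
    name: Check for broken evolutions
    # NOTE(review): "tim" is not a GitHub-hosted label, so this looks like a
    # self-hosted darwin runner (the steps below build darwin system closures).
    # On pull_request events the checked-out flake is the PR's code and
    # `nix build` evaluates it on that machine; the repository's fork-PR
    # approval setting decides which PRs get that far. Confirm this is intended.
    runs-on: tim
    permissions:
      contents: write  # the push steps below write to the repository
    steps:
      - name: Checkout this repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0  # full history: the lock step counts origin/main..origin/update
          # Keeps the job token in .git/config for later steps. NOTE(review):
          # the credentials step below switches origin to an SSH URL, so the
          # pushes in this job presumably authenticate with the runner's SSH
          # key rather than this token -- confirm whether it is still needed.
          persist-credentials: true
      # Identity for the automated commit; the SSH remote means pushes use
      # whatever key the runner holds. Skipped on pull_request events.
      - name: Configure git credentials
        if: github.event_name != 'pull_request'
        run: |
          git config user.name '@theorderingmachine'
          git config user.email 'tom@deorr.co'
          git remote set-url origin git@github.com:zimeg/.DOTFILES.git
      - name: Reflect existing Nix
        run: |
          nix --version
          fastfetch
      - name: Update to the latest
        if: github.event_name != 'pull_request'
        run: |
          nix flake update
      # Refuses to clobber an existing "update" branch unless it is exactly one
      # commit ahead of origin/main (presumably the previous automated bump);
      # anything else is treated as manual work and the job stops with exit 1.
      # NOTE(review): if `nix flake update` changed nothing, `git commit --all`
      # has nothing to commit and exits non-zero, failing the run -- confirm
      # that is the wanted outcome for a no-op night.
      - name: Save the flake locks
        if: github.event_name != 'pull_request'
        run: |
          git rev-parse --verify --quiet origin/update >/dev/null &&
          [ "$(git rev-list --count origin/main..origin/update 2>/dev/null)" -ne 1 ] &&
          exit 1
          git switch --force-create update origin/main
          git commit --all --message "chore(deps): automatic version bump to the most recent packages"
          git push -f origin update
      - name: Confirm darwin server builds
        run: |
          nix build .#darwinConfigurations.eztim25.local.system
      - name: Confirm darwin laptop builds
        run: |
          nix build .#darwinConfigurations.ezmbp24.local.system
      - name: Confirm darwin workstation builds
        run: |
          nix build .#darwinConfigurations.edenzim-ltmbn8v.internal.salesforce.com.system

  updateronimo:
    name: Snapshot upstream releases
    needs: stablearhtns  # only merge a lock the darwin builds accepted
    # NOTE(review): "tom" likewise looks like a self-hosted runner; the
    # "Reflect existing Nix" step fails unless `uname -a` mentions NixOS.
    runs-on: tom
    permissions:
      contents: write  # the merge step pushes main and deletes the update branch
    steps:
      - name: Checkout the changes
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          # This job keeps the HTTPS origin, so the push below presumably
          # authenticates with the persisted job token.
          persist-credentials: true
          # On pull_request events build the PR branch; otherwise the "update"
          # branch the first job just pushed.
          ref: ${{ github.event.pull_request.head.ref || 'update' }}
      - name: Reflect existing Nix
        run: |
          uname -a | grep NixOS
          fastfetch
      - name: Write remembered commit
        run: |
          cat flake.lock
      - name: Insure nixos builds
        run: |
          nix build .#nixosConfigurations.tom.config.system.build.toplevel
      # Merge the verified update branch into main and drop the staging branch.
      # Skipped on pull_request events.
      - name: Save changed version
        if: github.event_name != 'pull_request'
        run: |
          git checkout main
          git merge update
          git push -u origin main
          git push origin --delete update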