{"id":13688654,"url":"https://github.com/DeterminateSystems/update-flake-lock","last_synced_at":"2025-05-01T19:31:19.856Z","repository":{"id":37022825,"uuid":"418625766","full_name":"DeterminateSystems/update-flake-lock","owner":"DeterminateSystems","description":"Automatically refresh your Nix Flakes.","archived":false,"fork":false,"pushed_at":"2025-04-27T17:54:23.000Z","size":3513,"stargazers_count":300,"open_issues_count":24,"forks_count":35,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-04-30T02:01:51.328Z","etag":null,"topics":["nix","nix-flake"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DeterminateSystems.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-10-18T18:39:57.000Z","updated_at":"2025-04-28T19:26:03.000Z","dependencies_parsed_at":"2022-07-11T15:22:20.848Z","dependency_job_id":"51246c1b-b8f5-439e-b1a1-8864f06d4d32","html_url":"https://github.com/DeterminateSystems/update-flake-lock","commit_stats":{"total_commits":126,"total_committers":24,"mean_commits":5.25,"dds":0.7619047619047619,"last_synced_commit":"965531f33224d3e24e8168f9b35da1d9d6ad042c"},"previous_names":[],"tags_count":24,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DeterminateSystems%2Fupdate-flake-lock","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DeterminateSystems%2Fupdate-flake-lock/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositorie
s/DeterminateSystems%2Fupdate-flake-lock/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DeterminateSystems%2Fupdate-flake-lock/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DeterminateSystems","download_url":"https://codeload.github.com/DeterminateSystems/update-flake-lock/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251895475,"owners_count":21661343,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["nix","nix-flake"],"created_at":"2024-08-02T15:01:18.814Z","updated_at":"2025-05-01T19:31:19.849Z","avatar_url":"https://github.com/DeterminateSystems.png","language":"TypeScript","funding_links":[],"categories":["GitHub","TypeScript","Github Actions"],"sub_categories":[],"readme":"# update-flake-lock\n\nThis is a GitHub Action that updates the [`flake.lock`][lockfile] file for your [Nix flake][flakes] whenever it is run.\n\n\u003e [!NOTE]\n\u003e As of v3, this action no longer automatically installs [Determinate Nix][det-nix] to the action runner.\n\u003e You **must** set up Nix with flakes support enabled prior to running this action or your workflow will not function as expected.\n\n## Example\n\nHere's an example GitHub Action workflow using this Action:\n\n```yaml\nname: update-flake-lock\n\non:\n  workflow_dispatch: # allows manual triggering\n  schedule:\n    - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00\n\njobs:\n  lockfile:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout repository\n        uses: 
actions/checkout@v4\n      - name: Install Determinate Nix\n        uses: DeterminateSystems/nix-installer-action@main\n        with:\n          determinate: true\n      - name: Update flake.lock\n        uses: DeterminateSystems/update-flake-lock@main\n        with:\n          pr-title: \"Update flake.lock\" # Title of PR to be created\n          pr-labels: |                  # Labels to be set on the PR\n            dependencies\n            automated\n```\n\n## Example updating specific input(s)\n\n\u003e [!NOTE]\n\u003e If any inputs have a stale reference (e.g. the lockfile thinks a git input wants its \"ref\" to be \"nixos-unstable\", but the flake.nix specifies \"nixos-unstable-small\"), they are also updated. At this time, there is no known workaround.\n\nIt's also possible to update specific [flake inputs][inputs] by specifying them in a space-separated list:\n\n```yaml\nname: update-flake-lock\n\non:\n  workflow_dispatch: # allows manual triggering\n  schedule:\n    - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00\n\njobs:\n  lockfile:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout repository\n        uses: actions/checkout@v4\n      - name: Install Determinate Nix\n        uses: DeterminateSystems/nix-installer-action@main\n        with:\n          determinate: true\n      - name: Update flake.lock\n        uses: DeterminateSystems/update-flake-lock@main\n        with:\n          inputs: input1 input2 input3\n```\n\n## Example adding options to nix command\n\nIt's also possible to use specific options to the `nix` command in a space-separated list:\n\n```yaml\nname: update-flake-lock\non:\n  workflow_dispatch: # allows manual triggering\n  schedule:\n    - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00\n\njobs:\n  lockfile:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout repository\n        uses: actions/checkout@v4\n      - name: Install Determinate Nix\n        uses: 
DeterminateSystems/nix-installer-action@main\n        with:\n          determinate: true\n      - name: Update flake.lock\n        uses: DeterminateSystems/update-flake-lock@main\n        with:\n          nix-options: --debug --log-format raw\n```\n\n## Example that prints the number of the created PR\n\n```yaml\nname: update-flake-lock\non:\n  workflow_dispatch: # allows manual triggering\n  schedule:\n    - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00\n\njobs:\n  lockfile:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout repository\n        uses: actions/checkout@v4\n      - name: Install Determinate Nix\n        uses: DeterminateSystems/nix-installer-action@main\n        with:\n          determinate: true\n      - name: Update flake.lock\n        id: update\n        uses: DeterminateSystems/update-flake-lock@main\n        with:\n          inputs: input1 input2 input3\n      - name: Print PR number\n        run: echo Pull request number is ${{ steps.update.outputs.pull-request-number }}.\n```\n\n## Example that doesn't run on PRs\n\nIf you were to run this action as a part of your CI workflow, you may want to prevent it from running against Pull Requests.\n\n```yaml\nname: update-flake-lock\non:\n  workflow_dispatch: # allows manual triggering\n  pull_request: # triggers on every Pull Request\n  schedule:\n    - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00\n\njobs:\n  lockfile:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout repository\n        uses: actions/checkout@v4\n      - name: Install Determinate Nix\n        uses: DeterminateSystems/nix-installer-action@main\n        with:\n          determinate: true\n      - name: Update flake.lock\n        if: ${{ github.event_name != 'pull_request' }}\n        uses: DeterminateSystems/update-flake-lock@main\n        with:\n          inputs: input1 input2 input3\n          path-to-flake-dir: 'nix/' # in this example our flake doesn't sit at the root of the repository, it sits 
under 'nix/flake.nix'\n```\n\n## Example using a different Git user\n\nIf you want to change the author and / or committer of the flake.lock update commit, you can tweak the `git-{author,committer}-{name,email}` options:\n\n```yaml\nname: update-flake-lock\non:\n  workflow_dispatch: # allows manual triggering\n  schedule:\n    - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00\n\njobs:\n  lockfile:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout repository\n        uses: actions/checkout@v4\n      - name: Install Determinate Nix\n        uses: DeterminateSystems/nix-installer-action@main\n        with:\n          determinate: true\n      - name: Update flake.lock\n        uses: DeterminateSystems/update-flake-lock@main\n        with:\n          git-author-name: Jane Author\n          git-author-email: github-actions[bot]@users.noreply.github.com\n          git-committer-name: John Committer\n          git-committer-email: github-actions[bot]@users.noreply.github.com\n```\n\n## Running GitHub Actions CI\n\nGitHub Actions doesn't run workflows when a branch is pushed by or a PR is opened by a GitHub Action.\nThere are two ways to have GitHub Actions CI run on a PR submitted by this action.\n\n### Without a Personal Authentication Token\n\nWithout using a Personal Authentication Token, close and reopen the pull request manually to kick off CI.\n\n### With a Personal Authentication Token\n\nBy providing a Personal Authentication Token, the PR is submitted in a way that bypasses this limitation (GitHub essentially thinks it's the owner of the PAT submitting the PR, and not an Action).\nYou can create a token by visiting https://github.com/settings/tokens and select at least the `repo` scope. For the new fine-grained tokens, you need to enable read and write access for \"Contents\" and \"Pull Requests\" permissions. Then, store this token in your repository secrets (i.e. 
`https://github.com/\u003cUSER\u003e/\u003cREPO\u003e/settings/secrets/actions`) as `GH_TOKEN_FOR_UPDATES` and set up your workflow file like the following:\n\n```yaml\nname: update-flake-lock\non:\n  workflow_dispatch: # allows manual triggering\n  schedule:\n    - cron: '0 0 * * 1,4' # Run twice a week\n\njobs:\n  lockfile:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout repository\n        uses: actions/checkout@v4\n      - name: Install Determinate Nix\n        uses: DeterminateSystems/nix-installer-action@main\n        with:\n          determinate: true\n      - name: Update flake.lock\n        uses: DeterminateSystems/update-flake-lock@main\n        with:\n          token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}\n```\n\n## With GPG commit signing\n\nIt's possible for the bot to produce GPG-signed commits.\nAssociating a GPG public key with a GitHub user account isn't required but it *is* necessary if you want the signed commits to appear as verified in GitHub.\nThis can be a compliance requirement in some cases.\n\nYou can follow [GitHub's guide to creating and/or adding a new GPG key to a user account](https://docs.github.com/en/authentication/managing-commit-signature-verification/adding-a-new-gpg-key-to-your-github-account).\nUsing a specific GitHub user account for the bot can be a good security measure to dissociate this bot's actions and commits from your personal GitHub account.\n\nFor the bot to produce signed commits, you need to provide the GPG private keys to this action's input parameters. 
You can safely do that with [GitHub secrets as explained here](https://github.com/crazy-max/ghaction-import-gpg#prerequisites).\n\nWhen using commit signing, the commit author name and email for the commits produced by this bot would correspond to the ones associated with the GPG Public Key.\n\nIf you want to sign using a subkey, you must specify the subkey fingerprint using the `gpg-fingerprint` input parameter.\n\nHere's an example of how to use this action with commit signing:\n\n```yaml\nname: update-flake-lock\n\non:\n  workflow_dispatch: # allows manual triggering\n  schedule:\n    - cron: '0 0 * * 1,4' # Run twice a week\n\njobs:\n  lockfile:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout repository\n        uses: actions/checkout@v4\n      - name: Install Determinate Nix\n        uses: DeterminateSystems/nix-installer-action@main\n        with:\n          determinate: true\n      - name: Update flake.lock\n        uses: DeterminateSystems/update-flake-lock@main\n        with:\n          sign-commits: true\n          gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}\n          gpg-fingerprint: ${{ secrets.GPG_FINGERPRINT }} # specify subkey fingerprint (optional)\n          gpg-passphrase: ${{ secrets.GPG_PASSPHRASE }}\n```\n\n## Custom PR Body\n\nBy default, the generated PR body uses this template:\n\n````handlebars\nAutomated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action.\n\n````\n{{ env.GIT_COMMIT_MESSAGE }}\n````\n```\n\n### Running GitHub Actions on this PR\n\nGitHub Actions doesn't run workflows on pull requests that are opened by a GitHub Action.\n\nTo run GitHub Actions workflows on this PR, run:\n\n```sh\ngit branch -D update_flake_lock_action\ngit fetch origin\ngit checkout update_flake_lock_action\ngit commit --amend --no-edit\ngit push origin update_flake_lock_action --force\n```\n````\n\nYou can customize it, however, using variable interpolation performed with 
[Handlebars].\nThis enables you to customize the template with these variables:\n\n- `env.GIT_AUTHOR_NAME`\n- `env.GIT_AUTHOR_EMAIL`\n- `env.GIT_COMMITTER_NAME`\n- `env.GIT_COMMITTER_EMAIL`\n- `env.GIT_COMMIT_MESSAGE`\n\n## Add assignees or reviewers\n\nYou can assign the PR to or request a review from one or more GitHub users with `pr-assignees` and `pr-reviewers`, respectively.\nThese properties expect a comma or newline separated list of GitHub usernames:\n\n```yaml\nname: update-flake-lock\non:\n  workflow_dispatch: # allows manual triggering\n  schedule:\n    - cron: '0 0 * * 1,4' # Run twice a week\n\njobs:\n  lockfile:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout repository\n        uses: actions/checkout@v4\n      - name: Install Determinate Nix\n        uses: DeterminateSystems/nix-installer-action@main\n        with:\n          determinate: true\n      - name: Update flake.lock\n        uses: DeterminateSystems/update-flake-lock@main\n        with:\n          pr-assignees: SomeGitHubUsername\n          pr-reviewers: SomeOtherGitHubUsername,SomeThirdGitHubUsername\n```\n\n## Contributing\n\nFeel free to send a PR or open an issue if you find that something functions unexpectedly!\nPlease make sure to test your changes and update any related documentation before submitting your PR.\n\n### How to test changes\n\nIn order to more easily test your changes to this action, we have created a template repository that should point you in the right direction: https://github.com/DeterminateSystems/update-flake-lock-test-template.\nPlease see the README in that repository for instructions on testing your changes.\n\n[det-nix]: https://docs.determinate.systems/determinate-nix\n[flakes]: https://zero-to-nix.com/concepts/flakes\n[handlebars]: https://handlebarsjs.com\n[inputs]: https://zero-to-nix.com/concepts/flakes/#inputs\n[lockfile]: 
https://zero-to-nix.com/concepts/flakes/#lockfile\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FDeterminateSystems%2Fupdate-flake-lock","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FDeterminateSystems%2Fupdate-flake-lock","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FDeterminateSystems%2Fupdate-flake-lock/lists"}