nixos/.forgejo/workflows/update.yml

name: Update flake inputs

on:
  schedule:
    - cron: '0 4 * * *'  # Daily at 4am UTC
  workflow_dispatch:       # Allow manual trigger from the Actions tab

jobs:
  update:
    runs-on: fred-nix
    permissions:
      contents: write

    steps:
      - name: Checkout repo
        uses: actions/checkout@v6

      - name: Install Nix
        run: |
          set -euxo pipefail
          # The Nix install script refuses to run cleanly as root unless the
          # nixbld group + users exist, even with --no-daemon. The runner's
          # catthehacker image runs jobs as root, so create them first.
          groupadd -r nixbld || true
          for i in $(seq 1 10); do
            useradd -r -g nixbld -G nixbld -d /var/empty -s /sbin/nologin \
              -c "Nix build user $i" "nixbld$i" || true
          done
          curl --proto '=https' --tlsv1.2 -sSfL https://nixos.org/nix/install | sh -s -- --no-daemon
          echo "$HOME/.nix-profile/bin" >> "$GITHUB_PATH"
          mkdir -p ~/.config/nix
          echo 'experimental-features = nix-command flakes' >> ~/.config/nix/nix.conf

      - name: Update flake inputs
        run: nix flake update

      - name: Commit and push
        run: |
          set -euxo pipefail
          if git diff --quiet flake.lock; then
            echo "No changes to flake.lock — skipping commit."
            exit 0
          fi
          git config user.name 'forgejo-actions[bot]'
          git config user.email 'actions@forg.gregersen.it'
          git add flake.lock
          git commit -m 'flake: update inputs'
          git push
2026-03-28 19:27:53 +00:00			`name: Update flake inputs`
workflow: drop GitHub-only actions for the update job Replaces cachix/install-nix-action and stefanzweifel/git-auto-commit-action with inline shell so the workflow no longer touches github.com. Still pulls the runner image from Docker Hub and the install script from nixos.org — those are deliberately left for now and can be cut in a follow-up. actions/checkout stays because it's mirrored on data.forgejo.org and the runner already resolves it there. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-05-01 18:52:37 +01:00
2026-03-28 19:27:53 +00:00			`on:`
			`schedule:`
			`- cron: '0 4 * * *' # Daily at 4am UTC`
workflow: drop GitHub-only actions for the update job Replaces cachix/install-nix-action and stefanzweifel/git-auto-commit-action with inline shell so the workflow no longer touches github.com. Still pulls the runner image from Docker Hub and the install script from nixos.org — those are deliberately left for now and can be cut in a follow-up. actions/checkout stays because it's mirrored on data.forgejo.org and the runner already resolves it there. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-05-01 18:52:37 +01:00			`workflow_dispatch: # Allow manual trigger from the Actions tab`

2026-03-28 19:27:53 +00:00			`jobs:`
			`update:`
runner: add Forgejo Actions runner on the mediaserver Adds services/forgejo-runner.nix as a host-gated module on the mediaserver and switches the flake-update workflow from runs-on: ubuntu-latest to the self-hosted fred-nix label, mapped to catthehacker/ubuntu:act-latest for GitHub-action compatibility. Token lives at /var/secrets/forgejo-runner-token so it stays out of the Nix store. Also drops the stray result/ build symlink from the worktree. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-05-01 15:58:24 +01:00			`runs-on: fred-nix`
2026-03-28 19:27:53 +00:00			`permissions:`
			`contents: write`
workflow: drop GitHub-only actions for the update job Replaces cachix/install-nix-action and stefanzweifel/git-auto-commit-action with inline shell so the workflow no longer touches github.com. Still pulls the runner image from Docker Hub and the install script from nixos.org — those are deliberately left for now and can be cut in a follow-up. actions/checkout stays because it's mirrored on data.forgejo.org and the runner already resolves it there. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-05-01 18:52:37 +01:00
2026-03-28 19:27:53 +00:00			`steps:`
			`- name: Checkout repo`
Bump GitHub Actions to Node.js 24 compatible versions - actions/checkout v4 -> v6 - cachix/install-nix-action v27 -> v31 (also patches CVE-2026-39860) - stefanzweifel/git-auto-commit-action v5 -> v7 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-04-08 19:52:48 +01:00			`uses: actions/checkout@v6`

2026-03-28 19:27:53 +00:00			`- name: Install Nix`
workflow: drop GitHub-only actions for the update job Replaces cachix/install-nix-action and stefanzweifel/git-auto-commit-action with inline shell so the workflow no longer touches github.com. Still pulls the runner image from Docker Hub and the install script from nixos.org — those are deliberately left for now and can be cut in a follow-up. actions/checkout stays because it's mirrored on data.forgejo.org and the runner already resolves it there. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-05-01 18:52:37 +01:00			`run: \|`
			`set -euxo pipefail`
workflow: pre-create nixbld group so the Nix install can run as root The catthehacker runner image runs jobs as root and Nix's install script refuses to do a clean root install without the nixbld group + build users already in place — even with --no-daemon. Adding them inline keeps the workflow self-contained without swapping to a Nix-prebuilt container image. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-05-01 19:14:20 +01:00			`# The Nix install script refuses to run cleanly as root unless the`
			`# nixbld group + users exist, even with --no-daemon. The runner's`
			`# catthehacker image runs jobs as root, so create them first.`
			`groupadd -r nixbld \|\| true`
			`for i in $(seq 1 10); do`
			`useradd -r -g nixbld -G nixbld -d /var/empty -s /sbin/nologin \`
			`-c "Nix build user $i" "nixbld$i" \|\| true`
			`done`
workflow: drop GitHub-only actions for the update job Replaces cachix/install-nix-action and stefanzweifel/git-auto-commit-action with inline shell so the workflow no longer touches github.com. Still pulls the runner image from Docker Hub and the install script from nixos.org — those are deliberately left for now and can be cut in a follow-up. actions/checkout stays because it's mirrored on data.forgejo.org and the runner already resolves it there. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-05-01 18:52:37 +01:00			`curl --proto '=https' --tlsv1.2 -sSfL https://nixos.org/nix/install \| sh -s -- --no-daemon`
			`echo "$HOME/.nix-profile/bin" >> "$GITHUB_PATH"`
			`mkdir -p ~/.config/nix`
			`echo 'experimental-features = nix-command flakes' >> ~/.config/nix/nix.conf`

2026-03-28 19:27:53 +00:00			`- name: Update flake inputs`
			`run: nix flake update`
workflow: drop GitHub-only actions for the update job Replaces cachix/install-nix-action and stefanzweifel/git-auto-commit-action with inline shell so the workflow no longer touches github.com. Still pulls the runner image from Docker Hub and the install script from nixos.org — those are deliberately left for now and can be cut in a follow-up. actions/checkout stays because it's mirrored on data.forgejo.org and the runner already resolves it there. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-05-01 18:52:37 +01:00
			`- name: Commit and push`
			`run: \|`
			`set -euxo pipefail`
			`if git diff --quiet flake.lock; then`
			`echo "No changes to flake.lock — skipping commit."`
			`exit 0`
			`fi`
			`git config user.name 'forgejo-actions[bot]'`
			`git config user.email 'actions@forg.gregersen.it'`
			`git add flake.lock`
			`git commit -m 'flake: update inputs'`
			`git push`