update flake-cron ci

.envrc

@@ -9,3 +9,4 @@ if [[ -e trusted/trusted/flake.nix ]]; then
 fi
 
 use flake
+watch_file flake.lock

.github/workflows/flake-update.yml

@@ -3,7 +3,6 @@ env:
   CI_ALLOW_ROOT: '1'
   CI_CONFIG: ./ci/flake-cron.nix
   CI_PLATFORM: gh-actions
-  OPENSSH_PRIVATE_KEY: ${{ secrets.OPENSSH_PRIVATE_KEY }}
 jobs:
   ci-check:
     name: flake-update check
@@ -11,21 +10,22 @@ jobs:
     steps:
     - id: checkout
       name: git clone
-      uses: actions/checkout@v1
+      uses: actions/checkout@v2
       with:
+        fetch-depth: 0
         submodules: false
     - id: nix-install
       name: nix install
-      uses: arcnmx/ci/actions/nix/install@nix2.4
+      uses: arcnmx/ci/actions/nix/install@nix2.4-broken
     - id: ci-action-build
       name: nix build ci.gh-actions.configFile
-      uses: arcnmx/ci/actions/nix/build@nix2.4
+      uses: arcnmx/ci/actions/nix/build@nix2.4-broken
       with:
         attrs: ci.gh-actions.configFile
         out-link: .ci/workflow.yml
     - id: ci-action-compare
       name: gh-actions compare
-      uses: arcnmx/ci/actions/nix/run@nix2.4
+      uses: arcnmx/ci/actions/nix/run@nix2.4-broken
       with:
         args: -u .github/workflows/flake-update.yml .ci/workflow.yml
         attrs: nixpkgs.diffutils
@@ -36,15 +36,16 @@ jobs:
     steps:
     - id: checkout
       name: git clone
-      uses: actions/checkout@v1
+      uses: actions/checkout@v2
       with:
+        fetch-depth: 0
         submodules: false
     - id: nix-install
       name: nix install
-      uses: arcnmx/ci/actions/nix/install@nix2.4
+      uses: arcnmx/ci/actions/nix/install@nix2.4-broken
     - id: ci-setup
       name: nix setup
-      uses: arcnmx/ci/actions/nix/run@nix2.4
+      uses: arcnmx/ci/actions/nix/run@nix2.4-broken
       with:
         attrs: ci.job.flake-update.run.bootstrap
         quiet: false
@@ -55,7 +56,7 @@ jobs:
         '
     - id: ci-dirty
       name: nix test dirty
-      uses: arcnmx/ci/actions/nix/run@nix2.4
+      uses: arcnmx/ci/actions/nix/run@nix2.4-broken
       with:
         attrs: ci.job.flake-update.run.test
         command: ci-build-dirty
@@ -63,7 +64,7 @@ jobs:
         stdout: ${{ runner.temp }}/ci.build.dirty
     - id: ci-test
       name: nix test build
-      uses: arcnmx/ci/actions/nix/run@nix2.4
+      uses: arcnmx/ci/actions/nix/run@nix2.4-broken
       with:
         attrs: ci.job.flake-update.run.test
         command: ci-build-realise
@@ -74,7 +75,7 @@ jobs:
         CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }}
       id: ci-summary
       name: nix test results
-      uses: arcnmx/ci/actions/nix/run@nix2.4
+      uses: arcnmx/ci/actions/nix/run@nix2.4-broken
       with:
         attrs: ci.job.flake-update.run.test
         command: ci-build-summarise
@@ -86,7 +87,7 @@ jobs:
       id: ci-cache
       if: always()
       name: nix test cache
-      uses: arcnmx/ci/actions/nix/run@nix2.4
+      uses: arcnmx/ci/actions/nix/run@nix2.4-broken
       with:
         attrs: ci.job.flake-update.run.test
         command: ci-build-cache

.github/workflows/nodes.yml

@@ -9,21 +9,21 @@ jobs:
     steps:
     - id: checkout
       name: git clone
-      uses: actions/checkout@v1
+      uses: actions/checkout@v2
       with:
         submodules: false
     - id: nix-install
       name: nix install
-      uses: arcnmx/ci/actions/nix/install@nix2.4
+      uses: arcnmx/ci/actions/nix/install@nix2.4-broken
     - id: ci-action-build
       name: nix build ci.gh-actions.configFile
-      uses: arcnmx/ci/actions/nix/build@nix2.4
+      uses: arcnmx/ci/actions/nix/build@nix2.4-broken
       with:
         attrs: ci.gh-actions.configFile
         out-link: .ci/workflow.yml
     - id: ci-action-compare
       name: gh-actions compare
-      uses: arcnmx/ci/actions/nix/run@nix2.4
+      uses: arcnmx/ci/actions/nix/run@nix2.4-broken
       with:
         args: -u .github/workflows/nodes.yml .ci/workflow.yml
         attrs: nixpkgs.diffutils
@@ -34,15 +34,15 @@ jobs:
     steps:
     - id: checkout
       name: git clone
-      uses: actions/checkout@v1
+      uses: actions/checkout@v2
       with:
         submodules: false
     - id: nix-install
       name: nix install
-      uses: arcnmx/ci/actions/nix/install@nix2.4
+      uses: arcnmx/ci/actions/nix/install@nix2.4-broken
     - id: ci-setup
       name: nix setup
-      uses: arcnmx/ci/actions/nix/run@nix2.4
+      uses: arcnmx/ci/actions/nix/run@nix2.4-broken
       with:
         attrs: ci.job.tewi.run.bootstrap
         quiet: false
@@ -53,7 +53,7 @@ jobs:
         '
     - id: ci-dirty
       name: nix test dirty
-      uses: arcnmx/ci/actions/nix/run@nix2.4
+      uses: arcnmx/ci/actions/nix/run@nix2.4-broken
       with:
         attrs: ci.job.tewi.run.test
         command: ci-build-dirty
@@ -61,7 +61,7 @@ jobs:
         stdout: ${{ runner.temp }}/ci.build.dirty
     - id: ci-test
       name: nix test build
-      uses: arcnmx/ci/actions/nix/run@nix2.4
+      uses: arcnmx/ci/actions/nix/run@nix2.4-broken
       with:
         attrs: ci.job.tewi.run.test
         command: ci-build-realise
@@ -72,7 +72,7 @@ jobs:
         CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }}
       id: ci-summary
       name: nix test results
-      uses: arcnmx/ci/actions/nix/run@nix2.4
+      uses: arcnmx/ci/actions/nix/run@nix2.4-broken
       with:
         attrs: ci.job.tewi.run.test
         command: ci-build-summarise
@@ -84,7 +84,7 @@ jobs:
       id: ci-cache
       if: always()
       name: nix test cache
-      uses: arcnmx/ci/actions/nix/run@nix2.4
+      uses: arcnmx/ci/actions/nix/run@nix2.4-broken
       with:
         attrs: ci.job.tewi.run.test
         command: ci-build-cache

ci/flake-cron.nix

@@ -1,11 +1,13 @@
 { lib, channels, config, ... }:
-with lib; {
+with lib; let
+  gitBranch = "arc";
+in {
   name = "flake-update";
 
   nixpkgs.args.localSystem = "x86_64-linux";
 
   ci = {
-    version = "nix2.4";
+    version = "nix2.4-broken";
     gh-actions = {
       enable = true;
       export = true;
@@ -13,7 +15,6 @@ with lib; {
   };
 
 
-  gh-actions.env.OPENSSH_PRIVATE_KEY = "\${{ secrets.OPENSSH_PRIVATE_KEY }}";
   gh-actions.env.CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}";
 
 
@@ -89,21 +90,14 @@ with lib; {
           enable = false;
         };
         displayName = "flake update build";
-        environment = [ "OPENSSH_PRIVATE_KEY" "CACHIX_SIGNING_KEY" "GITHUB_REF" ];
+        environment = [ "CACHIX_SIGNING_KEY" "GITHUB_REF" ];
         command =
           let
-            main = (import ../.);
             filteredHosts = [ "tewi" ];
             nodeBuildString = concatMapStringsSep " && " (node: "nix build -Lf . network.nodes.nixos.${node}.deploy.system -o result-${node} && nix-collect-garbage -d") filteredHosts;
           in
           ''
             # ${toString builtins.currentTime}
-            if [[ -n $OPENSSH_PRIVATE_KEY ]]; then
-              mkdir ~/.ssh
-              echo "$OPENSSH_PRIVATE_KEY" > ~/.ssh/id_rsa
-              chmod 0600 ~/.ssh/id_rsa
-            fi
-
             nix flake update
 
             if git status --porcelain | grep -qF flake.lock; then
@@ -114,15 +108,12 @@ with lib; {
                   cachix push kittywitch result*/ &
                   CACHIX_PUSH=$!
                 fi
-                if [[ -n $OPENSSH_PRIVATE_KEY ]]; then
+                git add flake.lock
-                  git add flake.lock
+                export GIT_{COMMITTER,AUTHOR}_EMAIL=github@kittywit.ch
-                  export GIT_{COMMITTER,AUTHOR}_EMAIL=github@kittywit.ch
+                export GIT_{COMMITTER,AUTHOR}_NAME="flake cron job"
-                  export GIT_{COMMITTER,AUTHOR}_NAME="flake cron job"
+                git commit --message="ci: flake update"
-                  git commit --message="ci: flake update"
+                if [[ $GITHUB_REF = refs/heads/${gitBranch} ]]; then
-                  if [[ $GITHUB_REF = refs/heads/main ]]; then
+                  git push origin HEAD:${gitBranch}
-                    GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" \
-                      git push ssh://gitea@git.kittywit.ch:62954/kat/nixfiles.git HEAD:main
-                  fi
                 fi
 
                 wait ''${CACHIX_PUSH-}
@@ -135,7 +126,10 @@ with lib; {
       };
   };
 
-  ci.gh-actions.checkoutOptions.submodules = false;
+  ci.gh-actions.checkoutOptions = {
+    submodules = false;
+    fetch-depth = 0;
+  };
 
   cache.cachix = {
     arc = {

ci/nodes.nix

@@ -4,7 +4,7 @@
   nixpkgs.args.localSystem = "x86_64-linux";
 
   ci = {
-    version = "nix2.4";
+    version = "nix2.4-broken";
     gh-actions = {
       enable = true;
       export = true;

flake.lock

@@ -20,16 +20,16 @@
     "ci": {
       "flake": false,
       "locked": {
-        "lastModified": 1668974663,
+        "lastModified": 1668974694,
-        "narHash": "sha256-HnZEJNJfXAVJsk/0r5NB/vPmQ5aj7OMiEBFnJrV8LIU=",
+        "narHash": "sha256-usfZB+CIVltVzkGUNXIdp0L+Nuaa6+gjLxbHT+1THiA=",
         "owner": "arcnmx",
         "repo": "ci",
-        "rev": "21b6f5f3bfafb1fc41c01d151be1b7515f83a1af",
+        "rev": "56a0b866c1c2fedc25eac788fcead8cd229cb2b2",
         "type": "github"
       },
       "original": {
         "owner": "arcnmx",
-        "ref": "nix2.4",
+        "ref": "nix2.4-broken",
         "repo": "ci",
         "type": "github"
       }
@@ -665,11 +665,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1681821469,
+        "lastModified": 1681821695,
-        "narHash": "sha256-CoEr/MiWFzLkC+BI8rC4naJobsOYTccx3D4kUvABsg8=",
+        "narHash": "sha256-uwyBGo/9IALi97AfMuzkJroQQhV6hkybaZVdw6pRNG4=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "edb40ecd6734c7f4daab74e9fa6c08e524bb629a",
+        "rev": "5698b06b0731a2c15ff8c2351644427f8ad33993",
         "type": "github"
       },
       "original": {

flake.nix

@@ -7,7 +7,7 @@
       flake = false;
     };
     ci = {
-      url = "github:arcnmx/ci/nix2.4";
+      url = "github:arcnmx/ci/nix2.4-broken";
       flake = false;
     };
     home-manager = {