mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-05-01 01:51:44 +00:00
* ci(nix): auto-fix stale npm hashes on push to main

  When a PR merges to main with updated package-lock.json or package.json in ui-tui/ or web/, the new auto-fix-main job detects stale npmDepsHash values and pushes a fix commit directly to main. This eliminates the recurring manual hash-bump PRs (#15420, #15314, #15272, #15244) by reusing the existing fix-lockfiles --apply pipeline.

  The fix commit only touches nix/*.nix files, which are outside the push path filter (package-lock.json / package.json), so it cannot re-trigger itself.

  Closes #15314

* fix(ci): use GitHub App token for auto-fix-main push

  GITHUB_TOKEN commits are invisible to workflow triggers (GitHub's infinite-loop prevention). The auto-fix-main job pushes directly to main, so the fix commit never triggered downstream nix.yml verification.

  Mint a short-lived token via the repo's GitHub App (daimon-nous, APP_ID + APP_PRIVATE_KEY secrets) so the push is treated as a real event and nix.yml fires to verify the corrected hashes.

  Tested via workflow_dispatch dry-run: app token minted successfully, checkout with app token succeeded, fix job correctly gated.

  Resolves review feedback from Bugbot (r3144569551).

* ci(nix): rename lockfile check job for required status check

  Rename 'check' → 'nix-lockfile-check' so the status check name is unambiguous when added as a required check on main.

* fix(ci): harden auto-fix-main against races, loops, and silent failures

  Address adversarial review findings:

  1. Race condition (#1): Job-level concurrency with cancel-in-progress collapses back-to-back pushes; ref: main checkout always gets latest branch state; explicit push target (origin HEAD:main).
  2. Loop prevention (#2): File-whitelist check before commit aborts if any file outside nix/{tui,web}.nix was modified, preventing accidental self-triggering.
  3. Silent infra failures (#8): nix-lockfile-check now fails explicitly when fix-lockfiles exits without reporting stale status (catches nix setup failures, network errors, script bugs that bypass continue-on-error).
  4. Commit traceability (#11): Auto-fix commits include source SHA and workflow run URL in the commit body.
  5. Explicit push target (#12): git push origin HEAD:main instead of bare git push.

  ---------

  Co-authored-by: alt-glitch <alt-glitch@users.noreply.github.com>
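The file-whitelist gate from item 2 of the hardening commit, written out as an added stand-alone example (this is not the repository's own workflow code). It assumes the only paths an auto-fix is allowed to touch are exactly nix/tui.nix and nix/web.nix, as the commit message states, and takes the changed-file list as a newline-separated string such as `git diff --name-only` prints; any other path means the job must abort rather than push a commit that could re-trigger the workflow.

```shell
#!/usr/bin/env sh
# Added example: whitelist gate that an auto-fix job runs before committing.
# Assumption: the allowed paths are the two files named in the commit message.
ALLOWED="nix/tui.nix nix/web.nix"

# check_whitelist CHANGED_FILES
#   CHANGED_FILES: newline-separated paths (blank lines ignored).
#   Returns 0 when every path is whitelisted, 1 otherwise; every offending
#   path is reported on stderr so the job log shows why the push was refused.
check_whitelist() {
  changed="$1"
  status=0
  # A here-doc rather than a pipe keeps $status in the current shell.
  while IFS= read -r path; do
    [ -z "$path" ] && continue
    matched=0
    for allowed in $ALLOWED; do
      if [ "$path" = "$allowed" ]; then
        matched=1
        break
      fi
    done
    if [ "$matched" -eq 0 ]; then
      echo "refusing to commit: '$path' is outside the nix/{tui,web}.nix whitelist" >&2
      status=1
    fi
  done <<EOF
$changed
EOF
  return "$status"
}

# Constructed sample diffs (not real repository output).
GOOD_DIFF="nix/tui.nix
nix/web.nix"
BAD_DIFF="nix/web.nix
ui-tui/package-lock.json"

# Demonstration when run directly: the first passes, the second must abort.
if check_whitelist "$GOOD_DIFF"; then
  echo "ok: only whitelisted nix files changed, safe to commit"
fi
if ! check_whitelist "$BAD_DIFF"; then
  echo "abort: a non-whitelisted file changed, not pushing"
fi
```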
74 lines
2.7 KiB
YAML
name: Nix Lockfile Check

on:
  pull_request:
  workflow_dispatch:

permissions:
  contents: read
  pull-requests: write

concurrency:
  group: nix-lockfile-check-${{ github.ref }}
  cancel-in-progress: true

jobs:
  nix-lockfile-check:
    runs-on: ubuntu-latest
    timeout-minutes: 20
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

      - uses: ./.github/actions/nix-setup

      - name: Resolve head SHA
        id: sha
        shell: bash
        run: |
          FULL="${{ github.event.pull_request.head.sha || github.sha }}"
          echo "full=$FULL" >> "$GITHUB_OUTPUT"
          echo "short=${FULL:0:7}" >> "$GITHUB_OUTPUT"

      - name: Check lockfile hashes
        id: check
        continue-on-error: true
        env:
          LINK_SHA: ${{ steps.sha.outputs.full }}
        run: nix run .#fix-lockfiles -- --check

      - name: Fail if check crashed without reporting
        if: steps.check.outputs.stale != 'true' && steps.check.outputs.stale != 'false'
        run: |
          echo "::error::fix-lockfiles exited without reporting stale status — likely an infrastructure or script failure"
          exit 1

      - name: Post sticky PR comment (stale)
        if: steps.check.outputs.stale == 'true' && github.event_name == 'pull_request'
        uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 # v2.9.1
        with:
          header: nix-lockfile-check
          message: |
            ### ⚠️ npm lockfile hash out of date

            Checked against commit [`${{ steps.sha.outputs.short }}`](${{ github.server_url }}/${{ github.repository }}/commit/${{ steps.sha.outputs.full }}) (PR head at check time).

            The `hash = "sha256-..."` line in these nix files no longer matches the committed `package-lock.json`:

            ${{ steps.check.outputs.report }}

            #### Apply the fix

            - [ ] **Apply lockfile fix** — tick to push a commit with the correct hashes to this PR branch
            - Or [run the Nix Lockfile Fix workflow](${{ github.server_url }}/${{ github.repository }}/actions/workflows/nix-lockfile-fix.yml) manually (pass PR `#${{ github.event.pull_request.number }}`)
            - Or locally: `nix run .#fix-lockfiles -- --apply` and commit the diff

      - name: Clear sticky PR comment (resolved)
        if: steps.check.outputs.stale == 'false' && github.event_name == 'pull_request'
        uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 # v2.9.1
        with:
          header: nix-lockfile-check
          delete: true

      - name: Fail if stale
        if: steps.check.outputs.stale == 'true'
        run: exit 1