#!/usr/bin/env sh . ./common.sh direnv allow CMD=${1:-""} eval $(keychain --eval --agents ssh --inherit any) git config user.signingkey /run/secrets/ci_signing_ed25519_key git config commit.gpgsign true git config gpg.ssh.allowedSignersFile .allowed_signers start_ci trap ci_error INT TERM ci_branch=$(date +"%Y%m%dT%H%M%S%z") can_sign=0 for i in $(ssh-add -L | awk '{print $NF}'); do grep -q $i .allowed_signers && can_sign=1 done if [ $can_sign != 1 ]; then echo "Can't find signing key." exit 1 fi git checkout main || handle_co_fail "main" git pull || handle_pull_fail if [ "${1}" = "update" ]; then if ! git checkout -b "${ci_branch}"; then handle_co_fail "${ci_branch}" exit 1 fi bin/deploy watch update if ! git diff --exit-code >/dev/null; then git add pull_requests git commit -m 'watched: update watched pull requests' fi for inp in $(nix flake metadata --json | jq -r '.locks.nodes.root.inputs | keys[] as $k | $k'); do if ! git checkout -b "${ci_branch}_${inp}"; then handle_co_fail "${ci_branch}_${inp}" continue fi current_hash="$(git rev-parse HEAD)" if ! nix flake lock --commit-lock-file --update-input "$inp"; then handle_update_fail "$inp" continue fi maybe_new_hash="$(git rev-parse HEAD)" if [ "${current_hash}" != "${maybe_new_hash}" ]; then if ! nix flake check --print-build-logs; then handle_update_check_fail "$inp" continue fi else msg "No change in input, skipping checks." fi if ! git checkout "${ci_branch}"; then handle_co_fail "${ci_branch}" continue fi if ! git merge "${ci_branch}_${inp}"; then handle_merge_fail "${ci_branch}_${inp}" "${ci_branch}" continue fi done if ! nix flake check --print-build-logs; then handle_update_check_fail "$ci_branch" exit 1 fi if ! git checkout main; then handle_co_fail exit 1 fi if ! git merge "${ci_branch}"; then handle_merge_fail "${ci_branch}" "main" exit 1 fi # Agent is configured to forget keys after X, if that happens we need to re-add before push agentHasKey "$(cat /run/secrets/ci_ed25519_pub | awk '{print $2}')" || ssh-add /run/secrets/ci_ed25519_key if ! git push; then handle_push_fail exit 1 fi else if ! nix flake check --print-build-logs; then handle_check_fail exit 1 fi fi finish_ci