Fixes GitHub Actions workflows for package automation #213

Merged
crdant merged 7 commits into main from fix/crdant/corrects-vimr-automation
Nov 8, 2025
@crdant (Owner) commented Nov 8, 2025

TL;DR

Resolves multiple cascading failures in automated package update workflows by ensuring Python dependencies are available, properly handling VimR's app bundle architecture, authenticating GitHub API requests, and removing unnecessary validation steps.

Details

The automated package update workflows were experiencing systematic failures that prevented successful execution of VimR and other package updates. These issues emerged after recent workflow enhancements and manifested as four distinct but interconnected problems that needed coordinated resolution.

The Python update scripts require the requests library to interact with GitHub's API for checking release information, but GitHub Actions runners provide only a minimal Python installation without this module. This caused immediate ModuleNotFoundError failures in all package update workflows. The solution wraps Python invocations with nix-shell -p python3 python3Packages.requests, ensuring the required dependency is available through Nix rather than relying on system Python packages.

VimR presents unique challenges as a macOS application bundle that installs to Applications/VimR.app rather than providing command-line binaries in PATH. The test script was attempting to verify a vimr binary existence and failed consistently. The fix adds VimR-specific handling with an empty BINARY_NAME, causing the script to skip binary availability checks while still validating the app bundle structure through platform-specific verification.

GitHub API authentication was missing from the update check steps, causing workflows to hit the unauthenticated rate limit of 60 requests per hour almost immediately. By exposing secrets.GITHUB_TOKEN to the Python scripts through environment variables, workflows now operate under the authenticated limit of 5000 requests per hour, essentially eliminating rate limit concerns for normal operation.

The home-manager rebuild tests were causing failures due to builtins.currentSystem being unavailable in pure evaluation mode, and represented unnecessary validation since package build tests already verify correctness. Per feedback that "we don't need to test the home manager configuration, it's sufficient to test the package", these steps were removed from all workflows, simplifying the validation pipeline and eliminating a fragile test dependency.

All changes maintain consistency across the five affected workflows (VimR, KOTS, Replicated, sbctl, and package status checks), ensuring uniform behavior and maintainability. The VimR workflow successfully executed end-to-end after these fixes, automatically creating PR #211 to update VimR from v0.58.0 to v0.59.0, demonstrating that the automation pipeline now functions reliably.

These fixes enable the automated package update system to operate without manual intervention, supporting the project's goal of keeping dependencies current through GitHub Actions automation rather than manual updates.

Related: PR #211 (VimR v0.59.0 update created by fixed workflow)

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Updates
    • VimR upgraded to v0.59.0
  • Chores
    • Enhanced package testing framework to support app bundle configurations
    • Improved post-build validation error handling and messaging
    • Streamlined CI/CD workflows for more reliable dependency provisioning
    • Simplified automated testing pipeline by removing redundant verification steps
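
The token handling this description refers to, as an added example that is not the repository's update script: it reads `GITHUB_TOKEN` from the environment, attaches it only to HTTPS requests for `api.github.com`, and reports rate limiting from the `x-ratelimit-*` response headers without printing the token. The function names are hypothetical, and the standard-library `urllib` stands in for `requests` so the block runs without extra packages.

```python
import json
import os
import time
import urllib.error
import urllib.request
from urllib.parse import urlsplit

API_HOST = "api.github.com"


def build_headers(url, env=os.environ):
    """Headers for a GitHub API call; the token is attached only for API_HOST over HTTPS."""
    headers = {
        "Accept": "application/vnd.github+json",
        # Constructed client name; GitHub's API requires a User-Agent header.
        "User-Agent": "package-update-check",
    }
    token = env.get("GITHUB_TOKEN", "").strip()
    parts = urlsplit(url)
    if token and parts.scheme == "https" and parts.hostname == API_HOST:
        headers["Authorization"] = f"Bearer {token}"
    return headers


def rate_limit_status(status, headers, now=None):
    """Classify a response from its status code and x-ratelimit-* headers."""
    now = time.time() if now is None else now
    h = {k.lower(): v for k, v in headers.items()}
    limit = int(h.get("x-ratelimit-limit", 0))
    remaining = int(h["x-ratelimit-remaining"]) if "x-ratelimit-remaining" in h else None
    reset = int(h.get("x-ratelimit-reset", 0))
    limited = status in (403, 429) and remaining == 0
    return {
        # Heuristic: 60/hour is the unauthenticated limit, so anything higher
        # means the token reached the API.
        "authenticated": limit > 60,
        "limited": limited,
        "remaining": remaining,
        "wait_seconds": max(0, int(reset - now)) if limited else 0,
    }


def latest_release_tag(repo, env=os.environ, opener=urllib.request.urlopen):
    """Return tag_name of the latest release of 'owner/name'."""
    url = f"https://{API_HOST}/repos/{repo}/releases/latest"
    # urllib re-sends request headers when it follows a redirect, so the host
    # check in build_headers covers the initial URL only.
    req = urllib.request.Request(url, headers=build_headers(url, env))
    try:
        with opener(req, timeout=15) as resp:
            return json.load(resp)["tag_name"]
    except urllib.error.HTTPError as err:
        info = rate_limit_status(err.code, dict(err.headers.items()))
        if info["limited"]:
            # The message carries the diagnosis, never the token itself.
            raise RuntimeError(
                f"rate limited; retry in {info['wait_seconds']}s "
                f"(authenticated={info['authenticated']})"
            ) from None
        raise


if __name__ == "__main__":
    # Needs network access; uses GITHUB_TOKEN if the workflow step exported it.
    print(latest_release_tag("qvacua/vimr"))
```

An `authenticated=False` result in the error is the signal that the step's `env:` block did not pass the token through to the script.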

crdant and others added 6 commits November 8, 2025 12:58
Fixes ModuleNotFoundError by using nix-shell to provide Python with
the requests package. The update scripts require requests to make
GitHub API calls, but the system Python on GitHub Actions runners
doesn't have this module installed.

Changes:
- Updated all package update workflows to use nix-shell
- Ensures Python scripts have access to the requests module
- Applies to: update-vimr, update-kots, update-replicated, update-sbctl, check-package-status

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

VimR is a macOS application bundle (.app) that installs to
Applications/, not a command-line binary. The test script was
failing because it tried to find a 'vimr' binary in PATH.

Changes:
- Added VimR case mapping with empty BINARY_NAME
- Skip binary availability check when BINARY_NAME is empty
- Existing app bundle verification in platform-specific checks
  now runs as the primary test for VimR

This allows the VimR update workflow to proceed past the test step.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

The home-manager rebuild test was failing due to flake.nix using
builtins.currentSystem in pure evaluation mode. This test is not
necessary for validating the VimR package update - the package-specific
test is sufficient.

Changes:
- Removed "Test home-manager rebuild" step
- Updated PR body template to reflect simplified validation
- Package builds and installation tests are sufficient validation

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

The Python update script checks GitHub API for new releases but
wasn't receiving the GITHUB_TOKEN, causing it to hit rate limits
quickly (60 requests/hour for unauthenticated requests).

Changes:
- Added GITHUB_TOKEN env var to "Check for VimR updates" step
- Uses secrets.GITHUB_TOKEN which is automatically available in workflows
- Increases rate limit from 60/hour to 5000/hour

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Per user feedback that "we don't need to test the home manager
configuration, it's sufficient to test the package", this removes
the home-manager rebuild test step from the remaining update workflows
(KOTS, Replicated, and sbctl) for consistency with the VimR workflow.

This test was causing failures due to builtins.currentSystem not being
available in pure evaluation mode, and testing the package directly is
sufficient validation.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

## 🔄 Automated Package Update: VimR

This is an automated update of the VimR package.

### Changes
- **Previous version**: v0.58.0-20251013.211150
- **New version**: v0.59.0-20251103.194245
- **Release notes**:
https://github.com/qvacua/vimr/releases/tag/v0.59.0-20251103.194245

### Validation
✅ Package builds successfully
✅ Installation test passed on macOS  

### Next Steps
- Review the changes and ensure they look correct
- Test the updated package in your environment
- Merge when ready

---
🤖 *This PR was created automatically by the VimR update workflow*

Co-authored-by: crdant <50028+crdant@users.noreply.github.com>

@coderabbitai coderabbitai bot commented Nov 8, 2025

Walkthrough

Adds app-bundle handling to the package test script, replaces direct Python calls in several GitHub workflows with nix-shell invocations (python3 + requests), removes home-manager rebuild test steps from update workflows, and bumps VimR to v0.59.0 with updated build and sha256.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Test script — app bundle support: .github/scripts/test-package.sh | Added a case for non-CLI app bundle (vimr) that sets BINARY_NAME empty and flags app-bundle behavior; conditionalized binary checks; extended version/help probing (--version, version, --help) and adjusted error/warning messages; preserved macOS-specific app-bundle checks. |
| Workflow nix-shell migration: .github/workflows/check-package-status.yml, .github/workflows/update-kots.yml, .github/workflows/update-replicated.yml, .github/workflows/update-sbctl.yml, .github/workflows/update-vimr.yml | Replaced direct python3 invocations with nix-shell -p python3 python3Packages.requests --run "python3 ..." and added GITHUB_TOKEN environment to relevant update steps. |
| Home-manager test removals & PR body cleanup: .github/workflows/update-kots.yml, .github/workflows/update-replicated.yml, .github/workflows/update-sbctl.yml, .github/workflows/update-vimr.yml | Removed "Test home-manager rebuild" step blocks and eliminated corresponding validation lines from PR body/content; normalized trailing spaces and bullet phrasing in PR messages. |
| VimR package bump: pkgs/vimr/default.nix | Bumped version v0.58.0 → v0.59.0, updated build timestamp, and replaced sha256 to match the new source tarball. |

Sequence Diagram(s)

sequenceDiagram
    participant Workflow as GitHub Workflow
    participant nix as nix-shell
    participant Script as test-package.sh
    participant Package as Package (vimr or other)

    Workflow->>nix: run python checks via nix-shell (python3 + requests)
    Note right of nix `#d6f5d6`: ensures dependencies available
    nix->>Workflow: exit / output

    Workflow->>Script: invoke package tests
    Script->>Script: decide package type
    alt app bundle (vimr)
        Script->>Package: skip CLI binary checks
        Script->>Package: verify .app presence (macOS)
    else CLI binary
        Script->>Package: check BINARY_NAME exists
        Script->>Package: try --version / version / --help
    end
    Script->>Workflow: report pass/fail

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

  • Areas needing closer review:
    • .github/scripts/test-package.sh — new branching for app-bundle, version/help probing, and error/warning semantics.
    • Each updated workflow — ensure nix-shell invocations preserve environment and secrets (GITHUB_TOKEN) usage and that removed home-manager steps are intentionally omitted.
    • pkgs/vimr/default.nix — verify the new sha256 corresponds to the updated source.

Poem

🐇 I hopped through scripts with a curious twitch,
Wrapped Python in nix for a cleaner stitch.
VimR polished to v0.59 with a jaunty spin,
Bundles skip binaries — a new testing win! 🎉

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately and specifically describes the main purpose of the PR: fixing GitHub Actions workflows used for automated package updates. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e8a4464 and 2732bf6.

📒 Files selected for processing (3)
  • .github/workflows/update-kots.yml (5 hunks)
  • .github/workflows/update-replicated.yml (5 hunks)
  • .github/workflows/update-sbctl.yml (3 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/update-kots.yml
🔇 Additional comments (5)
.github/workflows/update-replicated.yml (3)

25-30: ✅ GITHUB_TOKEN and nix-shell wrapper correctly added.

This resolves the critical issue flagged in the previous review. The GITHUB_TOKEN now enables authenticated GitHub API requests (5,000 requests/hour vs. 60 unauthenticated), and the nix-shell wrapper correctly provides python3 and python3Packages.requests dependencies that the update script requires.


54-57: ✅ nix-shell wrappers applied consistently across hash-calculation steps.

Both the darwin and linux vendor-hash calculations now properly invoke Python within nix-shell, ensuring the requests library is available.

Also applies to: 85-88


155-156: ✅ PR body validation text updated appropriately.

The removal of home-manager rebuild test references and the updated validation bullets reflect the workflow changes. Note: Minor formatting difference vs. update-sbctl.yml (replicated uses "both macOS and Linux" while sbctl lists platforms separately), but both approaches are valid.

.github/workflows/update-sbctl.yml (2)

30-35: ✅ GITHUB_TOKEN and nix-shell wrapper correctly added.

This resolves the critical issue flagged in the previous review. GITHUB_TOKEN enables authenticated GitHub API requests, and the nix-shell wrapper provides required Python dependencies (python3 and python3Packages.requests).


81-81: ✅ Home-manager rebuild test step removed and PR body validation updated.

The removal of the home-manager rebuild test and updated validation text (now explicitly platform-specific: "builds successfully on Linux", "builds successfully on macOS", "Installation tests passed on both platforms") properly reflect the workflow's simplified validation approach.

Also applies to: 103-105


@crdant changed the title from "fix: correct GitHub Actions automation for VimR and other package updates" to "Fixes GitHub Actions workflows for package automation" Nov 8, 2025

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 51a313f and e8a4464.

📒 Files selected for processing (7)
  • .github/scripts/test-package.sh (2 hunks)
  • .github/workflows/check-package-status.yml (1 hunks)
  • .github/workflows/update-kots.yml (5 hunks)
  • .github/workflows/update-replicated.yml (5 hunks)
  • .github/workflows/update-sbctl.yml (3 hunks)
  • .github/workflows/update-vimr.yml (2 hunks)
  • pkgs/vimr/default.nix (1 hunks)
🔇 Additional comments (17)
.github/workflows/update-vimr.yml (3)

26-27: LGTM! Authentication added to prevent rate limiting.

The GITHUB_TOKEN environment variable properly provides authentication for GitHub API calls in the update script.


29-29: LGTM! Python dependencies properly provisioned.

Using nix-shell to provide Python and the requests package ensures dependencies are available in the CI environment.


54-55: LGTM! Validation text updated correctly.

The PR validation section now accurately reflects the removed home-manager test step.

.github/workflows/update-replicated.yml (2)

28-28: LGTM! Python dependencies consistently provisioned.

All Python script invocations properly use nix-shell to provide python3 and python3Packages.requests.

Also applies to: 55-55, 86-86


153-154: LGTM! PR validation messages updated.

Validation text correctly reflects the current test coverage without home-manager tests.

.github/workflows/update-sbctl.yml (3)

30-33: Same GITHUB_TOKEN concern as in update-replicated.yml.

Similar to the comment on update-replicated.yml lines 25-28, verify if GITHUB_TOKEN should be added here to avoid rate limits when checking for updates.


33-33: LGTM! Python dependencies properly provisioned.

Using nix-shell to provide Python and the requests package ensures dependencies are available.


101-103: LGTM! Validation text updated correctly.

The PR body now accurately reflects the test coverage without home-manager tests.

.github/workflows/update-kots.yml (3)

25-28: Same GITHUB_TOKEN concern as in update-replicated.yml.

Similar to the comment on update-replicated.yml lines 25-28, verify if GITHUB_TOKEN should be added here to avoid rate limits.


28-28: LGTM! Python dependencies consistently provisioned.

All Python script invocations properly use nix-shell with python3 and python3Packages.requests.

Also applies to: 55-55, 86-86


153-154: LGTM! PR validation messages updated.

Validation text correctly reflects current test coverage.

.github/scripts/test-package.sh (3)

28-31: LGTM! VimR properly identified as app bundle.

Setting BINARY_NAME to empty for VimR correctly distinguishes it as a macOS app bundle rather than a CLI tool.


51-77: LGTM! Binary checks appropriately conditionalized.

The logic now properly skips binary availability checks for app bundles while maintaining comprehensive testing for CLI tools. The enhanced version/help checking with multiple fallback commands is thorough.


80-95: LGTM! VimR app bundle validation implemented.

The platform-specific checks for VimR properly verify:

  • macOS-only constraint
  • App bundle structure at the expected path

.github/workflows/check-package-status.yml (2)

26-26: LGTM! Python dependencies properly provisioned.

Using nix-shell to provide Python and requests package ensures dependencies are available for the package status check script.


92-93: Note: GH_TOKEN vs GITHUB_TOKEN naming.

This workflow uses GH_TOKEN while the update workflows use GITHUB_TOKEN. This is typically intentional—GH_TOKEN is the expected environment variable for the GitHub CLI (gh command), while Python scripts using the GitHub API typically use GITHUB_TOKEN. Verify this aligns with the tools being used in each context.

pkgs/vimr/default.nix (1)

5-6: LGTM! VimR updated to v0.59.0.

The version, build timestamp, and sha256 hash are all updated consistently for the VimR v0.59.0 release, as indicated in the PR objectives.

Also applies to: 10-10

Adds GITHUB_TOKEN environment variable to the update check steps in
update-kots.yml, update-replicated.yml, and update-sbctl.yml to ensure
authenticated GitHub API requests (5000/hour limit) instead of
unauthenticated requests (60/hour limit).

This prevents rate limiting issues during package update checks,
matching the fix previously applied to update-vimr.yml.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@crdant crdant merged commit 35d11dd into main Nov 8, 2025
1 check was pending
crdant added a commit that referenced this pull request Nov 8, 2025
TL;DR
-----

Resolves multiple cascading failures in automated package update
workflows by ensuring Python dependencies are available, properly
handling VimR's app bundle architecture, authenticating GitHub API
requests, and removing unnecessary validation steps.

Details
--------

The automated package update workflows were experiencing systematic
failures that prevented successful execution of VimR and other package
updates. These issues emerged after recent workflow enhancements and
manifested as four distinct but interconnected problems that needed
coordinated resolution.

The Python update scripts require the `requests` library to interact
with GitHub's API for checking release information, but GitHub Actions
runners provide only a minimal Python installation without this module.
This caused immediate `ModuleNotFoundError` failures in all package
update workflows. The solution wraps Python invocations with `nix-shell
-p python3 python3Packages.requests`, ensuring the required dependency
is available through Nix rather than relying on system Python packages.

VimR presents unique challenges as a macOS application bundle that
installs to `Applications/VimR.app` rather than providing command-line
binaries in PATH. The test script was attempting to verify a `vimr`
binary existence and failed consistently. The fix adds VimR-specific
handling with an empty `BINARY_NAME`, causing the script to skip binary
availability checks while still validating the app bundle structure
through platform-specific verification.

GitHub API authentication was missing from the update check steps,
causing workflows to hit the unauthenticated rate limit of 60 requests
per hour almost immediately. By exposing `secrets.GITHUB_TOKEN` to the
Python scripts through environment variables, workflows now operate
under the authenticated limit of 5000 requests per hour, essentially
eliminating rate limit concerns for normal operation.

The home-manager rebuild tests were causing failures due to
`builtins.currentSystem` being unavailable in pure evaluation mode, and
represented unnecessary validation since package build tests already
verify correctness. Per feedback that "we don't need to test the home
manager configuration, it's sufficient to test the package", these steps
were removed from all workflows, simplifying the validation pipeline and
eliminating a fragile test dependency.

All changes maintain consistency across the five affected workflows
(VimR, KOTS, Replicated, sbctl, and package status checks), ensuring
uniform behavior and maintainability. The VimR workflow successfully
executed end-to-end after these fixes, automatically creating PR #211 to
update VimR from v0.58.0 to v0.59.0, demonstrating that the automation
pipeline now functions reliably.

These fixes enable the automated package update system to operate
without manual intervention, supporting the project's goal of keeping
dependencies current through GitHub Actions automation rather than
manual updates.

Related: PR #211 (VimR v0.59.0 update created by fixed workflow)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Updates**
  * VimR upgraded to v0.59.0

* **Chores**
  * Enhanced package testing framework to support app bundle configurations
  * Improved post-build validation error handling and messaging
  * Streamlined CI/CD workflows for more reliable dependency provisioning
  * Simplified automated testing pipeline by removing redundant verification steps

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: crdant <50028+crdant@users.noreply.github.com>
@crdant crdant deleted the fix/crdant/corrects-vimr-automation branch November 14, 2025 22:58
crdant added a commit that referenced this pull request Nov 29, 2025