From e033a0048d383f744f78d1e53503d0e83a1cd354 Mon Sep 17 00:00:00 2001 From: Jesse Hallett Date: Fri, 8 Mar 2024 11:59:38 -0800 Subject: [PATCH] ci: automatically update npm dependencies hash in dependabot PRs (#100) --- .github/workflows/dependabot-post.yml | 49 +++++++++++++++++++++++++++ flake.nix | 12 +++++++ 2 files changed, 61 insertions(+) create mode 100644 .github/workflows/dependabot-post.yml diff --git a/.github/workflows/dependabot-post.yml b/.github/workflows/dependabot-post.yml new file mode 100644 index 0000000..8219245 --- /dev/null +++ b/.github/workflows/dependabot-post.yml 
@@ -0,0 +1,49 @@
+# Due to the Nix configuration we need to update a hash in test/test.nix when
+# npm dependencies change. This workflow runs on dependabot branches, and runs
+# a script that makes the necessary update after each dependabot push.
+name: Dependabot-post
+
+on:
+ push:
+ branches:
+ - "dependabot/npm_and_yarn/*"
+
+jobs:
+ update_npm_deps_hash:
+ name: Update NPM dependencies hash
+ runs-on: ubuntu-latest
+ if: github.actor == 'dependabot[bot]' || github.actor == 'dependabot-preview[bot]'
+ steps:
+ - name: Check Out Code
+ uses: actions/checkout@v3
+
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@main
+
+ - name: Configure Cache
+ uses: DeterminateSystems/magic-nix-cache-action@main
+
+ - name: Update Hash
+ run: nix run .#update-npm-deps-hash
+
+ - name: Set up Git Config
+ run: |
+ git config user.name "${GITHUB_ACTOR}"
+ git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
+ git remote set-url origin https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git
+ env:
+ GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+
+ # NOTE: Prefixing/appending commit messages with `[dependabot skip]`
+ # allows dependabot to rebase/update the pull request, force-pushing
+ # over any changes
+ - name: Commit changes
+ run: |
+ git add .
+ if [[ $(git status -s) ]]; then
+ git commit -m "build(deps): update npm dependencies hash [dependabot skip]" --no-verify
+ git push
+ echo "Pushed an update to npm dependencies hash"
+ else
+ echo "Npm dependencies hash was not changed"
+ fi
diff --git a/flake.nix b/flake.nix
index c3fc682..059c822 100644
--- a/flake.nix
+++ b/flake.nix
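Review bot: The two DeterminateSystems actions are referenced by the mutable `@main` branch (and `actions/checkout` by the movable `v3` tag) in the same job that later writes `secrets.GH_TOKEN` into `.git/config`, so whatever those refs resolve to at run time executes in a job holding a push-capable credential. Pin each one to a reviewed full commit SHA, e.g. `uses: DeterminateSystems/nix-installer-action@<full-commit-sha>  # <release tag>`, and let Dependabot's github-actions ecosystem propose the bumps. Because the push uses the separate token, a job-level `permissions:` block with `contents: read` would restrict the default token that is otherwise left at the repository default. In the commit step, `git add .` stages anything earlier steps left in the work tree; `git add test/test.nix` would limit the automated commit to the one file this workflow is meant to change. Since the run is triggered by a Dependabot push, `GH_TOKEN` presumably has to be defined as a Dependabot secret, which a comment next to the `env:` entry could record.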
@@ -12,6 +12,18 @@ { packages = eachSystem (pkgs: { default = pkgs.callPackage ./packages/git-format-staged.nix { }; + + # When npm dependencies change we need to update the dependencies hash + # in test/test.nix + update-npm-deps-hash = pkgs.writeShellApplication { + name = "update-npm-deps-hash"; + runtimeInputs = with pkgs; [ prefetch-npm-deps nix gnused ]; + text = '' + hash=$(prefetch-npm-deps package-lock.json 2>/dev/null) + echo "updated npm dependency hash: $hash" >&2 + sed -i "s|sha256-[A-Za-z0-9+/=]\+|$hash|" test/test.nix + ''; + }; }); devShells = eachSystem (pkgs: {
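Review bot: The `sed` expression rewrites the first `sha256-…` match on every line of `test/test.nix`, and `$hash` is substituted without checking that it looks like an SRI hash, so any other hash in that file, or an unexpected `prefetch-npm-deps` output, ends up in a commit that the workflow pushes automatically. Validate before editing, e.g. `[[ "$hash" =~ ^sha256-[A-Za-z0-9+/]+=*$ ]] || { echo "unexpected prefetch-npm-deps output: $hash" >&2; exit 1; }`, and anchor the pattern on the attribute that holds the npm dependencies hash (its name is not visible in this hunk). Dropping `2>/dev/null` would keep the tool's own error text in the CI log when the prefetch fails. `nix` in `runtimeInputs` is not used by the script text shown. The enclosing `packages` set opens in the context lines and the rest of the flake body lies outside the hunk.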