openclaw/nix-openclaw
openclaw/nix-openclaw
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
main
nix-openclaw/.github/workflows/yolo-update.yml
joshp123 44ae6995de Trigger CI after yolo promotion 
What:
- let the yolo promote job dispatch the CI workflow after pushing main
- grant the promote job actions:write for workflow_dispatch

Why:
- GitHub suppresses push-triggered workflows created by GITHUB_TOKEN, so yolo-promoted commits otherwise lack a CI run on the final main SHA

Tests:
- scripts/check-flake-lock-owners.sh
- node scripts/select-openclaw-release.test.mjs
- bash -n scripts/update-pins.sh
- ruby -e 'require "yaml"; ARGV.each { |f| YAML.load_file(f) }' .github/workflows/*.yml
- GITHUB_ACTIONS=true scripts/update-pins.sh select
- nix flake show --accept-flake-config

Co-authored-by: Codex <noreply@openai.com>
2026-05-07 11:04:00 +02:00

258 lines
8.8 KiB
YAML
Raw Permalink Blame History

name: Yolo Update Pins
on:
schedule:
- cron: "5 * * * *"
workflow_dispatch: {}
concurrency:
group: yolo-update-pins
cancel-in-progress: false
permissions:
contents: read
jobs:
select:
runs-on: ubuntu-latest
timeout-minutes: 15
outputs:
has_update: ${{ steps.select.outputs.has_update }}
source_tag: ${{ steps.select.outputs.source_tag }}
source_sha: ${{ steps.select.outputs.source_sha }}
source_version: ${{ steps.select.outputs.source_version }}
app_tag: ${{ steps.select.outputs.app_tag }}
app_url: ${{ steps.select.outputs.app_url }}
app_version: ${{ steps.select.outputs.app_version }}
latest_stable_tag: ${{ steps.select.outputs.latest_stable_tag }}
app_lag_releases: ${{ steps.select.outputs.app_lag_releases }}
steps:
- name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Select release
id: select
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -euo pipefail
selection="$(scripts/update-pins.sh select)"
while IFS='=' read -r key value; do
echo "${key}=${value}" >> "$GITHUB_OUTPUT"
done <<<"$selection"
has_update="$(printf '%s\n' "$selection" | awk -F= '$1 == "has_update" { print $2; exit }')"
source_tag="$(printf '%s\n' "$selection" | awk -F= '$1 == "source_tag" { print $2; exit }')"
app_tag="$(printf '%s\n' "$selection" | awk -F= '$1 == "app_tag" { print $2; exit }')"
latest_stable_tag="$(printf '%s\n' "$selection" | awk -F= '$1 == "latest_stable_tag" { print $2; exit }')"
app_lag_releases="$(printf '%s\n' "$selection" | awk -F= '$1 == "app_lag_releases" { print $2; exit }')"
{
echo "### OpenClaw release selection"
echo
echo "- Latest stable upstream release: \`${latest_stable_tag:-unknown}\`"
echo "- Selected source release: \`${source_tag:-unknown}\`"
echo "- Selected macOS app artifact: \`${app_tag:-preserve-current}\`"
echo "- Update needed: \`${has_update:-unknown}\`"
if [[ -n "${app_lag_releases:-}" ]]; then
echo "- macOS app asset lagging source release(s): \`${app_lag_releases}\`"
fi
} >> "$GITHUB_STEP_SUMMARY"
validate-linux:
needs: select
if: needs.select.outputs.has_update == 'true'
runs-on: ubuntu-latest
timeout-minutes: 60
outputs:
materialization_digest: ${{ steps.materialization.outputs.materialization_digest }}
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Install Nix
uses: cachix/install-nix-action@v31
- name: Materialize selected release
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
scripts/update-pins.sh apply \
"${{ needs.select.outputs.source_tag }}" \
"${{ needs.select.outputs.source_sha }}" \
"${{ needs.select.outputs.app_tag }}" \
"${{ needs.select.outputs.app_url }}"
- name: Record materialized diff digest
id: materialization
run: |
set -euo pipefail
digest="$(
git diff --binary -- \
nix/sources/openclaw-source.nix \
nix/packages/openclaw-app.nix \
nix/generated/openclaw-config-options.nix \
| shasum -a 256 \
| awk '{ print $1 }'
)"
echo "materialization_digest=${digest}" >> "$GITHUB_OUTPUT"
- name: Verify flake.lock owners
run: scripts/check-flake-lock-owners.sh
- name: Run Linux CI aggregator
run: timeout --foreground 50m nix build .#checks.x86_64-linux.ci --accept-flake-config
- name: Dump failing source check log
if: failure()
run: |
drv="$(nix eval --raw .#checks.x86_64-linux.source-checks.drvPath --accept-flake-config)"
nix log "$drv" | tail -n 400 || true
validate-macos:
needs: select
if: needs.select.outputs.has_update == 'true'
runs-on: macos-14
timeout-minutes: 40
outputs:
materialization_digest: ${{ steps.materialization.outputs.materialization_digest }}
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Install Nix
uses: DeterminateSystems/nix-installer-action@v22
- name: Materialize selected release
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
scripts/update-pins.sh apply \
"${{ needs.select.outputs.source_tag }}" \
"${{ needs.select.outputs.source_sha }}" \
"${{ needs.select.outputs.app_tag }}" \
"${{ needs.select.outputs.app_url }}"
- name: Record materialized diff digest
id: materialization
run: |
set -euo pipefail
digest="$(
git diff --binary -- \
nix/sources/openclaw-source.nix \
nix/packages/openclaw-app.nix \
nix/generated/openclaw-config-options.nix \
| shasum -a 256 \
| awk '{ print $1 }'
)"
echo "materialization_digest=${digest}" >> "$GITHUB_OUTPUT"
- name: Build Darwin CI aggregator
timeout-minutes: 25
run: nix build .#checks.aarch64-darwin.ci --accept-flake-config
- name: Run HM activation
timeout-minutes: 10
run: scripts/hm-activation-macos.sh
promote:
needs:
- select
- validate-linux
- validate-macos
if: needs.select.outputs.has_update == 'true'
runs-on: ubuntu-latest
timeout-minutes: 30
permissions:
actions: write
contents: write
steps:
- name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Install Nix
uses: DeterminateSystems/nix-installer-action@v22
- name: Promote selected release
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
LINUX_MATERIALIZATION_DIGEST: ${{ needs.validate-linux.outputs.materialization_digest }}
MACOS_MATERIALIZATION_DIGEST: ${{ needs.validate-macos.outputs.materialization_digest }}
run: |
set -euo pipefail
git config user.name "openclaw-ci"
git config user.email "ci@openclaw.local"
if [[ -z "$LINUX_MATERIALIZATION_DIGEST" || -z "$MACOS_MATERIALIZATION_DIGEST" ]]; then
echo "Missing validation materialization digest." >&2
exit 1
fi
if [[ "$LINUX_MATERIALIZATION_DIGEST" != "$MACOS_MATERIALIZATION_DIGEST" ]]; then
echo "Linux and macOS materialized different release diffs." >&2
echo "Linux: $LINUX_MATERIALIZATION_DIGEST" >&2
echo "macOS: $MACOS_MATERIALIZATION_DIGEST" >&2
exit 1
fi
scripts/update-pins.sh apply \
"${{ needs.select.outputs.source_tag }}" \
"${{ needs.select.outputs.source_sha }}" \
"${{ needs.select.outputs.app_tag }}" \
"${{ needs.select.outputs.app_url }}"
if git diff --quiet -- \
nix/sources/openclaw-source.nix \
nix/packages/openclaw-app.nix \
nix/generated/openclaw-config-options.nix; then
echo "No pin changes detected."
exit 0
fi
promote_digest="$(
git diff --binary -- \
nix/sources/openclaw-source.nix \
nix/packages/openclaw-app.nix \
nix/generated/openclaw-config-options.nix \
| shasum -a 256 \
| awk '{ print $1 }'
)"
if [[ "$promote_digest" != "$LINUX_MATERIALIZATION_DIGEST" ]]; then
echo "Promote materialized a different release diff than validation." >&2
echo "Validated: $LINUX_MATERIALIZATION_DIGEST" >&2
echo "Promote: $promote_digest" >&2
exit 1
fi
git add \
nix/sources/openclaw-source.nix \
nix/packages/openclaw-app.nix \
nix/generated/openclaw-config-options.nix
git commit -F - <<EOF
🤖 codex: mirror OpenClaw stable source ${{ needs.select.outputs.source_tag }}
What:
- update nix-openclaw to the latest stable OpenClaw source release
- refresh generated config options from that source
- keep the macOS app pin on the newest public app artifact
Why:
- keep source-built OpenClaw current without blocking on public macOS app asset lag
Tests:
- nix build .#checks.x86_64-linux.ci --accept-flake-config
- nix build .#checks.aarch64-darwin.ci --accept-flake-config
- scripts/hm-activation-macos.sh
EOF
git fetch origin main
git rebase origin/main
git push origin HEAD:main
gh workflow run ci.yml --ref main
Reference in New Issue View Git Blame Copy Permalink