commit 1a48ce045983887c1a1a5cbc6ec19c5999fa52a0
Author: dadada <dadada@dadada.li>
Date:   Wed Oct 18 17:43:31 2023 +0200

    Add gitlab template for updating flakes

diff --git a/gitlab-ci-nix-flake-update.yml b/gitlab-ci-nix-flake-update.yml
new file mode 100644
index 0000000..7f24d0a
--- /dev/null
+++ b/gitlab-ci-nix-flake-update.yml
@@ -0,0 +1,55 @@
+# # GitLab CI job template for `nix flake update --commit-lock-file`
+#
+# This requires a masked or protected variable `UPDATE_ACCESS_TOKEN` that contains a project access token with at least the scope `api` and `write_repository`.
+# The job is intended to be run from a scheduled pipeline. See https://docs.gitlab.com/ee/ci/pipelines/schedules.html
+#
+# ## Example
+#
+# ```
+# include:
+#   - https://gist.github.com/dadada/c9184fef6dc7b66c8e94ecf65783ce43/raw
+# nix-flake-update:
+#   variables:
+#     # The name of the branch that will have the updates.
+#     BRANCH: update-flake-inputs
+#     NOTIFY_USERS: "@admin"
+#   stage: update
+#   extends: .nix-flake-update
+# ```
+
+.nix-flake-update:
+  # NixOS Docker image
+  image: nixos/nix
+  script:
+    nix flake update --commit-lock-file
+  before_script:
+    # Enable support for flakes.
+    - echo "experimental-features = nix-command flakes" >> /etc/nix/nix.conf
+    # Use the vendored nixpkgs version.
+    - nix registry add nixpkgs path:$(readlink -f ${NIX_PATH%%:*}/nixpkgs)
+    # Install jq for processing MR.
+    - nix profile install nixpkgs#jq nixpkgs#gnused
+    # Set up git.
+    - git config user.email "noreply@${CI_SERVER_HOST}"
+    - git config user.name "Update Flakes"
+    - git remote remove gitlab_origin || true
+    - git remote add gitlab_origin "https://oauth2:${UPDATE_ACCESS_TOKEN}@${CI_SERVER_HOST}/${CI_PROJECT_PATH}.git"
+    - git fetch gitlab_origin main
+  after_script:
+    - |
+      if git diff --exit-code HEAD gitlab_origin/main
+      then
+        exit
+      fi
+      # Upload changes to merge request.
+      git push -f gitlab_origin HEAD:refs/heads/${BRANCH}
+      PROJECT_PATH="$(sed 's/\//%2F/g' <<< $CI_PROJECT_PATH)"
+      MR_ID=$(curl --silent --header "PRIVATE-TOKEN: ${UPDATE_ACCESS_TOKEN}" "${CI_API_V4_URL}/projects/${PROJECT_PATH}/merge_requests?source_branch=${BRANCH}&state=opened" | jq '.[0].id')
+      if [ "$MR_ID" = "null" ]
+      then
+        curl --fail --json "{\"source_branch\": \"$BRANCH\", \"target_branch\": \"main\", \"title\": \"Update inputs\", \"should_remove_source_branch\": true, \"description\": \"$NOTIFY_USERS\"}" --header "PRIVATE-TOKEN: ${UPDATE_ACCESS_TOKEN}" "${CI_API_V4_URL}/projects/${PROJECT_PATH}/merge_requests"
+      fi
+  rules:
+    # Only run on scheduled pipelines.
+    - if: $CI_PIPELINE_SOURCE == "schedule"
+