fix(ci): Run nix-update before attempting to build the branch this would fail if FOD hashes are not up-to-date

Signed-off-by: Steffen Vogel <post@steffenvogel.de>

.github/workflows/build.yaml

@@ -19,10 +19,71 @@ permissions:
   contents: write
 
 jobs:
+  nix-update:
+    name: Update Nix hashes
+    runs-on: ubuntu-24.04
+
+    outputs:
+      tag-current: ${{ steps.tags.outputs.current }}
+      tag-next: ${{ steps.tags.outputs.next }}
+      changed: ${{ steps.nix-update-hashes.outputs.changed }}
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+      with:
+        ref: ${{ github.event.pull_request.head.ref }}
+        fetch-depth: 0
+        token: ${{ secrets.PAT }}
+
+    - name: Setup Nix
+      uses: DeterminateSystems/nix-installer-action@v16
+
+    - name: Setup Nix cache
+      uses: DeterminateSystems/magic-nix-cache-action@v8
+
+    - name: Setup Git
+      run: |
+        git config --global user.name 'github-actions[bot]'
+        git config --global user.email '41898282+github-actions[bot]@users.noreply.github.com'
+
+    - name: Get current and next tag
+      id: tags
+      run: |
+        nix develop .#ci --command sh <<'EOF' | tee "$GITHUB_OUTPUT"
+          # We always increment the patch version to ensure hashes of Nix derivations are updated
+          # by our GitHub actions tag workflow which runs nix-update
+          echo next=$(svu next)
+          echo current=$(svu current)
+        EOF
+
+    - name: Update version and vendor hashes in Nix derivation
+      id: nix-update-hashes
+      run: |
+        nix develop .#ci --command sh <<'EOF'
+            VERSION="${{ steps.tags.outputs.next || steps.tags.outputs.current }}"
+
+            nix-update --flake gocov-merger
+            nix-update --flake --version ${VERSION} cunicu
+            nix-update --flake --version ${VERSION} scripts
+            nix-update --flake --version ${VERSION} --subpackage yarnOfflineCache website
+        EOF
+
+        git diff --quiet || echo "changed=true" >> "$GITHUB_OUTPUT"
+
+    - name: Commit changes
+      id: git-commit
+      if: steps.nix-update-hashes.outputs.changed == 'true'
+      run: |
+        git commit --all --signoff --message "fix(nix): Update version and hashes"
+        git push
+
   build:
     name: Build for ${{ matrix.target_os }} on ${{ matrix.target_arch }}${{ matrix.target_arch == 'arm' && format('-v{0}', matrix.arm) || ''}}${{ matrix.target_arch == 'mips' && format('-{0}', matrix.mips) || ''}}
-    if: github.event.head_commit.committer.name != 'github-actions[bot]' # Skip builds triggered by GitHub Actions, e.g. the tagging job below
+    if: needs.nix-update.outputs.changed != 'true' # Skip build if we just pushed. We wait for the workflow to be retriggered.
     runs-on: ${{ matrix.runner || 'ubuntu-24.04' }}
+    needs:
+    - nix-update
 
     strategy:
       fail-fast: false
@@ -194,7 +255,9 @@ jobs:
     name: Tag
     needs:
     - build
-    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+    - nix-update
+
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push' && needs.nix-update.outputs.tag-next != needs.nix-update.outputs.tag-current
     environment: release
     runs-on: ubuntu-24.04
 
@@ -205,49 +268,15 @@ jobs:
         fetch-depth: 0
         token: ${{ secrets.PAT }}
 
-    - name: Setup Nix
-      uses: DeterminateSystems/nix-installer-action@v16
-
-    - name: Setup Nix cache
-      uses: DeterminateSystems/magic-nix-cache-action@v8
-
     - name: Setup Git
       run: |
         git config --global user.name 'github-actions[bot]'
         git config --global user.email '41898282+github-actions[bot]@users.noreply.github.com'
 
-    - name: Get current and next tag
-      id: tags
-      run: |
-        nix develop .#ci --command sh <<'EOF' | tee "$GITHUB_OUTPUT"
-          echo next=$(svu next)
-          echo current=$(svu current)
-        EOF
-
-    - name: Update version and vendor hashes in Nix derivation
-      id: nix-update-hashes
-      run: |
-        nix develop .#ci --command sh <<'EOF'
-            VERSION="${{ steps.tags.outputs.next || steps.tags.outputs.current }}"
-
-            nix-update --flake gocov-merger
-            nix-update --flake --version ${VERSION} cunicu
-            nix-update --flake --version ${VERSION} scripts
-            nix-update --flake --version ${VERSION} --subpackage yarnOfflineCache website
-        EOF
-
-        git diff --quiet || echo "changed=true" >> "$GITHUB_OUTPUT"
-
-    - name: Commit changes
-      id: git-commit
-      if: steps.nix-update-hashes.outputs.changed == 'true'
-      run: |
-        git commit --all --signoff --message "fix(nix): Update version and hashes"
-        git push
-
     - name: Tag new release
       id: git-tag
       if: steps.tags.outputs.current != steps.tags.outputs.next
       run: |
-        git tag ${{ steps.tags.outputs.next }}
-        git push origin tag ${{ steps.tags.outputs.next }}
+        git tag ${{ needs.nix-update.outputs.tag-next }}
+        git push origin tag ${{ needs.nix-update.outputs.tag-next }}
+

.github/workflows/check.yaml

@@ -17,13 +17,11 @@ concurrency:
 
 jobs:
   reuse:
-    if: github.event.head_commit.committer.name != 'github-actions[bot]' # Skip builds triggered by GitHub Actions, e.g. the tagging job below
     uses: cunicu/.github/.github/workflows/reuse.yaml@v0.3.0
 
   flake:
     name: Check flake.lock
     runs-on: ubuntu-24.04
-    if: github.event.head_commit.committer.name != 'github-actions[bot]' # Skip builds triggered by GitHub Actions, e.g. the tagging job below
 
     steps:
     - name: Checkout