update zen browser to 1.19.2b

automated update of zen browser appimage version and hash

Co-authored-by: gitea actions <actions@localhost>
Reviewed-on: #5

.gitea/scripts/commit-update.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+: "${BRANCH:?BRANCH is required}"
+: "${FILE:?FILE is required}"
+: "${COMMIT_MESSAGE:?COMMIT_MESSAGE is required}"
+
+git config user.name "gitea actions"
+git config user.email "actions@localhost"
+
+git checkout -B "$BRANCH"
+git add "$FILE"
+
+if git diff --cached --quiet; then
+  echo "No staged changes for ${FILE}; skipping commit"
+  exit 0
+fi
+
+git commit -m "$COMMIT_MESSAGE"
+git push --force origin "$BRANCH"

.gitea/scripts/create-gitea-pr.sh

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+: "${GITEA_API:?GITEA_API is required}"
+: "${GITEA_TOKEN:?GITEA_TOKEN is required}"
+: "${BRANCH:?BRANCH is required}"
+: "${TITLE:?TITLE is required}"
+: "${BODY:?BODY is required}"
+
+owner_prefix="${HEAD_OWNER_PREFIX:-thomas}"
+
+existing=$(curl -fsS \
+  -H "Authorization: token ${GITEA_TOKEN}" \
+  "${GITEA_API}/pulls?state=open" \
+  | python -c 'import json,sys,os; d=json.load(sys.stdin); b=os.environ["BRANCH"]; print(next((str(pr["number"]) for pr in d if isinstance(pr,dict) and pr.get("head",{}).get("ref")==b), ""))')
+
+if [ -n "$existing" ]; then
+  echo "PR already exists: #$existing"
+  exit 0
+fi
+
+echo "Creating PR..."
+created="false"
+for head in "${BRANCH}" "${owner_prefix}:${BRANCH}"; do
+  echo "Trying head=${head}"
+  payload=$(HEAD_REF="$head" TITLE="$TITLE" BODY="$BODY" python -c 'import json,os; print(json.dumps({"title": os.environ["TITLE"], "head": os.environ["HEAD_REF"], "base": "main", "body": os.environ["BODY"]}))')
+  response=$(curl -sS -w '\n%{http_code}' -X POST \
+    -H "Authorization: token ${GITEA_TOKEN}" \
+    -H "Content-Type: application/json" \
+    "${GITEA_API}/pulls" \
+    -d "$payload")
+
+  body=$(printf '%s\n' "$response" | sed '$d')
+  code=$(printf '%s\n' "$response" | tail -n1)
+
+  echo "Create PR status: $code"
+  echo "$body"
+
+  if [ "$code" -ge 200 ] && [ "$code" -lt 300 ]; then
+    created="true"
+    break
+  fi
+done
+
+if [ "$created" != "true" ]; then
+  echo "PR creation failed"
+  exit 1
+fi

.gitea/scripts/update-appimage-nix.sh

@@ -0,0 +1,243 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+: "${FILE:?FILE is required}"
+: "${LATEST_RELEASE_URL:?LATEST_RELEASE_URL is required}"
+: "${DOWNLOAD_URL_TEMPLATE:?DOWNLOAD_URL_TEMPLATE is required}"
+: "${RELEASE_API_REPO:?RELEASE_API_REPO is required}"
+
+if command -v python >/dev/null 2>&1; then
+  PYTHON_BIN=python
+elif command -v python3 >/dev/null 2>&1; then
+  PYTHON_BIN=python3
+else
+  echo "python is required but was not found"
+  exit 1
+fi
+
+version_strip_prefix="${LATEST_VERSION_STRIP_PREFIX:-v}"
+release_tag_template="${RELEASE_TAG_TEMPLATE:-{version}}"
+release_tag_template="${release_tag_template//$'\r'/}"
+
+current_version=$($PYTHON_BIN - <<'PY'
+import re
+import os
+p=os.environ["FILE"]
+s=open(p).read()
+m=re.search(r'version\s*=\s*"([^"]+)";', s)
+print(m.group(1) if m else "")
+PY
+)
+
+latest_version=$(curl -fsSLI -o /dev/null -w '%{url_effective}' "$LATEST_RELEASE_URL" \
+  | sed -E 's#.*/##')
+
+if [ -n "$version_strip_prefix" ]; then
+  latest_version="${latest_version#${version_strip_prefix}}"
+fi
+
+echo "current=$current_version"
+echo "latest=$latest_version"
+
+if [ -z "$latest_version" ] || [ "$latest_version" = "$current_version" ]; then
+  echo "updated=false" >> "$GITHUB_OUTPUT"
+  exit 0
+fi
+
+download_url="${DOWNLOAD_URL_TEMPLATE//\{version\}/$latest_version}"
+new_hash=$(nix store prefetch-file --json "$download_url" | "$PYTHON_BIN" -c 'import json,sys; print(json.load(sys.stdin)["hash"])')
+
+export LATEST_VERSION="$latest_version"
+export NEW_HASH="$new_hash"
+
+"$PYTHON_BIN" - <<'PY'
+import os
+import re
+p=os.environ["FILE"]
+s=open(p).read()
+s=re.sub(r'version\s*=\s*"[^"]+"', f'version = "{os.environ["LATEST_VERSION"]}"', s, count=1)
+s=re.sub(r'hash\s*=\s*"[^"]+"', f'hash = "{os.environ["NEW_HASH"]}"', s, count=1)
+open(p,"w").write(s)
+PY
+
+echo "updated=true" >> "$GITHUB_OUTPUT"
+echo "version=$latest_version" >> "$GITHUB_OUTPUT"
+echo "previous_version=$current_version" >> "$GITHUB_OUTPUT"
+
+release_tag="${release_tag_template//\{version\}/$latest_version}"
+release_tag="${release_tag#\{}"
+release_tag="${release_tag%\}}"
+release_tag="${release_tag#\'}"
+release_tag="${release_tag%\'}"
+
+release_url="${LATEST_RELEASE_URL%/latest}/tag/${release_tag}"
+release_html=$(curl -fsSL "$release_url" || true)
+
+release_notes=""
+if [ -n "$release_html" ]; then
+  release_notes=$(printf '%s' "$release_html" | "$PYTHON_BIN" -c '
+import re
+import sys
+from html.parser import HTMLParser
+
+html = sys.stdin.read()
+
+m = re.search(r"<div[^>]*data-test-selector=\"body-content\"[^>]*class=\"[^\"]*markdown-body[^\"]*\"[^>]*>(.*?)</div>", html, re.S)
+if not m:
+  print("")
+  raise SystemExit(0)
+
+fragment = m.group(1)
+
+class MdExtractor(HTMLParser):
+  def __init__(self):
+    super().__init__()
+    self.out = []
+    self.list_depth = 0
+    self.in_pre = False
+    self.in_code_inline = False
+    self.link_stack = []
+
+  def _append(self, text):
+    self.out.append(text)
+
+  def _ensure_newline(self):
+    if not self.out:
+      return
+    if not self.out[-1].endswith("\n"):
+      self.out.append("\n")
+
+  def _ensure_blank_line(self):
+    if not self.out:
+      return
+    joined = "".join(self.out)
+    if joined.endswith("\n\n"):
+      return
+    if joined.endswith("\n"):
+      self.out.append("\n")
+    else:
+      self.out.append("\n\n")
+
+  def handle_starttag(self, tag, attrs):
+    attrs_d = dict(attrs)
+
+    if tag in ("h1", "h2", "h3", "h4", "h5", "h6"):
+      self._ensure_blank_line()
+      level = int(tag[1])
+      self._append("#" * level + " ")
+      return
+
+    if tag in ("p", "div"):
+      self._ensure_blank_line()
+      return
+
+    if tag in ("ul", "ol"):
+      self._ensure_blank_line()
+      self.list_depth += 1
+      return
+
+    if tag == "li":
+      self._ensure_newline()
+      indent = "  " * max(self.list_depth - 1, 0)
+      self._append(f"{indent}- ")
+      return
+
+    if tag == "br":
+      self._append("\n")
+      return
+
+    if tag == "pre":
+      self._ensure_blank_line()
+      self._append("```\n")
+      self.in_pre = True
+      return
+
+    if tag == "code":
+      if not self.in_pre:
+        self._append("`")
+        self.in_code_inline = True
+      return
+
+    if tag == "a":
+      href = attrs_d.get("href", "")
+      self.link_stack.append(href)
+      self._append("[")
+      return
+
+    if tag in ("strong", "b"):
+      self._append("**")
+      return
+
+    if tag in ("em", "i"):
+      self._append("*")
+      return
+
+  def handle_endtag(self, tag):
+    if tag in ("h1", "h2", "h3", "h4", "h5", "h6", "p", "div"):
+      self._ensure_blank_line()
+      return
+
+    if tag in ("ul", "ol"):
+      self.list_depth = max(self.list_depth - 1, 0)
+      self._ensure_blank_line()
+      return
+
+    if tag == "li":
+      self._ensure_newline()
+      return
+
+    if tag == "pre":
+      self._ensure_newline()
+      self._append("```\n\n")
+      self.in_pre = False
+      return
+
+    if tag == "code":
+      if not self.in_pre and self.in_code_inline:
+        self._append("`")
+        self.in_code_inline = False
+      return
+
+    if tag == "a":
+      href = self.link_stack.pop() if self.link_stack else ""
+      if href:
+        self._append("]("
+          + href
+          + ")")
+      else:
+        self._append("]")
+      return
+
+    if tag in ("strong", "b"):
+      self._append("**")
+      return
+
+    if tag in ("em", "i"):
+      self._append("*")
+      return
+
+  def handle_data(self, data):
+    if data:
+      self._append(data)
+
+parser = MdExtractor()
+parser.feed(fragment)
+text = "".join(parser.out)
+text = re.sub(r"\n{3,}", "\n\n", text)
+text = re.sub(r"[ \t]+\n", "\n", text)
+print(text.strip())
+' || true)
+else
+  echo "warning: failed to fetch release page ${release_url}"
+fi
+
+if [ -z "$release_notes" ]; then
+  release_notes="_No changelog found on upstream release page. Check ${release_url}._"
+fi
+
+delimiter="CHANGELOG_$(date +%s%N)"
+{
+  echo "changelog<<${delimiter}"
+  printf '%s\n' "$release_notes"
+  echo "${delimiter}"
+} >> "$GITHUB_OUTPUT"

.gitea/workflows/handy-update.yml

@@ -21,119 +21,55 @@ jobs:
 
       - name: check latest handy release and update file
         id: update
+        env:
+          FILE: modules/pkgs/handy.nix
+          LATEST_RELEASE_URL: https://github.com/cjpais/Handy/releases/latest
+          DOWNLOAD_URL_TEMPLATE: https://github.com/cjpais/Handy/releases/download/v{version}/Handy_{version}_amd64.AppImage
+          RELEASE_API_REPO: cjpais/Handy
+          RELEASE_TAG_TEMPLATE: v{version}
+          GITHUB_TOKEN: ${{ secrets.github_token || secrets.GITHUB_TOKEN }}
         shell: bash
-        run: |
+        run: bash .gitea/scripts/update-appimage-nix.sh
-          set -euo pipefail
-
-          FILE="modules/pkgs/handy.nix"
-
-          current_version=$(python - <<'PY'
-          import re
-          s=open('modules/pkgs/handy.nix').read()
-          m=re.search(r'version\s*=\s*"([^"]+)";', s)
-          print(m.group(1) if m else "")
-          PY
-          )
-
-          latest_version=$(curl -fsSLI -o /dev/null -w '%{url_effective}' \
-            'https://github.com/cjpais/Handy/releases/latest' \
-            | sed -E 's#.*/##' \
-            | sed 's/^v//')
-
-          echo "current=$current_version"
-          echo "latest=$latest_version"
-
-          if [ -z "$latest_version" ] || [ "$latest_version" = "$current_version" ]; then
-            echo "updated=false" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          url="https://github.com/cjpais/Handy/releases/download/v${latest_version}/Handy_${latest_version}_amd64.AppImage"
-          new_hash=$(nix store prefetch-file --json "$url" | python -c 'import json,sys; print(json.load(sys.stdin)["hash"])')
-
-          export LATEST_VERSION="$latest_version"
-          export NEW_HASH="$new_hash"
-
-          python - <<PY
-          import re
-          import os
-          p='modules/pkgs/handy.nix'
-          s=open(p).read()
-          s=re.sub(r'version\s*=\s*"[^"]+"', f'version = "{os.environ["LATEST_VERSION"]}"', s, count=1)
-          s=re.sub(r'hash\s*=\s*"[^"]+"', f'hash = "{os.environ["NEW_HASH"]}"', s, count=1)
-          open(p,'w').write(s)
-          PY
-
-          echo "updated=true" >> "$GITHUB_OUTPUT"
-          echo "version=$latest_version" >> "$GITHUB_OUTPUT"
 
       - name: create branch and commit
         if: steps.update.outputs.updated == 'true'
         shell: bash
         run: |
           set -euo pipefail
-          branch="bot/handy-${{ steps.update.outputs.version }}"
+          version="${{ steps.update.outputs.version }}"
 
-          git config user.name "gitea actions"
+          BRANCH="bot/handy-${version}" \
-          git config user.email "actions@localhost"
+          FILE="modules/pkgs/handy.nix" \
-
+          COMMIT_MESSAGE="update handy to ${version}" \
-          git checkout -B "$branch"
+          bash .gitea/scripts/commit-update.sh
-          git add modules/pkgs/handy.nix
-          git commit -m "update handy to ${{ steps.update.outputs.version }}"
-          git push --force origin "$branch"
 
       - name: open pull request
         if: steps.update.outputs.updated == 'true'
         env:
           GITEA_TOKEN: ${{ secrets.tea_token || secrets.TEA_TOKEN }}
+          CHANGELOG: ${{ steps.update.outputs.changelog }}
         shell: bash
         run: |
           set -euo pipefail
 
-          api="https://gitea.unrail.xyz/api/v1/repos/thomas/nixos-config"
+          version="${{ steps.update.outputs.version }}"
-          branch="bot/handy-${{ steps.update.outputs.version }}"
+          previous_version="${{ steps.update.outputs.previous_version }}"
+          release_url="https://github.com/cjpais/Handy/releases/tag/v${version}"
 
-          if [ -z "${GITEA_TOKEN:-}" ]; then
+          pr_body=$(cat <<EOF
-            echo "GITEA_TOKEN is empty (check repo secret tea_token/TEA_TOKEN)"
+          automated update of handy appimage version and hash
-            exit 1
-          fi
 
-          echo "Checking for existing PRs..."
+          ## changelog
-          existing=$(curl -fsS \
+          from \`${previous_version}\` to \`${version}\`
-            -H "Authorization: token ${GITEA_TOKEN}" \
-            "${api}/pulls?state=open" \
-            | python -c 'import json,sys; d=json.load(sys.stdin); b="'"$branch"'"; print(next((str(pr["number"]) for pr in d if isinstance(pr,dict) and pr.get("head",{}).get("ref")==b), ""))')
 
-          if [ -n "$existing" ]; then
+          upstream release: ${release_url}
-            echo "PR already exists: #$existing"
-            exit 0
-          fi
 
-          echo "Creating PR..."
+          ${CHANGELOG}
-          created="false"
+          EOF
-          for head in "${branch}" "thomas:${branch}"; do
+          )
-            echo "Trying head=${head}"
-            payload=$(printf '{"title":"update handy to %s","head":"%s","base":"main","body":"automated update of handy appimage version and hash"}' \
-              "${{ steps.update.outputs.version }}" "$head")
-            response=$(curl -sS -w '\n%{http_code}' -X POST \
-              -H "Authorization: token ${GITEA_TOKEN}" \
-              -H "Content-Type: application/json" \
-              "${api}/pulls" \
-              -d "$payload")
 
-            body=$(printf '%s\n' "$response" | sed '$d')
+          GITEA_API="https://gitea.unrail.xyz/api/v1/repos/thomas/nixos-config" \
-            code=$(printf '%s\n' "$response" | tail -n1)
+          BRANCH="bot/handy-${version}" \
-
+          TITLE="update handy to ${version}" \
-            echo "Create PR status: $code"
+          BODY="$pr_body" \
-            echo "$body"
+          bash .gitea/scripts/create-gitea-pr.sh
-
-            if [ "$code" -ge 200 ] && [ "$code" -lt 300 ]; then
-              created="true"
-              break
-            fi
-          done
-
-          if [ "$created" != "true" ]; then
-            echo "PR creation failed"
-            exit 1
-          fi

.gitea/workflows/helium-update.yml

@@ -21,120 +21,55 @@ jobs:
 
       - name: check latest helium release and update file
         id: update
+        env:
+          FILE: modules/pkgs/helium.nix
+          LATEST_RELEASE_URL: https://github.com/imputnet/helium-linux/releases/latest
+          DOWNLOAD_URL_TEMPLATE: https://github.com/imputnet/helium-linux/releases/download/{version}/helium-{version}-x86_64.AppImage
+          RELEASE_API_REPO: imputnet/helium-linux
+          RELEASE_TAG_TEMPLATE: '{version}'
+          GITHUB_TOKEN: ${{ secrets.github_token || secrets.GITHUB_TOKEN }}
         shell: bash
-        run: |
+        run: bash .gitea/scripts/update-appimage-nix.sh
-          set -euo pipefail
-
-          FILE="modules/pkgs/helium.nix"
-
-          current_version=$(python - <<'PY'
-          import re
-          p='modules/pkgs/helium.nix'
-          s=open(p).read()
-          m=re.search(r'version\s*=\s*"([^"]+)";', s)
-          print(m.group(1) if m else "")
-          PY
-          )
-
-          latest_version=$(curl -fsSLI -o /dev/null -w '%{url_effective}' \
-            'https://github.com/imputnet/helium-linux/releases/latest' \
-            | sed -E 's#.*/##' \
-            | sed 's/^v//')
-
-          echo "current=$current_version"
-          echo "latest=$latest_version"
-
-          if [ -z "$latest_version" ] || [ "$latest_version" = "$current_version" ]; then
-            echo "updated=false" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          url="https://github.com/imputnet/helium-linux/releases/download/${latest_version}/helium-${latest_version}-x86_64.AppImage"
-          new_hash=$(nix store prefetch-file --json "$url" | python -c 'import json,sys; print(json.load(sys.stdin)["hash"])')
-
-          export LATEST_VERSION="$latest_version"
-          export NEW_HASH="$new_hash"
-
-          python - <<PY
-          import re
-          import os
-          p='modules/pkgs/helium.nix'
-          s=open(p).read()
-          s=re.sub(r'version\s*=\s*"[^"]+"', f'version = "{os.environ["LATEST_VERSION"]}"', s, count=1)
-          s=re.sub(r'hash\s*=\s*"[^"]+"', f'hash = "{os.environ["NEW_HASH"]}"', s, count=1)
-          open(p,'w').write(s)
-          PY
-
-          echo "updated=true" >> "$GITHUB_OUTPUT"
-          echo "version=$latest_version" >> "$GITHUB_OUTPUT"
 
       - name: create branch and commit
         if: steps.update.outputs.updated == 'true'
         shell: bash
         run: |
           set -euo pipefail
-          branch="bot/helium-${{ steps.update.outputs.version }}"
+          version="${{ steps.update.outputs.version }}"
 
-          git config user.name "gitea actions"
+          BRANCH="bot/helium-${version}" \
-          git config user.email "actions@localhost"
+          FILE="modules/pkgs/helium.nix" \
-
+          COMMIT_MESSAGE="update helium to ${version}" \
-          git checkout -B "$branch"
+          bash .gitea/scripts/commit-update.sh
-          git add modules/pkgs/helium.nix
-          git commit -m "update helium to ${{ steps.update.outputs.version }}"
-          git push --force origin "$branch"
 
       - name: open pull request
         if: steps.update.outputs.updated == 'true'
         env:
           GITEA_TOKEN: ${{ secrets.tea_token || secrets.TEA_TOKEN }}
+          CHANGELOG: ${{ steps.update.outputs.changelog }}
         shell: bash
         run: |
           set -euo pipefail
 
-          api="https://gitea.unrail.xyz/api/v1/repos/thomas/nixos-config"
+          version="${{ steps.update.outputs.version }}"
-          branch="bot/helium-${{ steps.update.outputs.version }}"
+          previous_version="${{ steps.update.outputs.previous_version }}"
+          release_url="https://github.com/imputnet/helium-linux/releases/tag/${version}"
 
-          if [ -z "${GITEA_TOKEN:-}" ]; then
+          pr_body=$(cat <<EOF
-            echo "GITEA_TOKEN is empty (check repo secret tea_token/TEA_TOKEN)"
+          automated update of helium appimage version and hash
-            exit 1
-          fi
 
-          # Skip if PR for this branch already exists
+          ## changelog
-          existing=$(curl -fsS \
+          from \`${previous_version}\` to \`${version}\`
-            -H "Authorization: token ${GITEA_TOKEN}" \
-            "${api}/pulls?state=open" \
-            | python -c 'import json,sys; d=json.load(sys.stdin); b="'"$branch"'"; print(next((str(pr["number"]) for pr in d if pr.get("head",{}).get("ref")==b), ""))')
 
-          if [ -n "$existing" ]; then
+          upstream release: ${release_url}
-            echo "PR already exists: #$existing"
-            exit 0
-          fi
 
-          echo "Creating PR..."
+          ${CHANGELOG}
-          created="false"
+          EOF
-          for head in "${branch}" "thomas:${branch}"; do
+          )
-            echo "Trying head=${head}"
-            payload=$(printf '{"title":"update helium to %s","head":"%s","base":"main","body":"automated update of helium appimage version and hash"}' \
-              "${{ steps.update.outputs.version }}" "$head")
-            response=$(curl -sS -w '\n%{http_code}' -X POST \
-              -H "Authorization: token ${GITEA_TOKEN}" \
-              -H "Content-Type: application/json" \
-              "${api}/pulls" \
-              -d "$payload")
 
-            body=$(printf '%s\n' "$response" | sed '$d')
+          GITEA_API="https://gitea.unrail.xyz/api/v1/repos/thomas/nixos-config" \
-            code=$(printf '%s\n' "$response" | tail -n1)
+          BRANCH="bot/helium-${version}" \
-
+          TITLE="update helium to ${version}" \
-            echo "Create PR status: $code"
+          BODY="$pr_body" \
-            echo "$body"
+          bash .gitea/scripts/create-gitea-pr.sh
-
-            if [ "$code" -ge 200 ] && [ "$code" -lt 300 ]; then
-              created="true"
-              break
-            fi
-          done
-
-          if [ "$created" != "true" ]; then
-            echo "PR creation failed"
-            exit 1
-          fi

.gitea/workflows/zen-browser-update.yml

@@ -21,118 +21,55 @@ jobs:
 
       - name: check latest zen browser release and update file
         id: update
+        env:
+          FILE: modules/pkgs/zen-browser.nix
+          LATEST_RELEASE_URL: https://github.com/zen-browser/desktop/releases/latest
+          DOWNLOAD_URL_TEMPLATE: https://github.com/zen-browser/desktop/releases/download/{version}/zen-x86_64.AppImage
+          RELEASE_API_REPO: zen-browser/desktop
+          RELEASE_TAG_TEMPLATE: '{version}'
+          GITHUB_TOKEN: ${{ secrets.github_token || secrets.GITHUB_TOKEN }}
         shell: bash
-        run: |
+        run: bash .gitea/scripts/update-appimage-nix.sh
-          set -euo pipefail
-
-          FILE="modules/pkgs/zen-browser.nix"
-
-          current_version=$(python - <<'PY'
-          import re
-          s=open('modules/pkgs/zen-browser.nix').read()
-          m=re.search(r'version\s*=\s*"([^"]+)";', s)
-          print(m.group(1) if m else "")
-          PY
-          )
-
-          latest_version=$(curl -fsSLI -o /dev/null -w '%{url_effective}' \
-            'https://github.com/zen-browser/desktop/releases/latest' \
-            | sed -E 's#.*/##' \
-            | sed 's/^v//')
-
-          echo "current=$current_version"
-          echo "latest=$latest_version"
-
-          if [ -z "$latest_version" ] || [ "$latest_version" = "$current_version" ]; then
-            echo "updated=false" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          url="https://github.com/zen-browser/desktop/releases/download/${latest_version}/zen-x86_64.AppImage"
-          new_hash=$(nix store prefetch-file --json "$url" | python -c 'import json,sys; print(json.load(sys.stdin)["hash"])')
-
-          export LATEST_VERSION="$latest_version"
-          export NEW_HASH="$new_hash"
-
-          python - <<PY
-          import re
-          import os
-          p='modules/pkgs/zen-browser.nix'
-          s=open(p).read()
-          s=re.sub(r'version\s*=\s*"[^"]+"', f'version = "{os.environ["LATEST_VERSION"]}"', s, count=1)
-          s=re.sub(r'hash\s*=\s*"[^"]+"', f'hash = "{os.environ["NEW_HASH"]}"', s, count=1)
-          open(p,'w').write(s)
-          PY
-
-          echo "updated=true" >> "$GITHUB_OUTPUT"
-          echo "version=$latest_version" >> "$GITHUB_OUTPUT"
 
       - name: create branch and commit
         if: steps.update.outputs.updated == 'true'
         shell: bash
         run: |
           set -euo pipefail
-          branch="bot/zen-browser-${{ steps.update.outputs.version }}"
+          version="${{ steps.update.outputs.version }}"
 
-          git config user.name "gitea actions"
+          BRANCH="bot/zen-browser-${version}" \
-          git config user.email "actions@localhost"
+          FILE="modules/pkgs/zen-browser.nix" \
-
+          COMMIT_MESSAGE="update zen browser to ${version}" \
-          git checkout -B "$branch"
+          bash .gitea/scripts/commit-update.sh
-          git add modules/pkgs/zen-browser.nix
-          git commit -m "update zen browser to ${{ steps.update.outputs.version }}"
-          git push --force origin "$branch"
 
       - name: open pull request
         if: steps.update.outputs.updated == 'true'
         env:
           GITEA_TOKEN: ${{ secrets.tea_token || secrets.TEA_TOKEN }}
+          CHANGELOG: ${{ steps.update.outputs.changelog }}
         shell: bash
         run: |
           set -euo pipefail
 
-          api="https://gitea.unrail.xyz/api/v1/repos/thomas/nixos-config"
+          version="${{ steps.update.outputs.version }}"
-          branch="bot/zen-browser-${{ steps.update.outputs.version }}"
+          previous_version="${{ steps.update.outputs.previous_version }}"
+          release_url="https://github.com/zen-browser/desktop/releases/tag/${version}"
 
-          if [ -z "${GITEA_TOKEN:-}" ]; then
+          pr_body=$(cat <<EOF
-            echo "GITEA_TOKEN is empty (check repo secret tea_token/TEA_TOKEN)"
+          automated update of zen browser appimage version and hash
-            exit 1
-          fi
 
-          existing=$(curl -fsS \
+          ## changelog
-            -H "Authorization: token ${GITEA_TOKEN}" \
+          from \`${previous_version}\` to \`${version}\`
-            "${api}/pulls?state=open" \
-            | python -c 'import json,sys; d=json.load(sys.stdin); b="'"$branch"'"; print(next((str(pr["number"]) for pr in d if isinstance(pr,dict) and pr.get("head",{}).get("ref")==b), ""))')
 
-          if [ -n "$existing" ]; then
+          upstream release: ${release_url}
-            echo "PR already exists: #$existing"
-            exit 0
-          fi
 
-          echo "Creating PR..."
+          ${CHANGELOG}
-          created="false"
+          EOF
-          for head in "${branch}" "thomas:${branch}"; do
+          )
-            echo "Trying head=${head}"
-            payload=$(printf '{"title":"update zen browser to %s","head":"%s","base":"main","body":"automated update of zen browser appimage version and hash"}' \
-              "${{ steps.update.outputs.version }}" "$head")
-            response=$(curl -sS -w '\n%{http_code}' -X POST \
-              -H "Authorization: token ${GITEA_TOKEN}" \
-              -H "Content-Type: application/json" \
-              "${api}/pulls" \
-              -d "$payload")
 
-            body=$(printf '%s\n' "$response" | sed '$d')
+          GITEA_API="https://gitea.unrail.xyz/api/v1/repos/thomas/nixos-config" \
-            code=$(printf '%s\n' "$response" | tail -n1)
+          BRANCH="bot/zen-browser-${version}" \
-
+          TITLE="update zen browser to ${version}" \
-            echo "Create PR status: $code"
+          BODY="$pr_body" \
-            echo "$body"
+          bash .gitea/scripts/create-gitea-pr.sh
-
-            if [ "$code" -ge 200 ] && [ "$code" -lt 300 ]; then
-              created="true"
-              break
-            fi
-          done
-
-          if [ "$created" != "true" ]; then
-            echo "PR creation failed"
-            exit 1
-          fi

modules/development.nix

@@ -2,13 +2,16 @@
   flake.nixosModules.development = {pkgs, ...}: {
     environment.systemPackages = with pkgs; [
       nodejs_24
+      go
 
       nixfmt
       zellij
       nixd
       git
+      jujutsu
       lazygit
       pnpm
+      ni
 
       # LSPs and formatters (previously via Mason)
       stylua
@@ -16,7 +19,9 @@
       pyright
       vscode-langservers-extracted # includes css-lsp, eslint-lsp, html-lsp, json-lsp
       tailwindcss-language-server
+      svelte-language-server
       biome
+      typescript-go
 
       # Treesitter CLI + C compiler for building grammars
       tree-sitter

modules/hosts/nixos.nix

@@ -1,80 +1,100 @@
-{ inputs, self, config, ... }: {
+{
+  inputs,
+  self,
+  config,
+  ...
+}: {
+  flake.nixosModules.nixos-host = {pkgs, ...}: {
+    imports = [
+      ../../hardware-configuration.nix
+    ];
 
-flake.nixosModules.nixos-host = {pkgs, ...}: {
+    # Bootloader
-  imports = [
+    boot.loader.systemd-boot.enable = true;
-    ../../hardware-configuration.nix
+    boot.loader.efi.canTouchEfiVariables = true;
-  ];
 
-  # Bootloader
+    # Use latest kernel
-  boot.loader.systemd-boot.enable = true;
+    boot.kernelPackages = pkgs.linuxPackages_latest;
-  boot.loader.efi.canTouchEfiVariables = true;
 
-  # Use latest kernel
+    # Custom EDID override for Samsung 240Hz on DP-1
-  boot.kernelPackages = pkgs.linuxPackages_latest;
+    boot.kernelParams = ["drm.edid_firmware=DP-1:edid/g80.bin"];
+    hardware.firmware = [
+      (pkgs.runCommandNoCC "g80-edid-firmware" {} ''
+        install -Dm444 ${../assets/edid/g80.bin} $out/lib/firmware/edid/g80.bin
+      '')
+    ];
 
-  # Hostname
+    # Hostname
-  networking.hostName = "nixos";
+    networking.hostName = "nixos";
 
-  # Networking
+    # Networking
-  networking.networkmanager.enable = true;
+    networking.networkmanager.enable = true;
 
-  # Time zone
+    # Time zone
-  time.timeZone = "Europe/Lisbon";
+    time.timeZone = "Europe/Lisbon";
 
-  # Locale
+    # Locale
-  i18n.defaultLocale = "en_GB.UTF-8";
+    i18n.defaultLocale = "en_GB.UTF-8";
-  i18n.extraLocaleSettings = {
+    i18n.extraLocaleSettings = {
-    LC_ADDRESS = "pt_PT.UTF-8";
+      LC_ADDRESS = "pt_PT.UTF-8";
-    LC_IDENTIFICATION = "pt_PT.UTF-8";
+      LC_IDENTIFICATION = "pt_PT.UTF-8";
-    LC_MEASUREMENT = "pt_PT.UTF-8";
+      LC_MEASUREMENT = "pt_PT.UTF-8";
-    LC_MONETARY = "pt_PT.UTF-8";
+      LC_MONETARY = "pt_PT.UTF-8";
-    LC_NAME = "pt_PT.UTF-8";
+      LC_NAME = "pt_PT.UTF-8";
-    LC_NUMERIC = "pt_PT.UTF-8";
+      LC_NUMERIC = "pt_PT.UTF-8";
-    LC_PAPER = "pt_PT.UTF-8";
+      LC_PAPER = "pt_PT.UTF-8";
-    LC_TELEPHONE = "pt_PT.UTF-8";
+      LC_TELEPHONE = "pt_PT.UTF-8";
-    LC_TIME = "pt_PT.UTF-8";
+      LC_TIME = "pt_PT.UTF-8";
+    };
+
+    # Printing
+    services.printing.enable = true;
+
+    # Audio
+    services.pulseaudio.enable = false;
+    security.rtkit.enable = true;
+    services.pipewire = {
+      enable = true;
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      pulse.enable = true;
+    };
+
+    # SSH
+    services.openssh = {
+      enable = true;
+      settings = {
+        PermitRootLogin = "no";
+      };
+    };
+
+    # User account
+    users.users.${config.username} = {
+      isNormalUser = true;
+      description = "Thomas Gouveia Lopes";
+      extraGroups = ["networkmanager" "wheel"];
+    };
+
+    # Programs
+
+    # Allow unfree
+    nixpkgs.config.allowUnfree = true;
+
+    # Enable flakes
+    nix.settings.experimental-features = ["nix-command" "flakes"];
+
+    # Auto-unlock gnome-keyring on login
+    security.pam.services.login.enableGnomeKeyring = true;
+    security.pam.services.gdm.enableGnomeKeyring = true;
+    security.pam.services.gdm-password.enableGnomeKeyring = true;
+
+    # State version
+    system.stateVersion = "25.11";
+
+    fileSystems."/mnt/endeavour" = {
+      device = "/dev/disk/by-uuid/a32ca052-12a5-4355-bd3b-b4515d9ea4a5";
+      fsType = "ext4";
+      options = ["defaults" "noatime"];
+    };
   };
-
-  # Printing
-  services.printing.enable = true;
-
-  # Audio
-  services.pulseaudio.enable = false;
-  security.rtkit.enable = true;
-  services.pipewire = {
-    enable = true;
-    alsa.enable = true;
-    alsa.support32Bit = true;
-    pulse.enable = true;
-  };
-
-  # User account
-  users.users.${config.username} = {
-    isNormalUser = true;
-    description = "Thomas Gouveia Lopes";
-    extraGroups = [ "networkmanager" "wheel" ];
-  };
-
-  # Programs
-
-  # Allow unfree
-  nixpkgs.config.allowUnfree = true;
-
-  # Enable flakes
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
-
-  # Auto-unlock gnome-keyring on login
-  security.pam.services.login.enableGnomeKeyring = true;
-  security.pam.services.gdm.enableGnomeKeyring = true;
-  security.pam.services.gdm-password.enableGnomeKeyring = true;
-
-  # State version
-  system.stateVersion = "25.11";
-
-	fileSystems."/mnt/endeavour" = {
-	 device = "/dev/disk/by-uuid/a32ca052-12a5-4355-bd3b-b4515d9ea4a5";
-	 fsType = "ext4";
-	 options = [ "defaults" "noatime" ];
-	};
-};
 }

modules/packages.nix

@@ -1,8 +1,4 @@
-{
+{self, ...}: {
-  inputs,
-  self,
-  ...
-}: {
   flake.nixosModules.packages = {pkgs, ...}: {
     environment.systemPackages = with pkgs; [
       fd
@@ -12,6 +8,10 @@
       alacritty
       fzf
       autojump
+      yazi
+      ueberzugpp
+      chafa
+      wl-clipboard
       pulseaudio
       legcord
       quickshell
@@ -20,6 +20,10 @@
       feishin
       obsidian
       self.packages.${pkgs.stdenv.hostPlatform.system}.handy
+      mpv
+      ffmpeg
+      tmux
+      obs-studio
     ];
   };
 }

modules/pkgs/handy.nix

@@ -2,11 +2,11 @@
   perSystem = {pkgs, ...}: {
     packages.handy = pkgs.appimageTools.wrapType2 rec {
       pname = "handy";
-      version = "0.7.9";
+      version = "0.7.10";
 
       src = pkgs.fetchurl {
         url = "https://github.com/cjpais/Handy/releases/download/v${version}/Handy_${version}_amd64.AppImage";
-        hash = "sha256-iSibRpme8xJfumhjJ2LzkrtFwV8j9nHajMnBygBFLz4=";
+        hash = "sha256-vBOcXCCJr9D0u0h27nN4XLPPngx4m+toAfi6O6Fuojk=";
       };
 
       extraInstallCommands = let

modules/pkgs/zen-browser.nix

@@ -1,29 +1,41 @@
-{ ... }: {
+{lib, ...}: {
-  perSystem = { pkgs, ... }: {
+  perSystem = {pkgs, ...}: let
-    packages.zen-browser = pkgs.appimageTools.wrapType2 rec {
+    pname = "zen-browser";
-      pname = "zen-browser";
+    version = "1.19.2b";
-      version = "1.19.1b";
 
-      src = pkgs.fetchurl {
+    src = pkgs.fetchurl {
-        url = "https://github.com/zen-browser/desktop/releases/download/${version}/zen-x86_64.AppImage";
+      url = "https://github.com/zen-browser/desktop/releases/download/${version}/zen-x86_64.AppImage";
-        hash = "sha256-h3lza2C+SxptpcX897Uf/nM8dNILUBXScSNQZlvSIQg=";
+      hash = "sha256-lDn7rIYDgmyUnc3PdIASXfpXBXASL6TEdzyZfT716cI=";
-      };
+    };
 
-      extraInstallCommands = let
+    appimageContents = pkgs.appimageTools.extract {inherit pname version src;};
-        contents = pkgs.appimageTools.extract { inherit pname version src; };
+  in {
-      in ''
+    packages.zen-browser = pkgs.appimageTools.wrapType2 {
-        desktop_file=$(find ${contents} -name "*.desktop" | head -n1)
+      inherit pname version src;
+
+      extraPkgs = pkgs: [pkgs.ffmpeg-full];
+
+      extraInstallCommands = ''
+        desktop_file=$(find ${appimageContents} -name "*.desktop" | head -n1)
         if [ -n "$desktop_file" ]; then
           install -m 444 -D "$desktop_file" "$out/share/applications/${pname}.desktop"
-          # The desktop file uses 'zen' as the binary name
           substituteInPlace "$out/share/applications/${pname}.desktop" \
             --replace 'Exec=zen' 'Exec=${pname}'
         fi
 
-        if [ -d ${contents}/usr/share/icons ]; then
+        if [ -d ${appimageContents}/usr/share/icons ]; then
-          cp -r ${contents}/usr/share/icons $out/share
+          cp -r ${appimageContents}/usr/share/icons $out/share
         fi
+
+        ln -s $out/bin/${pname} $out/bin/zen
       '';
+
+      meta = {
+        description = "Experience tranquillity while browsing the web without people tracking you!";
+        homepage = "https://zen-browser.app";
+        license = lib.licenses.mpl20;
+        platforms = ["x86_64-linux"];
+      };
     };
   };
 }