update-flake-lock.yaml

---
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: update-flake-lock

on:
  workflow_dispatch:
  # schedule:
  #   - cron: '37 0 * * *'

permissions:
  actions: write
  contents: write
  pull-requests: write

jobs:
  lockfile:
    runs-on: ubuntu-latest
    steps:
      # https://github.com/marketplace/actions/create-github-app-token
      - name: Generate Token
        uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
        # if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
        id: app-token
        with:
          app-id: ${{ secrets.BOT_APP_ID }}
          private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}

      # https://github.com/marketplace/actions/checkout
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          token: "${{ steps.app-token.outputs.token }}"

      # https://github.com/marketplace/actions/the-determinate-nix-installer
      - name: Install nix
        uses: DeterminateSystems/nix-installer-action@e50d5f73bfe71c2dd0aa4218de8f4afa59f8f81d # v16

      # https://github.com/marketplace/actions/magic-nix-cache
      - name: Use cache
        uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # v8

      # https://github.com/marketplace/actions/update-nix-flake-lock
      - name: Update flake.lock
        id: update
        uses: DeterminateSystems/update-flake-lock@a2bbe0274e3a0c4194390a1e445f734c597ebc37 # v24
        with:
          path-to-flake-dir: infra/nixos
          token: ${{ steps.app-token.outputs.token }}

      # - name: Enable automerge
      #   if: ${{ steps.update.outputs.pull-request-number != '' }}
      #   run: gh pr merge --squash --auto ${{ steps.update.outputs.pull-request-number }}
      #   env:
      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: diff
        run: git diff