ci: add workflows for flake and automerge, update flake config

.github/settings.yml

@@ -22,38 +22,6 @@ repository:
  enable_automated_security_fixes: true
  enable_vulnerability_alerts: true
 
-labels:
- - name: bug
- color: d73a4a
- description: Something isn't working
- - name: duplicate
- color: cfd3d7
- description: This issue or pull request already exists
- - name: enhancement
- color: a2eeef
- description: New feature or request
- - name: good first issue
- color: 7057ff
- description: Good for newcomers
- - name: help wanted
- color: 008672
- description: Extra attention is needed
- - name: invalid
- color: e4e669
- description: This doesn't seem right
- - name: question
- color: d876e3
- description: Further information is requested
- - name: renovate
- color: e99695
- description: Automated action from Renovate
- - name: wontfix
- color: ffffff
- description: This will not be worked on
- - name: outdated
- color: cccccc
- description: This is out of scope and outdated
-
 branches:
  - name: master
  protection:
@@ -65,6 +33,7 @@ branches:
  enforce_admins: false
  restrictions:
  apps:
+ - webhippie
  - renovate
  users: []
  teams:

.github/workflows/automerge.yml

@@ -0,0 +1,49 @@
+---
+name: automerge
+
+"on":
+ workflow_dispatch:
+ pull_request:
+ branches:
+ - master
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ dependabot:
+ runs-on: ubuntu-latest
+ if: github.actor == 'dependabot[bot]'
+
+ steps:
+ - name: Generate token
+ id: token
+ uses: tibdex/github-app-token@v2
+ with:
+ app_id: ${{ secrets.TOKEN_EXCHANGE_APP }}
+ installation_retrieval_mode: id
+ installation_retrieval_payload: ${{ secrets.TOKEN_EXCHANGE_INSTALL }}
+ private_key: ${{ secrets.TOKEN_EXCHANGE_KEY }}
+ permissions: >-
+ {"contents": "write", "pull_requests": "write", "issues": "write"}
+
+ - name: Fetch metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@v2
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Approve request
+ id: approve
+ run: gh pr review --approve "${{github.event.pull_request.html_url}}"
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Enable automerge
+ id: automerge
+ run: gh pr merge --rebase --auto "${{github.event.pull_request.html_url}}"
+ env:
+ GH_TOKEN: ${{ steps.token.outputs.token }}
+
+...

.github/workflows/flake.yml

@@ -0,0 +1,56 @@
+---
+name: flake
+
+"on":
+ workflow_dispatch:
+ schedule:
+ - cron: "0 8 * * 1"
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ flake:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Generate token
+ id: token
+ uses: tibdex/github-app-token@v2
+ with:
+ app_id: ${{ secrets.TOKEN_EXCHANGE_APP }}
+ installation_retrieval_mode: id
+ installation_retrieval_payload: ${{ secrets.TOKEN_EXCHANGE_INSTALL }}
+ private_key: ${{ secrets.TOKEN_EXCHANGE_KEY }}
+ permissions: >-
+ {"contents": "write", "pull_requests": "write"}
+
+ - name: Checkout source
+ id: source
+ uses: actions/checkout@v4
+
+ - name: Install nix
+ id: nix
+ uses: cachix/install-nix-action@v27
+
+ - name: Update flake
+ id: flake
+ uses: DeterminateSystems/update-flake-lock@v23
+ with:
+ commit-msg: "chore(flake): updated lockfile"
+ pr-title: "chore: automated flake update"
+ pr-body: "New flakelock generated, automerge should handle that!"
+ pr-labels: renovate
+ git-author-name: GitHub Actions
+ git-author-email: [email protected]
+ token: ${{ steps.token.outputs.token }}
+
+ - name: Enable automerge
+ id: automerge
+ if: steps.flake.outputs.pull-request-operation == 'created'
+ run: gh pr merge --rebase --auto "${{ steps.flake.outputs.pull-request-number }}"
+ env:
+ GH_TOKEN: ${{ steps.token.outputs.token }}
+
+...

.gitignore

@@ -1,4 +1,6 @@
-.direnv/
+.direnv
+.devenv
+
 coverage.out
 
 /bin