5 files changed, 78 insertions, 43 deletions

diff --git a/.github/workflows/autobot.yaml b/.github/workflows/autobot.yaml
deleted file mode 100644
index 760d835..0000000
--- a/.github/workflows/autobot.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-name: Auto-merge Dependabot
-
-on: pull_request
-
-jobs:
-  automerge:
-    name: Check and auto-merge
-    runs-on: ubuntu-latest
-
-    permissions:
-      contents: write
-      pull-requests: write
-
-    if: github.actor == 'dependabot[bot]'
-    steps:
-      - uses: dependabot/fetch-metadata@v2
-        id: metadata
-        with:
-          github-token: ${{ github.token }}
-
-      - name: Enable auto-merge
-        if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
-        run: gh pr merge --auto --rebase "$PR"
-        env:
-          GH_TOKEN: ${{ github.token }}
-          PR: ${{ github.event.pull_request.html_url }}
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..63a8080
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,65 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Build outputs (${{ matrix.system }})
+
+    strategy:
+      matrix:
+        include:
+          - system: x86_64-linux
+            os: ubuntu-latest
+
+    runs-on: ${{ matrix.os }}
+
+    steps:
+        # https://github.com/actions/runner-images/issues/2840#issuecomment-790492173
+      - name: Clear disk space
+        run: |
+          sudo rm -rf /usr/share/dotnet
+          sudo rm -rf /opt/ghc
+          sudo rm -rf "/usr/local/share/boost"
+          sudo rm -rf "$AGENT_TOOLSDIRECTORY"
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@v27
+
+      - name: Setup Cachix
+        uses: cachix/cachix-action@v15
+        with:
+          name: getchoo
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+
+      - name: Run build
+        env:
+          SYSTEM: ${{ matrix.system }}
+        run: |
+          nix run \
+            github:Mic92/nix-fast-build -- \
+            --no-nom \
+            --skip-cached \
+            --systems "$SYSTEM" \
+            --option allow-import-from-derivation false \
+            --flake '.#hydraJobs'
+
+  build-gate:
+    name: Build gate
+
+    if: ${{ always() }}
+    needs: build
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Exit with error
+        if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
+        run: exit 1
diff --git a/.github/workflows/update-inputs.yaml b/.github/workflows/update-inputs.yaml
index 9e08a76..bd106a3 100644
--- a/.github/workflows/update-inputs.yaml
+++ b/.github/workflows/update-inputs.yaml
@@ -8,10 +8,7 @@ on:
 
 jobs:
   update:
-    permissions:
-      contents: write
-      pull-requests: write
-
     uses: ./.github/workflows/update-lock.yaml
     with:
       commit-msg: "flake: update all inputs"
+    secrets: inherit
diff --git a/.github/workflows/update-lock.yaml b/.github/workflows/update-lock.yaml
index 109d860..d042e9a 100644
--- a/.github/workflows/update-lock.yaml
+++ b/.github/workflows/update-lock.yaml
@@ -4,26 +4,28 @@ on:
   workflow_call:
     inputs:
       commit-msg:
-        description: summary for lockfile commit
+        description: "Summary for lockfile commit"
         required: true
         type: string
       inputs:
-        description: flake inputs to update
+        description: "Flake inputs to update"
         required: false
         default: ""
         type: string
+    secrets:
+      MERGE_TOKEN:
+        description: PAT to create and merge PR
+        required: true
 
 jobs:
   update:
     name: Update & make PR
-    runs-on: ubuntu-latest
 
-    permissions:
-      contents: write
-      pull-requests: write
+    runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@v4
 
       - name: Install Nix
         uses: DeterminateSystems/nix-installer-action@v11
@@ -35,11 +37,11 @@ jobs:
           commit-msg: ${{ inputs.commit-msg }}
           inputs: ${{ inputs.inputs }}
           pr-title: ${{ inputs.commit-msg }}
-          token: ${{ github.token }}
+          token: ${{ secrets.MERGE_TOKEN }}
 
       - name: Enable auto-merge
         shell: bash
         run: gh pr merge --auto --rebase "$PR_ID"
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ secrets.MERGE_TOKEN }}
           PR_ID: ${{ steps.update.outputs.pull-request-number }}
diff --git a/.github/workflows/update-nixpkgs.yaml b/.github/workflows/update-nixpkgs.yaml
index 2fd0ec5..db6bf63 100644
--- a/.github/workflows/update-nixpkgs.yaml
+++ b/.github/workflows/update-nixpkgs.yaml
@@ -8,11 +8,8 @@ on:
 
 jobs:
   update:
-    permissions:
-      contents: write
-      pull-requests: write
-
     uses: ./.github/workflows/update-lock.yaml
     with:
       commit-msg: "flake: update nixpkgs"
       inputs: "nixpkgs nixpkgs-stable"
+    secrets: inherit