name: Update flake.lock

on:
  workflow_call:
    inputs:
      commit-message:
        description: "Summary for lockfile commit"
        required: true
        type: string
      flake-inputs:
        description: "Flake inputs to update"
        required: false
        default: ""
        type: string
    secrets:
      PRIVATE_KEY:
        description: GitHub Bot Application client secret
        required: true

jobs:
  update:
    name: Update & make PR

    runs-on: ubuntu-latest

    steps:
      - name: Generate GitHub App token
        uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.PRIVATE_KEY }}

      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token }}

      - name: Install Nix
        uses: cachix/install-nix-action@v31

      - name: Update flake.lock
        run: |
          nix flake update ${{ inputs.flake-inputs }}

      - name: Create Pull request
        id: pull-request
        uses: peter-evans/create-pull-request@v7
        with:
          branch: update-flake-lock
          commit-message: ${{ inputs.commit-message }}
          title: ${{ inputs.commit-message }}
          token: ${{ steps.app-token.outputs.token }}
          sign-commits: true

      - name: Enable auto-merge
        shell: bash
        if: ${{ env.PR_ID != '' }}
        run: gh pr merge --auto --rebase "$PR_ID"
        env:
          PR_ID: ${{ steps.pull-request.outputs.pull-request-number }}
          GH_TOKEN: ${{ steps.app-token.outputs.token }}