ci: use github app for flake.lock PRs

1 files changed, 49 insertions, 0 deletions

diff --git a/.github/workflows/update-flake.yaml b/.github/workflows/update-flake.yaml
new file mode 100644
index 0000000..95e2e8f
--- /dev/null
+++ b/.github/workflows/update-flake.yaml
@@ -0,0 +1,49 @@
+name: Update flake.lock
+
+on:
+  schedule:
+    # run every saturday
+    - cron: "0 0 * * 6"
+  workflow_dispatch:
+
+jobs:
+  update:
+    name: Run update & create PR
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Generate GitHub App token
+        uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v14
+
+      - name: Run update
+        run: nix flake update
+
+      - name: Create pull request
+        id: pull-request
+        uses: peter-evans/create-pull-request@v7
+        with:
+          branch: update-flake-lock
+          commit-message: "flake: update inputs"
+          title: "flake: update inputs"
+          token: ${{ steps.app-token.outputs.token }}
+          sign-commits: true
+
+      - name: Enable auto-merge
+        if: ${{ env.PR_ID != '' }}
+        run: gh pr merge --auto --squash "$PR_ID"
+        env:
+          PR_ID: ${{ steps.pull-request.outputs.pull-request-number }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}