authorseth <[email protected]>2024-09-30 07:33:17 -0400
committerseth <[email protected]>2024-09-30 09:38:10 -0400
commitfb5b69410de540c3696d67dc44c2cef3c60cc528 (patch)
treecdba5ef78b30f4fb9b5b13afe29a17732e704fce /.github/workflows
parent79a7a0c0eaa1175a589472556821afb3e2fa6557 (diff)
ci: use github app for flake.lock PRs
Diffstat (limited to '.github/workflows')
-rw-r--r--.github/workflows/update-flake.yaml49
-rw-r--r--.github/workflows/update-lock.yaml36
2 files changed, 49 insertions, 36 deletions
diff --git a/.github/workflows/update-flake.yaml b/.github/workflows/update-flake.yaml
new file mode 100644
index 0000000..95e2e8f
--- /dev/null
+++ b/.github/workflows/update-flake.yaml
@@ -0,0 +1,49 @@
+name: Update flake.lock
+
+on:
+ schedule:
+ # run every saturday
+ - cron: "0 0 * * 6"
+ workflow_dispatch:
+
+jobs:
+ update:
+ name: Run update & create PR
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Generate GitHub App token
+ uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.PRIVATE_KEY }}
+
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ token: ${{ steps.app-token.outputs.token }}
+
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@v14
+
+ - name: Run update
+ run: nix flake update
+
+ - name: Create pull request
+ id: pull-request
+ uses: peter-evans/create-pull-request@v7
+ with:
+ branch: update-flake-lock
+ commit-message: "flake: update inputs"
+ title: "flake: update inputs"
+ token: ${{ steps.app-token.outputs.token }}
+ sign-commits: true
+
+ - name: Enable auto-merge
+ if: ${{ env.PR_ID != '' }}
+ run: gh pr merge --auto --squash "$PR_ID"
+ env:
+ PR_ID: ${{ steps.pull-request.outputs.pull-request-number }}
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
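Review bot: The `uses:` references in this job (`actions/create-github-app-token@v1`, `actions/checkout@v4`, `DeterminateSystems/nix-installer-action@v14`, `peter-evans/create-pull-request@v7`) are pinned to mutable tags, while the job reads `secrets.PRIVATE_KEY` and hands the minted App token to a third-party action. Pinning each to a full commit SHA with the tag as a trailing comment, e.g. `uses: peter-evans/create-pull-request@<full-commit-sha> # v7`, keeps a retagged release from running with that token. The job also declares no `permissions:` block; since every write here goes through the App token, a job-level `permissions: {}` (or `contents: read`) would strip the default `GITHUB_TOKEN` of anything it does not need. Because the resulting PR is auto-merged, it is worth confirming that branch protection requires status checks on the target branch, which the diff does not show.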
diff --git a/.github/workflows/update-lock.yaml b/.github/workflows/update-lock.yaml
deleted file mode 100644
index d38808e..0000000
--- a/.github/workflows/update-lock.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-name: Update flake.lock
-
-on:
- schedule:
- # run every saturday
- - cron: "0 0 * * 6"
- workflow_dispatch:
-
-jobs:
- update:
- name: Update
-
- runs-on: ubuntu-latest
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
- - name: Install Nix
- uses: DeterminateSystems/nix-installer-action@v14
-
- - name: Update lockfile & make PR
- uses: DeterminateSystems/update-flake-lock@v24
- id: update
- with:
- commit-msg: "flake: update inputs"
- pr-title: "flake: update inputs"
- token: ${{ secrets.MERGE_TOKEN }}
-
- - name: Enable auto-merge
- shell: bash
- if: steps.update.outputs.pull-request-number != ''
- run: gh pr merge --auto --squash "$PR_ID"
- env:
- GH_TOKEN: ${{ secrets.MERGE_TOKEN }}
- PR_ID: ${{ steps.update.outputs.pull-request-number }}