ci: use github app for flake.lock PRs

1 files changed, 25 insertions, 13 deletions

diff --git a/.github/workflows/update-flake.yaml b/.github/workflows/update-flake.yaml
index 4794422..2ef1ffc 100644
--- a/.github/workflows/update-flake.yaml
+++ b/.github/workflows/update-flake.yaml
@@ -8,30 +8,42 @@ on:
 
 jobs:
   update:
-    name: Run update
-    runs-on: ubuntu-latest
+    name: Run update & create PR
 
-    permissions:
-      contents: write
+    runs-on: ubuntu-latest
 
     steps:
+      - name: Generate GitHub App token
+        uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Install Nix
         uses: DeterminateSystems/nix-installer-action@v14
 
-      - name: Update flake.lock & make PR
-        uses: DeterminateSystems/update-flake-lock@v24
-        id: update
+      - name: Run update
+        run: nix flake update
+
+      - name: Create pull request
+        id: pull-request
+        uses: peter-evans/create-pull-request@v7
         with:
-          commit-msg: "nix: update flake.lock"
-          pr-title: "nix: update flake.lock"
-          token: ${{ secrets.MERGE_TOKEN }}
+          branch: update-flake-lock
+          commit-message: "nix: update flake.lock"
+          title: "nix: update flake.lock"
+          token: ${{ steps.app-token.outputs.token }}
+          sign-commits: true
 
       - name: Enable auto-merge
-        if: env.PR_ID != ''
+        if: ${{ env.PR_ID != '' }}
         run: gh pr merge --auto --squash "$PR_ID"
         env:
-          GH_TOKEN: ${{ github.token}}
-          PR_ID: ${{ steps.update.outputs.pull-request-number }}
+          PR_ID: ${{ steps.pull-request.outputs.pull-request-number }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}