authorseth <[email protected]>2023-09-07 16:19:07 -0400
committerseth <[email protected]>2023-09-07 17:15:26 -0400
commit9518d623730a362a2cf558cb77d020be8ce50bc8 (patch)
tree8d95998e4d35e0955d8559b9e48b7a60f7766795 /.github
parentf741b550612103dafc1b2ff405de6a816ac5d760 (diff)
flake/actions: replace some crane checks with pre-commit
Diffstat (limited to '.github')
-rw-r--r--.github/workflows/audit.yaml20
-rw-r--r--.github/workflows/clippy.yaml5
-rw-r--r--.github/workflows/update-lock.yaml (renamed from .github/workflows/update-flake.yaml)17
3 files changed, 14 insertions, 28 deletions
diff --git a/.github/workflows/audit.yaml b/.github/workflows/audit.yaml
deleted file mode 100644
index ebf88d0..0000000
--- a/.github/workflows/audit.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-name: audit crates
-# this checks our dependencies for
-# security advisories every saturday
-
-on:
- schedule:
- - cron: "0 0 * * 6"
- workflow_dispatch:
-
-jobs:
- audit:
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v4
- - uses: DeterminateSystems/nix-installer-action@main
-
- - name: run audit
- run: |
- nix build --accept-flake-config -L .#checks.x86_64-linux.audit
diff --git a/.github/workflows/clippy.yaml b/.github/workflows/clippy.yaml
index 48b1bd6..cb35d14 100644
--- a/.github/workflows/clippy.yaml
+++ b/.github/workflows/clippy.yaml
@@ -11,6 +11,10 @@ jobs:
clippy:
runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+
steps:
- uses: actions/checkout@v4
- uses: DeterminateSystems/nix-installer-action@main
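Review bot: The job that now holds `security-events: write` still runs `DeterminateSystems/nix-installer-action@main` in its steps, and `@main` is a mutable branch ref, so whatever that branch points to at run time executes with the job's token. The explicit `permissions` block narrows the token well, but pinning the action would close the remaining gap: `uses: DeterminateSystems/nix-installer-action@<full-commit-sha>  # <release tag>`. The same ref appears in the update-lock.yaml hunk, where the visible workflow-level permissions include `pull-requests: write`, so the pin matters at least as much there.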
@@ -23,6 +27,7 @@ jobs:
- name: run clippy
run: |
+ mkdir -p /tmp
cargo clippy --all --all-targets --message-format=json | clippy-sarif > /tmp/clippy.sarif
- name: upload results
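Review bot: The added `mkdir -p /tmp` has no effect on `ubuntu-latest`, where `/tmp` always exists, so it can be dropped or replaced with a runner-scoped path such as `"$RUNNER_TEMP/clippy.sarif"` (the upload step's path lies outside the visible lines and would have to match). This `run` block also shows no `shell:` key, and if no `defaults.run.shell` is set elsewhere, GitHub runs it with `bash -e` and without `pipefail`. In that case a failing `cargo clippy` is masked by the exit status of `clippy-sarif`, and an empty or partial SARIF file could be uploaded as a clean result. If the masking is deliberate so that findings are always uploaded, a comment such as `# clippy exit status intentionally ignored; findings are reported via SARIF` would record that; otherwise add `shell: bash` or `set -o pipefail` as the first line of the script.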
diff --git a/.github/workflows/update-flake.yaml b/.github/workflows/update-lock.yaml
index 7e0d992..9e3301d 100644
--- a/.github/workflows/update-flake.yaml
+++ b/.github/workflows/update-lock.yaml
@@ -1,9 +1,8 @@
-name: update nix flake
-# this is to make sure we can build against a
-# recent version of nixos-unstable
+name: update flake lock
on:
schedule:
+ # run every saturday
- cron: "0 0 * * 6"
workflow_dispatch:
@@ -12,20 +11,22 @@ permissions:
pull-requests: write
jobs:
- update-flake:
+ update:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: DeterminateSystems/nix-installer-action@main
- - uses: DeterminateSystems/update-flake-lock@v20
+ - name: update lockfile
+ uses: DeterminateSystems/update-flake-lock@v20
id: update
with:
- commit-msg: "deps(flake): update inputs"
- pr-title: "deps(flake): update inputs"
+ commit-msg: "flake: update inputs"
+ pr-title: "flake: update inputs"
+ token: ${{ github.token }}
- - name: auto-merge pull request
+ - name: enable auto-merge
shell: bash
run: gh pr merge --auto --rebase "$PR_ID"
env:
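Review bot: The new `token: ${{ github.token }}` line makes the lockfile PR get created by the default `GITHUB_TOKEN`, and GitHub does not start `pull_request` or `push` workflow runs for events caused by that token. Combined with `gh pr merge --auto --rebase`, the dependency update either merges with no CI having run on it (if the branch has no required checks) or sits waiting for checks that never start. If the intent is for flake input bumps to be tested before they land, pass a GitHub App installation token or a fine-scoped PAT stored as a secret instead, for example `token: ${{ secrets.<LOCKFILE_PR_TOKEN> }}`, and confirm that branch protection requires the build checks. The contents of the `env:` block that supplies `PR_ID` lie outside the visible lines, so which token `gh` itself uses cannot be checked here.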