authorseth <[email protected]>2023-05-30 19:44:41 -0400
committerseth <[email protected]>2023-05-30 20:01:28 -0400
commited8b784c78b759a59dbb0232e04d00604a611699 (patch)
tree84b5d916da4c361c3ce9d29fa4b665a92f79ea4c /.github
parentd4b67a57aa3b081e01401f723ef5974459ed3171 (diff)
ci: don't use unmaintained actions
Diffstat (limited to '.github')
-rw-r--r--.github/actions/setup-nix/action.yaml17
-rw-r--r--.github/workflows/audit.yaml30
-rw-r--r--.github/workflows/ci.yaml14
-rw-r--r--.github/workflows/format.yaml26
-rw-r--r--.github/workflows/lint.yaml37
-rw-r--r--.github/workflows/update-flake.yaml28
6 files changed, 99 insertions, 53 deletions
diff --git a/.github/actions/setup-nix/action.yaml b/.github/actions/setup-nix/action.yaml
new file mode 100644
index 0000000..8afecd1
--- /dev/null
+++ b/.github/actions/setup-nix/action.yaml
@@ -0,0 +1,17 @@
+name: "setup nix & cachix"
+description: "setup nix and cachix"
+inputs:
+ cachix-token:
+ description: "cachix auth token"
+ default: ""
+ required: false
+
+runs:
+ using: "composite"
+ steps:
+ - uses: cachix/install-nix-action@v21
+
+ - uses: cachix/cachix-action@v12
+ with:
+ name: getchoo
+ authToken: ${{ inputs.cachix-token }}
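Review bot: Both `uses:` lines in this composite action reference third-party actions by a movable tag (`@v21`, `@v12`), and `cachix/cachix-action` is handed the cache auth token. A tag can be re-pointed upstream, so whatever code it resolves to at run time receives that token. Pinning to a full commit SHA with the tag kept as a comment closes that gap, e.g. `uses: cachix/cachix-action@<full-commit-sha> # v12` (placeholder; take the SHA from the upstream release). The same applies to `DeterminateSystems/update-flake-lock@v19` in update-flake.yaml, which runs in a job with `contents: write`.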
diff --git a/.github/workflows/audit.yaml b/.github/workflows/audit.yaml
new file mode 100644
index 0000000..677ea14
--- /dev/null
+++ b/.github/workflows/audit.yaml
@@ -0,0 +1,30 @@
+name: audit crates
+# this checks our dependencies for
+# security advisories every saturday
+
+on:
+ schedule:
+ - cron: "0 0 * * 6"
+ push:
+ paths:
+ - "Cargo.lock"
+ pull_request:
+ paths:
+ - "Cargo.lock"
+ workflow_dispatch:
+
+jobs:
+ audit:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: setup nix & cachix
+ uses: ./.github/actions/setup-nix
+ with:
+ cachix-token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+
+ - name: run audit
+ run: |
+ nix build -L .#checks.x86_64-linux.audit
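Review bot: This new workflow has no `permissions:` block, so its `GITHUB_TOKEN` gets the repository default, which may be read-write. The job only checks out the repository and runs a nix check, so a top-level `permissions:` block containing only `contents: read` should be enough. lint.yaml has the same gap after this commit: deleting its `checks: write` block also removes the implicit restriction on every other scope, and putting `contents: read` in its place would keep the token narrow.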
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 1237ddc..bebf885 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -6,7 +6,6 @@ on:
workflow_dispatch:
permissions:
- checks: write
contents: write
packages: write
@@ -17,14 +16,11 @@ jobs:
format:
name: format project
- if: github.event_name != 'pull_request'
- needs: lint
uses: ./.github/workflows/format.yaml
build:
runs-on: ubuntu-latest
- needs: format
- if: always() && (needs.format.result == 'success' || needs.format.result == 'skipped')
+ needs: lint
strategy:
matrix:
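Review bot: The `format` job calls `./.github/workflows/format.yaml` without a `secrets:` key, but this commit makes that workflow read `secrets.CACHIX_AUTH_TOKEN`. Secrets reach a reusable workflow only when the caller forwards them, so the expression will be empty there and cachix will run without the auth token (presumably pull-only). If pushing to the cache from these jobs is intended, forward just that secret with `secrets:` / `CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}` and declare it under `on.workflow_call.secrets` in the callee; if not, drop the `cachix-token` input from format.yaml so it is clear the token is not needed. The `lint` job's call is outside this hunk and likely needs the same decision; the `build` job body also continues past the hunk.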
@@ -33,12 +29,10 @@ jobs:
steps:
- uses: actions/checkout@v3
- - uses: cachix/install-nix-action@v21
-
- - uses: cachix/cachix-action@v12
+ - name: setup nix & cachix
+ uses: ./.github/actions/setup-nix
with:
- name: getchoo
- authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ cachix-token: ${{ secrets.CACHIX_AUTH_TOKEN }}
- name: build
run: |
diff --git a/.github/workflows/format.yaml b/.github/workflows/format.yaml
index b0eaddd..e189f46 100644
--- a/.github/workflows/format.yaml
+++ b/.github/workflows/format.yaml
@@ -13,31 +13,25 @@ jobs:
steps:
- uses: actions/checkout@v3
- - uses: actions-rs/toolchain@v1
+ - name: setup nix & cachix
+ uses: ./.github/actions/setup-nix
with:
- profile: minimal
- toolchain: stable
- override: true
- components: clippy
+ cachix-token: ${{ secrets.CACHIX_AUTH_TOKEN }}
- name: run cargo fmt
- uses: actions-rs/cargo@v1
- with:
- command: fmt
- args: --all
-
- - uses: EndBug/add-and-commit@v9
- with:
- default_author: github_actions
- message: "chore: fmt rust files"
+ run: |
+ nix build -L .#checks.x86_64-linux.fmt
nix-fmt:
runs-on: ubuntu-latest
- needs: cargo-fmt
+ if: github.event_name != 'pull_request'
steps:
- uses: actions/checkout@v3
- - uses: cachix/install-nix-action@v21
+ - name: setup nix & cachix
+ uses: ./.github/actions/setup-nix
+ with:
+ cachix-token: ${{ secrets.CACHIX_AUTH_TOKEN }}
- run: nix fmt
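Review bot: `cargo-fmt` becomes a check-only step in this hunk, but `nix-fmt` still ends at `run: nix fmt`, and nothing visible checks its result. Whether `nix fmt` exits non-zero after rewriting files depends on the flake's formatter, so unformatted Nix code may pass. Unless a later step outside this hunk handles it, following the command with `git diff --exit-code` would make the job fail on drift. The new `if: github.event_name != 'pull_request'` also means this job is skipped on pull requests, so drift would only surface after merge.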
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 550e406..aab9e34 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -4,39 +4,22 @@ on:
workflow_call:
workflow_dispatch:
-permissions:
- checks: write
-
jobs:
- cargo-check:
+ lint:
runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
-
- - uses: actions-rs/toolchain@v1
- with:
- profile: minimal
- toolchain: stable
- override: true
- - name: run cargo check
- uses: actions-rs/cargo@v1
- with:
- command: check
+ strategy:
+ matrix:
+ check: [teawiebot, clippy]
- clippy:
- runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- - uses: actions-rs/toolchain@v1
+ - name: setup nix & cachix
+ uses: ./.github/actions/setup-nix
with:
- profile: minimal
- toolchain: stable
- override: true
- components: clippy
+ cachix-token: ${{ secrets.CACHIX_AUTH_TOKEN }}
- - uses: actions-rs/clippy-check@v1
- with:
- token: ${{ secrets.GITHUB_TOKEN }}
- args: --all-features
+ - name: lint
+ run: |
+ nix build -L .#checks.x86_64-linux.${{ matrix.check }}
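Review bot: `${{ matrix.check }}` is expanded into the `run:` script text before the shell sees it. The matrix values here are fixed literals in this file, so nothing untrusted reaches the shell today. Passing the value through the environment keeps the step safe if the matrix is ever fed from an input: add `env:` with `CHECK: ${{ matrix.check }}` to the step and run `nix build -L ".#checks.x86_64-linux.$CHECK"`.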
diff --git a/.github/workflows/update-flake.yaml b/.github/workflows/update-flake.yaml
new file mode 100644
index 0000000..12d7607
--- /dev/null
+++ b/.github/workflows/update-flake.yaml
@@ -0,0 +1,28 @@
+name: update nix flake
+# this is to make sure we can build against a
+# recent version of nixos-unstable
+
+on:
+ schedule:
+ - cron: "0 0 * * 6"
+ workflow_dispatch:
+
+permissions:
+ contents: write
+
+jobs:
+ update-flake:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: setup nix & cachix
+ uses: ./.github/actions/setup-nix
+ with:
+ cachix-token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+
+ - uses: DeterminateSystems/update-flake-lock@v19
+ with:
+ commit-msg: "chore(flake): update inputs"
+ pr-title: "chore(flake): update inputs"
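Review bot: The `permissions:` block grants only `contents: write`, which sets every other scope to none, yet the last step is configured with `pr-title` and so appears to open a pull request. Creating a pull request with `GITHUB_TOKEN` needs `pull-requests: write` as well; without it the step is likely to fail when it reaches the API call. Adding `pull-requests: write` under `permissions:` keeps the token scoped to what this job does.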