use github contents api for image urls + summer cleaning (#253)

* nix: alejandra -> nixfmt-rfc-style

* nix: pre-commit-hooks -> treefmt-nix

* nix: use corepack

* ci: cleanup workflows

* ci: use better dependabot scopes

* gitignore: extend with github templates

* remove teawie-archive submodule

* pnpm: 8.8.0 -> 9.6.0

* nix: add nrr to shell

* nix: add node lsps to shell

* use github contents api for image urls

* ci: cleanup workflows

* nix: add ci shell

* `octokit` -> `fetch` & cache responses

* nix: use nixpkgs wrangler

* nix: update flake.lock

Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/d9c0b9d611277e42e6db055636ba0409c59db6d2' (2024-07-05)
  → 'github:NixOS/nixpkgs/038fb464fcfa79b4f08131b07f2d8c9a6bcc4160' (2024-07-28)

* tsconfig: use strictest

* adopt openapi

* package.json: rename to teawie-api

* nix: add treefmt to ci shell

* ci: add release gate

6 files changed, 65 insertions, 57 deletions

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index fa9c837..005ad67 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,7 +5,12 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    commit-message:
+      prefix: "ci"
+
   - package-ecosystem: "npm"
     directory: "/"
     schedule:
       interval: "weekly"
+    commit-message:
+      prefix: "node_modules"
diff --git a/.github/workflows/autobot.yaml b/.github/workflows/autobot.yaml
index 450e5d2..4e74d0a 100644
--- a/.github/workflows/autobot.yaml
+++ b/.github/workflows/autobot.yaml
@@ -4,23 +4,25 @@ on: pull_request
 
 jobs:
   automerge:
+    name: Check and merge PR
+    if: github.actor == 'dependabot[bot]'
+
     runs-on: ubuntu-latest
 
     permissions:
       contents: write
       pull-requests: write
 
-    if: github.actor == 'dependabot[bot]'
-
     steps:
-      - uses: dependabot/fetch-metadata@v2
+      - name: Fetch metadata
+        uses: dependabot/fetch-metadata@v2
         id: metadata
         with:
           github-token: ${{ github.token }}
 
       - name: Enable auto-merge
         if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
-        run: gh pr merge --auto --rebase "$PR"
+        run: gh pr merge --auto --squash "$PR"
         env:
           GH_TOKEN: ${{ github.token }}
           PR: ${{ github.event.pull_request.html_url }}
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index ef649d9..b77ed84 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -6,49 +6,48 @@ on:
 
 jobs:
   build:
-    runs-on: "ubuntu-latest"
+    name: Build
 
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          submodules: recursive
+    runs-on: ubuntu-latest
 
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
 
-      - name: Setup Node
-        uses: actions/setup-node@v4
-        with:
-          node-version: 20
-          cache: pnpm
-          cache-dependency-path: pnpm-lock.yaml
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v13
 
-      - name: Install dependencies
-        run: pnpm install --frozen-lockfile
+      - name: Install Dependencies
+        run: nix develop .#ci --command pnpm install --frozen-lockfile
 
       - name: Run build
-        run: pnpm build
+        run: nix develop .#ci --command nrr build
+
+  treefmt:
+    name: Treefmt
 
-  format:
-    runs-on: "ubuntu-latest"
+    runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
-        with:
-          submodules: recursive
+      - name: Checkout repository
+        uses: actions/checkout@v4
 
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v13
 
-      - name: Setup Node
-        uses: actions/setup-node@v4
-        with:
-          node-version: 20
-          cache: pnpm
-          cache-dependency-path: pnpm-lock.yaml
+      - name: Run checks
+        run: |
+          nix develop .#ci --command treefmt --fail-on-change
 
-      - name: Install dependencies
-        run: pnpm install --frozen-lockfile
+  release-gate:
+    name: CI Release gate
+    needs: [build, treefmt]
 
-      - name: Run Prettier
-        run: pnpm exec prettier --check .
+    if: always()
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Exit with error
+        if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
+        run: exit 1
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
index c8dfaf4..9d82771 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@@ -1,14 +1,14 @@
 name: CodeQL
 
 on:
-  push:
-    branches: ["main"]
   pull_request:
+  workflow_dispatch:
 
 jobs:
   codeql:
     name: Run CodeQL scan
-    runs-on: "ubuntu-latest"
+
+    runs-on: ubuntu-latest
 
     permissions:
       security-events: write
@@ -17,7 +17,8 @@ jobs:
       LANGUAGE: "javascript-typescript"
 
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@v4
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3
diff --git a/.github/workflows/eslint.yaml b/.github/workflows/eslint.yaml
index 4cecab1..0a6f7ce 100644
--- a/.github/workflows/eslint.yaml
+++ b/.github/workflows/eslint.yaml
@@ -3,37 +3,37 @@ name: ESLint
 on:
   push:
     branches: [main]
+    paths:
+      - "**.ts"
+      - "package.json"
+      - "pnpm-lock.yaml"
+      - "tsconfig.json"
   pull_request:
 
 jobs:
   eslint:
-    name: Run ESLint scan
+    name: Run scan
+
     runs-on: ubuntu-latest
 
     permissions:
       security-events: write
 
     steps:
-      - uses: actions/checkout@v4
-        with:
-          submodules: recursive
+      - name: Checkout repository
+        uses: actions/checkout@v4
 
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
-
-      - name: Setup Node
-        uses: actions/setup-node@v4
-        with:
-          node-version: 20
-          cache: pnpm
-          cache-dependency-path: pnpm-lock.yaml
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v13
 
       - name: Install Dependencies
-        run: pnpm install --frozen-lockfile
+        run: nix develop .#ci --command pnpm install --frozen-lockfile
 
       - name: Run ESLint
         continue-on-error: true
-        run: pnpm run lint --format @microsoft/eslint-formatter-sarif --output-file /tmp/results.sarif
+        run: |
+          nix develop .#ci --command \
+            nrr lint --format @microsoft/eslint-formatter-sarif --output-file /tmp/results.sarif
 
       - name: Upload Results
         uses: github/codeql-action/upload-sarif@v3
diff --git a/.github/workflows/update-flake.yaml b/.github/workflows/update-flake.yaml
index 33fc043..bfebbc7 100644
--- a/.github/workflows/update-flake.yaml
+++ b/.github/workflows/update-flake.yaml
@@ -9,6 +9,7 @@ on:
 jobs:
   update:
     name: Run update
+
     runs-on: ubuntu-latest
 
     permissions:
@@ -20,7 +21,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Install Nix
-        uses: DeterminateSystems/nix-installer-action@v12
+        uses: DeterminateSystems/nix-installer-action@v13
 
       - name: Update flake.lock & make PR
         uses: DeterminateSystems/update-flake-lock@v23