ci: add automaerge and flake update, restructure flake config

rolehippie · Jul 24, 2024 · ab7c90a · ab7c90a
1 parent 3dd2084
commit ab7c90a
Show file tree

Hide file tree

Showing 6 changed files with 514 additions and 133 deletions.
diff --git a/.github/settings.yml b/.github/settings.yml
@@ -21,52 +21,20 @@ repository:
   enable_automated_security_fixes: true
   enable_vulnerability_alerts: true
 
-labels:
-  - name: bug
-    color: d73a4a
-    description: Something isn't working
-  - name: documentation
-    color: 0075ca
-    description: Improvements or additions to documentation
-  - name: duplicate
-    color: cfd3d7
-    description: This issue or pull request already exists
-  - name: enhancement
-    color: a2eeef
-    description: New feature or request
-  - name: good first issue
-    color: 7057ff
-    description: Good for newcomers
-  - name: help wanted
-    color: 008672
-    description: Extra attention is needed
-  - name: invalid
-    color: e4e669
-    description: This doesn't seem right
-  - name: question
-    color: d876e3
-    description: Further information is requested
-  - name: wontfix
-    color: ffffff
-    description: This will not be worked on
-  - name: hacktoberfest-accepted
-    color: cccccc
-    description: Accepted as a Hacktoberfest submission
-  - name: renovate
-    color: e99695
-    description: Automated action from Renovate
-
 branches:
   - name: master
     protection:
       allow_force_pushes: true
       required_pull_request_reviews: null
       required_status_checks:
         strict: true
-        contexts: []
+        contexts:
+          - linting
+          - testing (default)
       enforce_admins: false
       restrictions:
         apps:
+          - rolehippie
           - renovate
         users: []
         teams:

diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml
@@ -0,0 +1,49 @@
+---
+name: automerge
+
+"on":
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - master
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  dependabot:
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
+
+    steps:
+      - name: Generate token
+        id: token
+        uses: tibdex/github-app-token@v2
+        with:
+          app_id: ${{ secrets.TOKEN_EXCHANGE_APP }}
+          installation_retrieval_mode: id
+          installation_retrieval_payload: ${{ secrets.TOKEN_EXCHANGE_INSTALL }}
+          private_key: ${{ secrets.TOKEN_EXCHANGE_KEY }}
+          permissions: >-
+            {"contents": "write", "pull_requests": "write", "issues": "write"}
+
+      - name: Fetch metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v2
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Approve request
+        id: approve
+        run: gh pr review --approve "${{github.event.pull_request.html_url}}"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Enable automerge
+        id: automerge
+        run: gh pr merge --rebase --auto "${{github.event.pull_request.html_url}}"
+        env:
+          GH_TOKEN: ${{ steps.token.outputs.token }}
+
+...
diff --git a/.github/workflows/flake.yml b/.github/workflows/flake.yml
@@ -0,0 +1,56 @@
+---
+name: flake
+
+"on":
+  workflow_dispatch:
+  schedule:
+    - cron: "0 8 * * 1"
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  flake:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Generate token
+        id: token
+        uses: tibdex/github-app-token@v2
+        with:
+          app_id: ${{ secrets.TOKEN_EXCHANGE_APP }}
+          installation_retrieval_mode: id
+          installation_retrieval_payload: ${{ secrets.TOKEN_EXCHANGE_INSTALL }}
+          private_key: ${{ secrets.TOKEN_EXCHANGE_KEY }}
+          permissions: >-
+            {"contents": "write", "pull_requests": "write"}
+
+      - name: Checkout source
+        id: source
+        uses: actions/checkout@v4
+
+      - name: Install nix
+        id: nix
+        uses: cachix/install-nix-action@v27
+
+      - name: Update flake
+        id: flake
+        uses: DeterminateSystems/update-flake-lock@v23
+        with:
+          commit-msg: "chore(flake): updated lockfile"
+          pr-title: "chore: automated flake update"
+          pr-body: "New flakelock generated, automerge should handle that!"
+          pr-labels: renovate
+          git-author-name: GitHub Actions
+          git-author-email: [email protected]
+          token: ${{ steps.token.outputs.token }}
+
+      - name: Enable automerge
+        id: automerge
+        if: steps.flake.outputs.pull-request-operation == 'created'
+        run: gh pr merge --rebase --auto "${{ steps.flake.outputs.pull-request-number }}"
+        env:
+          GH_TOKEN: ${{ steps.token.outputs.token }}
+
+...
diff --git a/.gitignore b/.gitignore
@@ -8,3 +8,4 @@ __pycache__/
 
 # ---> Flake
 .direnv/
+.devenv/