github: automatically update flake.lock every week

Summary: Keeping the flake.lock up to date and 'fresh' is nice for all the same reasons that apply to things like Cargo, Poetry, etc. Unfortunately, dependabot doesn't have support for Nix flakes. There is also no mechanism to add 'out of band' updates through dependabot, at least not yet. Instead, we use the `update-flake-lock` action from Determinate Systems, which can paper over it for us. This updates once a week on Sunday, which is pretty fine, I think. A theoretical downside of this approach is that we can't group updates together like dependabot does; but dependabot only groups 'related' updates together, i.e. updates to Cargo dependencies. If it also detected updates for e.g. Poetry or Nix, it would make separate PRs for those. Signed-off-by: Austin Seipp <[email protected]> Change-Id: I6f447deffc545da77fb320519abcf437
jj-vcs · Nov 3, 2023 · c1b6f2c · c1b6f2c
1 parent 904c37d
commit c1b6f2c
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/.github/workflows/nix-update-flake.yml b/.github/workflows/nix-update-flake.yml
@@ -0,0 +1,22 @@
+name: Update nix flake.lock
+on:
+  workflow_dispatch: # allows manual triggering
+  schedule:
+    - cron: '40 3 * * 0' # runs weekly on Sunday at 03:40
+
+jobs:
+  lockfile:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@bc7b19257469c8029b46f45ac99ecc11156c8b2d
+      - name: Update flake.lock
+        uses: DeterminateSystems/update-flake-lock@da2fd6f2563fe3e4f2af8be73b864088564e263d
+        with:
+          pr-title: "nix: update flake.lock"
+          pr-assignees: thoughtpolice
+          pr-reviewers: thoughtpolice
+          pr-labels: |
+            dependencies