name: Bump Flake Inputs

on:
  workflow_dispatch:
  schedule:
    - cron: "3 0 * * *" # run daily at 00:03 UTC

permissions: {}

jobs:
  update-lockfile:
    runs-on: ubuntu-latest

    permissions:
      pull-requests: write
      contents: write

    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Install Lix
        uses: samueldr/lix-gha-installer-action@7b7f14d320d6aacfb65bd1ef761566b3b69e474c # v2026-02-22
        with:
          extra_nix_config: |
            substituters = https://nix-community.cachix.org https://catppuccin.cachix.org https://cache.nixos.org/ https://cache.tgirl.cloud/tgirlcloud/
            trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= catppuccin.cachix.org-1:noG/4HkbhJb+lUAdKrph6LaozJvAeEEZj4N732IysmU= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= tgirlcloud:EaOlHrpuOI6Zwmir3/MzqS9uA0Xn3gYr15/k/v0HIPo=

      - name: Update Lockfile
        id: pr
        uses: DeterminateSystems/update-flake-lock@c5930b397a673a70ca70be06020e943aeac310a1 # v27
        with:
          token: ${{ secrets.GH_TOKEN_UPDATES }}
          commit-msg: "flake.lock: update all inputs"
          pr-title: "flake.lock: update all inputs"
          branch: update-flake-inputs
          pr-body: |
            ```
            {{ env.GIT_COMMIT_MESSAGE }}
            ```

      - name: Merge Pull Request
        run: gh pr merge --rebase --auto --delete-branch "$PR"
        env:
          GH_TOKEN: ${{ github.token }}
          PR: ${{ steps.pr.outputs.pull-request-url }}