fix(ci): harden automated nix updates

Author: TakuyaYagam1

.github/workflows/dependabot-auto-merge.yml

@@ -0,0 +1,45 @@
+name: Dependabot auto-merge
+
+on:
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  dependabot:
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
+
+    steps:
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Approve patch and minor updates
+        continue-on-error: true
+        if: ${{ !github.event.pull_request.draft && (steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor') }}
+        run: gh pr review --approve "$PR_URL" --body "Auto-approved Dependabot $UPDATE_TYPE update."
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }}
+
+      - name: Merge patch and minor updates
+        if: ${{ !github.event.pull_request.draft && (steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor') }}
+        run: |
+          if gh pr merge --squash --delete-branch "$PR_URL"; then
+            exit 0
+          fi
+          gh pr merge --auto --squash --delete-branch "$PR_URL"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_URL: ${{ github.event.pull_request.html_url }}

.github/workflows/update-flake.yml

@@ -3,7 +3,7 @@ name: Update flake inputs
 on:
   workflow_dispatch:
   schedule:
-    - cron: "0 6 * * 1"
+    - cron: "0 1 * * *"
 
 permissions:
   contents: write
@@ -93,6 +93,7 @@ jobs:
           fi
 
       - name: Create pull request
+        id: cpr
         if: steps.check.outputs.modified == 'true'
         uses: peter-evans/create-pull-request@v8
         with:
@@ -103,6 +104,43 @@ jobs:
           add-paths: |
             flake.lock
             Linux/NixOS/flake.lock
-          title: "Update flake locks"
+          title: "chore(nix): update flake locks"
           body: |
+            ## What
+
             Updates root and NixOS flake locks after scheduled input refresh.
+
+            ## Why
+
+            Keeps pinned flake inputs current while preserving review through a pull request.
+
+            ## Testing
+
+            - `nix flake check --no-build`
+            - `nix build --no-link --print-build-logs .#checks.x86_64-linux.shells-module`
+            - `nix build .#mysetup --print-build-logs`
+            - `./result/bin/mysetup --help`
+            - `nix build --no-link --print-build-logs '.#nixosConfigurations.NixOS.config.home-manager.users.user.xdg.configFile."hypr/end4".source'`
+            - `nix build --no-link --print-build-logs '.#nixosConfigurations.NixOS.config.home-manager.users.user.programs.caelestia.package'`
+            - `nix build .#mysetup --print-build-logs`
+            - `./result/bin/mysetup --help`
+
+      - name: Approve pull request
+        continue-on-error: true
+        if: steps.cpr.outputs.pull-request-number != ''
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ steps.cpr.outputs.pull-request-number }}
+        run: |
+          gh pr review "$PR_NUMBER" --approve --body "Auto-approved after scheduled flake update checks passed."
+
+      - name: Merge pull request
+        if: steps.cpr.outputs.pull-request-number != ''
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ steps.cpr.outputs.pull-request-number }}
+        run: |
+          if gh pr merge "$PR_NUMBER" --squash --delete-branch; then
+            exit 0
+          fi
+          gh pr merge "$PR_NUMBER" --auto --squash --delete-branch

.github/workflows/update-omnirouter.yml

@@ -134,18 +134,50 @@ jobs:
         run: rm -f result result-*
 
       - name: Create pull request
+        id: cpr
         if: steps.compare.outputs.should_update == 'true'
         uses: peter-evans/create-pull-request@v8
         with:
-          commit-message: "chore: update omnirouter"
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: "chore(nix): update omnirouter"
           branch: "update-omnirouter"
           delete-branch: true
           add-paths: |
             Linux/NixOS/packages/omnirouter.nix
-          title: "Update OmniRouter to v${{ steps.release.outputs.version }}"
+          title: "chore(nix): update omnirouter to v${{ steps.release.outputs.version }}"
           body: |
+            ## What
+
             Updates local `omnirouter` package to `v${{ steps.release.outputs.version }}`.
 
             Updated hashes:
             - source: `${{ steps.src.outputs.hash }}`
             - npmDepsHash: `${{ steps.npm.outputs.hash }}`
+
+            ## Why
+
+            Keeps the packaged OmniRouter release current.
+
+            ## Testing
+
+            - `nix build --no-write-lock-file "$FLAKE#omnirouter"`
+
+      - name: Approve pull request
+        continue-on-error: true
+        if: steps.cpr.outputs.pull-request-number != ''
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ steps.cpr.outputs.pull-request-number }}
+        run: |
+          gh pr review "$PR_NUMBER" --approve --body "Auto-approved after scheduled OmniRouter update build passed."
+
+      - name: Merge pull request
+        if: steps.cpr.outputs.pull-request-number != ''
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ steps.cpr.outputs.pull-request-number }}
+        run: |
+          if gh pr merge "$PR_NUMBER" --squash --delete-branch; then
+            exit 0
+          fi
+          gh pr merge "$PR_NUMBER" --auto --squash --delete-branch

Linux/NixOS/home/home.nix

@@ -100,8 +100,8 @@ in
   # Caelestia ships its own bar - block any upstream waybar enable.
   programs.waybar.enable = lib.mkForce false;
 
-  # Silence HM 26.05 warning: keep gtk4 inheriting the gtk theme.
-  gtk.gtk4.theme = config.gtk.theme;
+  # Keep GTK4 inheriting the GTK theme unless Stylix defines it explicitly.
+  gtk.gtk4.theme = lib.mkDefault config.gtk.theme;
 
   # When HM uses the system package set, Stylix must not install package overlays
   # inside the HM evaluation as well.

Linux/NixOS/packages/omnirouter.nix

@@ -54,6 +54,8 @@ buildNpmPackage' rec {
     NEXT_TELEMETRY_DISABLED = "1";
     npm_config_arch = stdenv.hostPlatform.parsed.cpu.name;
     SHARP_IGNORE_GLOBAL_LIBVIPS = "0";
+    # CPU binaries are bundled; skip optional CUDA downloads from NuGet.
+    ONNXRUNTIME_NODE_INSTALL = "skip";
   };
 
   doCheck = false;