feat(ci): use REST API to make bot commit verified

Author: charliie-dev

.github/workflows/update_flake_lock.yml

@@ -1,33 +1,102 @@
 ---
-name: "Flake.lock: update Nix dependencies"
+name: "Flake.lock: update Nix dependencies (Verified)"
 on:
   workflow_dispatch: # allows manual triggering
   schedule:
-    - cron: "0 0 * * 0" # runs weekly on Sunday at 00:00
+    - cron: 0 0 * * 0 # runs weekly on Sunday at 00:00
+
+env:
+  BRANCH: "main"
+  COMMIT_MESSAGE: "chore(lockfile): auto update flake.lock"
+  GIT_NAME: "github-actions[bot]"
+  GIT_EMAIL: "41898282+github-actions[bot]@users.noreply.github.com"
 
 jobs:
   nix-flake-update:
     permissions:
       contents: write
       id-token: write
     runs-on: ubuntu-latest
+
     steps:
       - name: Checkout repository
         uses: actions/checkout@v5
+
       - name: Install Nix
         uses: DeterminateSystems/determinate-nix-action@v3
+
       - name: Check Nix flake inputs
         uses: DeterminateSystems/flake-checker-action@v12
         with:
           ignore-missing-flake-lock: false
           fail-mode: true
+
       - name: Update flake.lock
         run: |
           nix flake update
-      - uses: stefanzweifel/git-auto-commit-action@v7
+
+      - name: Detect modified files
+        id: diff
+        shell: bash
+        run: |
+          set -euo pipefail
+          # List modified (tracked) files relative to HEAD.
+          # If you only want specific patterns, add a grep here (e.g., grep -E '(^|/)flake\.lock$').
+          mapfile -t changed < <(git ls-files -m --full-name)
+
+          if [ "${#changed[@]}" -eq 0 ]; then
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+            echo "changed_files=" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          # Join into a comma-separated string for downstream steps.
+          IFS=',' read -r -a _ <<< ""
+          changed_csv="$(printf "%s," "${changed[@]}")"
+          changed_csv="${changed_csv%,}"
+
+          echo "Changed files:"
+          printf ' - %s\n' "${changed[@]}"
+
+          echo "changed=true" >> "$GITHUB_OUTPUT"
+          echo "changed_files=${changed_csv}" >> "$GITHUB_OUTPUT"
+
+      - name: Commit via REST Contents API (server-signed → Verified)
+        if: steps.diff.outputs.changed == 'true'
+        uses: actions/github-script@v8
+        env:
+          CHANGED_FILES: ${{ steps.diff.outputs.changed_files }}
         with:
-          commit_message: "chore(lockfile): auto update flake.lock"
-          commit_user_name: "github-actions[bot]"
-          commit_user_email: "32497323+github-actions[bot]@users.noreply.github.com"
-          commit_author: "github-actions[bot] <32497323+github-actions[bot]@users.noreply.github.com>"
-          file_pattern: "flake.lock"
+          script: |
+            const fs = require('fs');
+            const owner   = context.repo.owner;
+            const repo    = context.repo.repo;
+            const branch  = process.env.BRANCH;
+            const message = process.env.COMMIT_MESSAGE;
+
+            const files = (process.env.CHANGED_FILES || '')
+              .split(',')
+              .map(s => s.trim())
+              .filter(Boolean);
+
+            for (const path of files) {
+              const content = fs.readFileSync(path, { encoding: 'base64' });
+
+              // Get existing sha if the file already exists
+              let sha;
+              try {
+                const res = await github.rest.repos.getContent({ owner, repo, path, ref: branch });
+                if (!Array.isArray(res.data)) sha = res.data.sha;
+              } catch (e) {
+                if (e.status !== 404) throw e;
+              }
+
+              // NOTE: author/committer intentionally omitted to allow platform signing
+              const r = await github.rest.repos.createOrUpdateFileContents({
+                owner, repo, path, branch,
+                message,
+                content,
+                sha
+              });
+              core.info(`Committed ${path}: ${r.data.commit.sha}`);
+            }