ci: add workflows for automatic updates and checks (#9)

* ci: add workflows for automatic updates and checks

* ci: add repository-dispatch trigger and usage examples

Author: jetcookies

.github/workflows/check-flake-packages.yml

@@ -0,0 +1,27 @@
+name: check-flake-packages
+on:
+  pull_request:
+    paths-ignore:
+      - '.github/**'
+      - 'maintainers/**'
+      - 'examples/**'
+      - '.gitignore'
+      - '**/README.md'
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v6
+    - name: Install nix
+      uses: cachix/install-nix-action@v31
+      with:
+        nix_path: nixpkgs=channel:nixos-unstable
+        extra_nix_config: |
+          experimental-features = nix-command flakes
+          access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+    - name: Check evaluation
+      run: nix flake check
+    - name: Build nix packages
+      run: nix build --no-link --print-build-logs .#pico-fido

.github/workflows/update-flake-lock.yml

@@ -0,0 +1,37 @@
+name: update-flake-lock
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 2 * * 0'
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  lockfile:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v6
+    - name: Install nix
+      uses: cachix/install-nix-action@v31
+      with:
+        nix_path: nixpkgs=channel:nixos-unstable
+        extra_nix_config: |
+          experimental-features = nix-command flakes
+          access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+    - name: Update flake.lock
+      id: update
+      uses: DeterminateSystems/update-flake-lock@v28
+      with:
+        token: ${{ secrets.WORKFLOW_PR_TOKEN }}
+        pr-body: |
+          Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action.
+
+          ```
+          {{ env.GIT_COMMIT_MESSAGE }}
+          ```
+        pr-labels: "automated"
+    - name: Print PR number
+      run: echo Pull request number is ${{ steps.update.outputs.pull-request-number }}.

.github/workflows/update-flake-packages.yml

@@ -0,0 +1,43 @@
+name: update-flake-packages
+on:
+  workflow_dispatch:
+  repository_dispatch:
+    types: [update-flake-packages]
+  schedule:
+    - cron: '0 4 * * 0'
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  packages:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v6
+    - name: Install nix
+      uses: cachix/install-nix-action@v31
+      with:
+        nix_path: nixpkgs=channel:nixos-unstable
+        extra_nix_config: |
+          experimental-features = nix-command flakes
+          access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+    - name: Copy nixpkgs scripts
+      run: |
+        NIXPKGS=$(nix-instantiate --eval -E '<nixpkgs>')
+        cp -r $NIXPKGS/maintainers .
+        chmod -R +w .
+        sed -i "s|./../../default.nix|$NIXPKGS|g" maintainers/scripts/update.nix
+    - name: Update flake packages
+      id: update
+      uses: gepbird/nix-update-action@v2.1.1
+      with:
+        token: ${{ secrets.WORKFLOW_PR_TOKEN }}
+        # Ensure all *-firmwares are on the blacklist.
+        blacklist: "default,pico-fido-firmwares"
+        pr-body: |
+          Automated changes by the [nix-update-actions](https://github.com/gepbird/nix-update-action) GitHub Action.
+        pr-labels: "automated"
+    - name: Print PR number
+      run: echo Pull request number is ${{ steps.update.outputs.pull-request-number }}.

.gitignore

@@ -1,2 +1,3 @@
 result
-result-*
+result-*
+maintainers/

examples/repository-dispatch.yml

@@ -0,0 +1,20 @@
+name: repository-dispatch
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - v**
+
+jobs:
+  repository-dispatch:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Repository Dispatch
+        uses: peter-evans/repository-dispatch@v4.0.1
+        with:
+          # You can also use a fine-grained personal access token (beta). It needs the following permissions on the target repositories:
+          # contents: read & write
+          # metadata: read only (automatically selected when selecting the contents permission)
+          token: ${{ secrets.PAT }}
+          repository: librekeys/pico-fido-firmwares
+          event-type: update-flake-packages