tailscale/.github/workflows/update-flake.yml

name: update-flake

on:
  # run action when a change lands in the main branch which updates go.mod. Also
  # allow manual triggering.
  push:
    branches:
      - main
    paths:
      - go.mod
      - .github/workflows/update-flakes.yml
  workflow_dispatch:

concurrency:
  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

jobs:
  update-flake:
    runs-on: ubuntu-latest

    steps:
      - name: Check out code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Run update-flakes
        run: ./update-flake.sh

      - name: Get access token
        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
        id: generate-token
        with:
          app_id: ${{ secrets.LICENSING_APP_ID }}
          installation_retrieval_mode: "id"
          installation_retrieval_payload: ${{ secrets.LICENSING_APP_INSTALLATION_ID }}
          private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}

      - name: Send pull request
        uses: peter-evans/create-pull-request@8867c4aba1b742c39f8d0ba35429c2dfa4b6cb20 #v7.0.1
        with:
          token: ${{ steps.generate-token.outputs.token }}
          author: Flakes Updater <noreply+flakes-updater@tailscale.com>
          committer: Flakes Updater <noreply+flakes-updater@tailscale.com>
          branch: flakes
          commit-message: "go.mod.sri: update SRI hash for go.mod changes"
          title: "go.mod.sri: update SRI hash for go.mod changes"
          body: Triggered by ${{ github.repository }}@${{ github.sha }}
          signoff: true
          delete-branch: true
          reviewers: danderson