---
# Scheduled maintenance workflow: runs `nix flake update` and, when flake.lock
# changed, commits and pushes it straight to the checked-out branch.
name: Update flake inputs

on:
  schedule:
    - cron: '0 4 * * *'  # Daily at 4am UTC
  workflow_dispatch:  # Allow manual trigger from the Actions tab

jobs:
  update:
    runs-on: fred-nix
    # contents: write is what allows the final `git push`. The grant is scoped
    # to this job, so it applies to every step below, including the installer
    # that is downloaded at run time.
    permissions:
      contents: write
    steps:
      # NOTE(review): `v6` is a tag and can be moved to different code later.
      # Pinning the action to a full commit SHA keeps its content fixed
      # between runs.
      - name: Checkout repo
        uses: actions/checkout@v6

      # Bootstraps a single-user (--no-daemon) Nix, puts its profile on PATH
      # for later steps, and enables the nix-command and flakes features.
      # NOTE(review): curl restricts the transfer to HTTPS with TLS >= 1.2,
      # which protects the transport only. The script is neither pinned to a
      # release nor checked against a known hash before `sh` runs it, and per
      # the comment in the script the job runs as root. Consider fetching a
      # release-specific installer and verifying its published checksum first.
      - name: Install Nix
        run: |
          set -euxo pipefail
          # The Nix install script refuses to run cleanly as root unless the
          # nixbld group + users exist, even with --no-daemon. The runner's
          # catthehacker image runs jobs as root, so create them first.
          groupadd -r nixbld || true
          for i in $(seq 1 10); do
            useradd -r -g nixbld -G nixbld -d /var/empty -s /sbin/nologin \
              -c "Nix build user $i" "nixbld$i" || true
          done
          curl --proto '=https' --tlsv1.2 -sSfL https://nixos.org/nix/install | sh -s -- --no-daemon
          echo "$HOME/.nix-profile/bin" >> "$GITHUB_PATH"
          mkdir -p ~/.config/nix
          echo 'experimental-features = nix-command flakes' >> ~/.config/nix/nix.conf

      # NOTE(review): the refreshed lock file is pushed by the next step with
      # no build, check or human review in between, so whatever the inputs
      # resolve to at run time lands on the branch unexamined.
      - name: Update flake inputs
        run: nix flake update

      # Exits early when flake.lock is unchanged; otherwise commits it under
      # the bot identity and pushes.
      - name: Commit and push
        run: |
          set -euxo pipefail
          if git diff --quiet flake.lock; then
            echo "No changes to flake.lock — skipping commit."
            exit 0
          fi
          git config user.name 'forgejo-actions[bot]'
          git config user.email 'actions@forg.gregersen.it'
          git add flake.lock
          git commit -m 'flake: update inputs'
          git push