feat(ci): auto-update rust deps

On a weekly basis c:

.forgejo/workflows/check.yml

@@ -3,12 +3,12 @@ jobs:
   check:
     runs-on: nixos
     steps:
-      - uses: https://code.forgejo.org/actions/checkout@v4
+      - uses: https://git.salame.cl/actions/checkout@v4
       - run: nix --version
       - run: nix flake check --keep-going --verbose --print-build-logs
   build:
     runs-on: nixos
     steps:
-      - uses: https://code.forgejo.org/actions/checkout@v4
+      - uses: https://git.salame.cl/actions/checkout@v4
       - run: nix --version
       - run: nix build --print-build-logs .#

.forgejo/workflows/update.yml

@@ -0,0 +1,62 @@
+on:
+  workflow_dispatch:
+  schedule:
+    # 03:42 on Saturdays
+    - cron: '42 3 * * 6'
+env:
+  PR_TITLE: Weekly `cargo update` of dependencies
+  PR_MESSAGE: |
+    Automation to keep dependencies in `Cargo.lock` current.
+
+    The following is the output from `cargo update`:
+  COMMIT_MESSAGE: "chore: cargo update \n\n"
+jobs:
+  update-cargo:
+    runs-on: nixos
+    env:
+      BRANCH_NAME: cargo-update
+    steps:
+      - uses: https://git.salame.cl/actions/checkout@v4
+      - run: nix --version
+      - run: nix run .#cargo-update
+      - name: craft PR body and commit message
+        run: |
+          set -euo pipefail
+
+          echo "${COMMIT_MESSAGE}" > commit.txt
+          cat cargo_update.log >> commit.txt
+
+          echo "${PR_MESSAGE}" > body.md
+          echo '```txt' >> body.md
+          cat cargo_update.log >> body.md
+          echo '```' >> body.md
+      - name: commit
+        run: |
+          set -euo pipefail
+
+          git config user.name forgejo-actions
+          git config user.email forgejo-actions@salame.cl
+          git switch --force-create "$BRANCH_NAME"
+          git add ./Cargo.lock
+          DIFF="$(git diff --staged)"
+          if [[ "$DIFF" == "" ]]; then
+            echo >2 "Cargo.lock was not changed, bailing out and not making a PR"
+            exit 1
+          fi
+          git commit --no-verify --file=commit.txt
+      - name: push
+        run: |
+          set -euo pipefail
+          git push --no-verify --force --set-upstream origin "$BRANCH_NAME"
+      - name: open new pull request
+        env:
+          # We have to use a Personal Access Token (PAT) here.
+          # PRs opened from a workflow using the standard `GITHUB_TOKEN` in GitHub Actions
+          # do not automatically trigger more workflows:
+          # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow
+          # GITHUB_TOKEN: ${{ secrets.DEPS_UPDATER_GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          tea login add --name "forgejo-actions" --token "$GITHUB_TOKEN"
+          tea pr create --title "${PR_TITLE}" --description "$(cat body.md)" --repo "$GITHUB_REPOSITORY"

flake.nix

@@ -45,18 +45,26 @@
       packages = forEachSupportedSystem (
         system:
         let
-          webnsupdate = nixpkgs.legacyPackages.${system}.callPackage ./default.nix { };
+          pkgs = nixpkgs.legacyPackages.${system};
+          webnsupdate = pkgs.callPackage ./default.nix { };
         in
         {
           inherit webnsupdate;
           default = webnsupdate;
-
+          cargo-update = pkgs.writeShellApplication {
+            name = "cargo-update-lockfile";
+            runtimeInputs = with pkgs; [
+              cargo
+              gnused
+            ];
+            text = ''
+              CARGO_TERM_COLOR=never cargo update 2>&1 | sed '/crates.io index/d' | tee -a cargo_update.log
+            '';
+          };
         }
       );
 
-      overlays.default = final: prev: {
+      overlays.default = final: prev: { webnsupdate = final.callPackage ./default.nix { }; };
-        webnsupdate = final.callPackage ./default.nix { };
-      };
 
       nixosModules.default = ./module.nix;