feat: fix auto approve and support dependabot

.github/dependabot.yml

@@ -0,0 +1,18 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      # Check for updates to GitHub Actions every monday
+      interval: "weekly"
+      day: "saturday"
+      time: "03:00"
+      timezone: "Asia/Tokyo"
+    groups:
+      angular:
+        patterns:
+          - "*"
+        update-types:
+          - major
+          - minor
+          - patch

.github/workflows/auto-approve.yml

@@ -1,61 +1,45 @@
 name: Auto approve
 on:
   workflow_run:
-    workflows: [Build check]
+    workflows: "*"
     types:
       - completed
 
 jobs:
-  check-pr:
+  auto-approve:
     runs-on: ubuntu-latest
+    if: contains(fromJSON('["misumisumi", "app/operate-pr-for-flakes"]'), github.actor)
     outputs:
-      pr-number: ${{ steps.pr-number.outputs.pr-number }}
-      check-codeowner: >-
-        steps.pr-author.outputs.pr-author == "misumisumi" ||
-        steps.pr-author.outputs.pr-author == "app/operate-pr-for-flakes"
+      pr-number: ${{ steps.pr.outputs.result }}
     steps:
-      - name: Download artifact
-        id: download-artifact
-        uses: dawidd6/action-download-artifact@v3
+      # From https://github.com/orgs/community/discussions/25220#discussioncomment-8697399
+      - name: Find associated pull request
+        id: pr
+        uses: actions/github-script@v7
         with:
-          workflow: build-check.yml
-          workflow_conclusion: success
-          name: pr-number
-          path: artifacts
+          script: |
+            const response = await github.rest.search.issuesAndPullRequests({
+              q: 'repo:${{ github.repository }} is:pr sha:${{ github.event.workflow_run.head_sha }}',
+              per_page: 1,
+            })
+            const items = response.data.items
+            if (items.length < 1) {
+              console.error('No PRs found')
+              return
+            }
+            const pullRequestNumber = items[0].number
+            console.info("Pull request number is", pullRequestNumber)
+            return pullRequestNumber
 
-      - name: Set PR number
-        id: pr-number
-        run: |
-          echo pr-number=$(cat ./artifacts/pr-number.txt) >> $GITHUB_OUTPUT
-
-      - name: Check PR Author
-        id: pr-author
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-        run: |
-          echo pr-author=$(gh pr view ${{ steps.pr-number.outputs.pr-number }} --json author --jq .author.login) >> $GITHUB_OUTPUT
-
-  on-success:
-    runs-on: ubuntu-latest
-    needs: check-pr
-    if: >-
-      needs.outputs.check-codeowner &&
-      github.event.workflow_run.conclusion == 'success'
-    steps:
-      - name: PR review and merge
+      - name: Check workflow status
+        id: check-workflow-status
         env:
           GITHUB_TOKEN: ${{ github.token }}
         run: |
-          gh pr review --approve ${{ needs.check-pr.outputs.pr-number.outputs.pr-number }}
-          gh pr merge --merge --auto ${{ needs.check-pr.outputs.pr-number.outputs.pr-number }}
-
-  on-failure:
-    runs-on: ubuntu-latest
-    needs: on-success
-    if: >-
-      needs.on-success.result != 'success'
-    steps:
-      - name: Error handling
-        run: |
-          echo "Not approve"
-          exit 1
+          status_check=$(gh pr view ${{ steps.pr.outputs.result }} --json statusCheckRollup)
+          completed=$(echo $status_check | jq -r '.statusCheckRollup | [.[] | select(.status=="COMPLETED")]')
+          if [ $(cat $completed | jq -r '. | length' ) -eq $(cat $status_check | jq -r '.statusCheckRollup | length') ]; then
+            if [ $(cat $completed | jq '[.[].conclusion] | all(.=="SUCCESS" or "NEUTRAL")') == true ]; then
+              gh pr review --approve ${{ steps.pr.outputs.result }} --repo ${{ github.repository }}
+            end
+          end

.github/workflows/auto-merge-dependabot.yml

@@ -0,0 +1,23 @@
+name: Auto merge for dependabot
+on:
+  pull_request:
+
+jobs:
+  dependabot:
+    runs-on: ubuntu-latest
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    steps:
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v1.1.1
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Enable auto-merge for Dependabot PRs
+        if: contains(fromJSON('["minor", "patch"]'), steps.metadata.outputs.update-type)
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+        run: |
+          gh pr review --approve "$PR_URL"
+          gh pr merge --auto --merge "$PR_URL"

.github/workflows/build-check.yml

@@ -1,11 +1,12 @@
 name: Build check
 on:
   pull_request:
+    paths:
+      - "**.nix"
 
 jobs:
   build-check:
     runs-on: ubuntu-latest
-    if: github.event.pull_request.user.login != 'misumisumi'
     steps:
       - uses: easimon/maximize-build-space@master
         with:
@@ -26,27 +27,3 @@ jobs:
 
       - name: Run flake build
         run: nix build --no-link ".#nixosConfigurations.test.config.system.build.toplevel"
-
-      - name: Save PR number
-        run: echo $GITHUB_REF | sed -e 's/[^0-9]//g' > pr-number.txt
-
-      - name: Upload Artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: pr-number
-          path: pr-number.txt
-          retention-days: 7
-
-  bypass-check:
-    runs-on: ubuntu-latest
-    if: github.event.pull_request.user.login == 'misumisumi'
-    steps:
-      - name: Save PR number
-        run: echo $GITHUB_REF | sed -e 's/[^0-9]//g' > pr-number.txt
-
-      - name: Upload Artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: pr-number
-          path: pr-number.txt
-          retention-days: 7

.github/workflows/update-repo.yml

@@ -2,7 +2,7 @@ name: Update repository
 on:
   workflow_dispatch: # allows manual triggering
   schedule:
-    - cron: "0 17 * * 5" # runs weekly on Saturday at 02:00 (JST)
+    - cron: "0 18 * * 5" # runs weekly on Saturday at 03:00 (JST)
 
 jobs:
   update-repo:
@@ -19,7 +19,7 @@ jobs:
           app_id: ${{ secrets.APP_ID }}
           private_key: ${{ secrets.PRIVATE_KEY }}
 
-      - uses: cachix/install-nix-action@v25
+      - uses: cachix/install-nix-action@v20
         with:
           nix_path: nixpkgs=channel:nixos-unstable
 
@@ -33,48 +33,3 @@ jobs:
           pr-labels: | # Labels to be set on the PR
             dependencies
             automated
-
-  update-readme:
-    runs-on: ubuntu-latest
-    needs: update-repo
-    steps:
-      - name: Generate GitHub Apps token
-        id: generate
-        uses: tibdex/github-app-token@v1
-        with:
-          app_id: ${{ secrets.APP_ID }}
-          private_key: ${{ secrets.PRIVATE_KEY }}
-
-      - uses: actions/checkout@v4
-        if: needs.update-repo.result == 'success'
-        with:
-          fetch-depth: 2
-          ref: "update_flake_lock_action"
-          token: ${{ steps.generate.outputs.token }}
-
-      - uses: cachix/install-nix-action@v25
-        if: needs.update-repo.result == 'success'
-        with:
-          nix_path: nixpkgs=channel:nixos-unstable
-
-      - name: Update README
-        id: update-readme
-        if: needs.update-repo.result == 'success'
-        run: ./scripts/update-readme.sh
-
-      - name: Get last commit message
-        id: last-commit-message
-        if: needs.update-repo.result == 'success'
-        run: |
-          echo "msg=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT
-
-      - name: Commit README
-        id: commit
-        uses: stefanzweifel/git-auto-commit-action@v5
-        if: needs.update-repo.result == 'success'
-        with:
-          push_options: "--force"
-          commit_message: ${{ steps.last-commit-message.outputs.msg }}
-          commit_options: "--amend --no-edit"
-          skip_fetch: true
-          file_pattern: "README.md _sources/*"