From 503116ee8abef7b915b74ae6a26212beb5886f69 Mon Sep 17 00:00:00 2001
From: "Luke W. Johnston"
Date: Mon, 28 Jul 2025 19:03:22 +0200
Subject: [PATCH 1/2] feat: :sparkles: workflow to check for updates and make a PR with them
---
.../workflows/update-from-template.yml | 58 +++++++++++++++++++
1 file changed, 58 insertions(+)
create mode 100644 template/.github/workflows/update-from-template.yml
diff --git a/template/.github/workflows/update-from-template.yml b/template/.github/workflows/update-from-template.yml
new file mode 100644
index 0000000..53a4bd4
--- /dev/null
+++ b/template/.github/workflows/update-from-template.yml
@@ -0,0 +1,58 @@
+name: Update from template
+
+on:
+ workflow_dispatch:
+ schedule:
+ # Every day at 3:30 at night.
+ - cron: '30 3 * * *'
+
+# Limit token permissions for security
+permissions: read-all
+
+jobs:
+ update-from-template:
+ runs-on: ubuntu-latest
+ # This job outputs env variables `previous_version` and `current_version`.
+ # Only give permissions for this job.
+ permissions:
+ contents: write
+ pull-requests: write
+ steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
+ - name: Check out repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+ - name: Install Python
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+ with:
+ python-version: "3.13"
+
+ - name: Install dependencies
+ run: |
+ sudo apt install pipx
+ pipx ensurepath
+ pipx install uv rust-just copier
+
+ - name: Set User
+ run: |
+ git config user.name "github-actions[bot]"
+ git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+ - name: Pull request with updates from template
+ run: |
+ copier update --trust --defaults --overwrite
+ any_changes=$(git status --porcelain=v1 2>/dev/null | wc -l)
+ if [ "$any_changes" -eq 0 ]; then
+ echo "No updates from the template detected, and no changes found. Stopping and exiting."
+ exit 0
+ fi
+ git checkout -b chore/update-from-template
+ git add .
+ git commit -m "chore(sync): :hammer: update changes from template"
+ gh pr create \
+ --title "chore(sync): :hammer: update changes from template" \
+ --body "This PR is automatically generated by the 'update-from-template' workflow. It syncs the latest changes from the template repository with this repository."
From 45fac254626ea135e6588e22ca5831db15175929 Mon Sep 17 00:00:00 2001
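Review bot: The `gh pr create` call at the end of the last `run:` step has no token, because `gh` inside Actions only authenticates through the `GH_TOKEN` environment variable and exits with an error when it is unset; give that step `env:` with `GH_TOKEN: ${{ github.token }}`. The same script commits on `chore/update-from-template` but never pushes the branch, so add `git push -u origin chore/update-from-template` before `gh pr create` instead of relying on gh to push non-interactively, and keep in mind that the push needs `contents: write` on the token, which patch 2/2 of this series removes. `copier update --trust` runs the template's tasks and migrations on the runner with that same token, so the template repository is a trusted code source here and deserves a comment saying so, and `pipx install uv rust-just copier` should pin versions so the nightly run does not execute whatever PyPI happens to serve at 03:30. A PR opened with `GITHUB_TOKEN` does not trigger other workflows, so CI will not run on these sync PRs unless a PAT or GitHub App token is used instead. On a smaller point, `sudo apt install pipx` has no `-y`, so it aborts if apt ever needs to confirm anything.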
From: "Luke W. Johnston"
Date: Mon, 28 Jul 2025 19:13:42 +0200
Subject: [PATCH 2/2] refactor: :recycle: don't actually need the `content: write` permissions
---
template/.github/workflows/update-from-template.yml | 3 ---
1 file changed, 3 deletions(-)
diff --git a/template/.github/workflows/update-from-template.yml b/template/.github/workflows/update-from-template.yml
index 53a4bd4..58b216f 100644
--- a/template/.github/workflows/update-from-template.yml
+++ b/template/.github/workflows/update-from-template.yml
@@ -12,10 +12,7 @@ permissions: read-all jobs: update-from-template: runs-on: ubuntu-latest - # This job outputs env variables `previous_version` and `current_version`. - # Only give permissions for this job. permissions: - contents: write pull-requests: write steps: - name: Harden the runner (Audit all outbound calls)