From 7c60ea029602851cdeb2f3246e991fcc117195bc Mon Sep 17 00:00:00 2001
From: Matt Sturgeon
Date: Fri, 30 May 2025 22:22:44 +0100
Subject: [PATCH] ci: add 'GitHub App' TODO to update workflow

Using a GitHub App is more secure and idiomatic than using a Personal Access Token or SSH Deploy Key. See https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#triggering-further-workflow-runs and https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#authenticating-with-github-app-generated-tokens
---
 .github/workflows/update-flake.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/update-flake.yml b/.github/workflows/update-flake.yml
index 1b0d2215..b292b95d 100644
--- a/.github/workflows/update-flake.yml
+++ b/.github/workflows/update-flake.yml
@@ -17,5 +17,8 @@ jobs:
 - name: Update flake.lock
 uses: DeterminateSystems/update-flake-lock@v25
 with:
+ # NOTE: this uses the GH_TOKEN_FOR_UPDATES because pushing a flake
+ # update PR using GITHUB_TOKEN does not trigger CI.
+ # TODO: consider switching to a GitHub App
 token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
 pr-labels: dependencies
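Review bot: The added TODO above `token:` gives no pointer to how the switch would be made or why it is preferable, so the rationale and the two reference links live only in the commit message and are lost to anyone reading the workflow later. Suggest carrying that into the comment, e.g. `# TODO: consider switching to a GitHub App installation token (short-lived, scoped to this repo; see the create-pull-request "authenticating with GitHub App generated tokens" guide)`. It would also help to name the minimum permissions the secret behind GH_TOKEN_FOR_UPDATES must carry — it appears from the commit message to be a long-lived PAT or deploy key, and without that note whoever rotates it may over-provision. The enclosing job definition starts before the hunk, so the permissions the job itself declares are not visible here.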