6.NUR/.github/workflows/update.yml

name: "Update"
on:
  workflow_dispatch:
  schedule:
    # chosen by fair dice rolling
    - cron:  '40 * * * *'
  push:
    branches:
      - main
concurrency:
  group: update
  cancel-in-progress: false
jobs:
  update_nur:
    runs-on: ubuntu-latest
    # Don't trigger when the last push was done by a bot
    if: github.event_name != 'push' || !endsWith(github.actor, '[bot]')
    steps:
    - id: get_workflow_token
      uses: peter-murray/workflow-application-token-action@d17e3a9a36850ea89f35db16c1067dd2b68ee343 # v4.0.1
      with:
        application_id: '${{ secrets.GH_APPLICATION_ID }}'
        application_private_key: '${{ secrets.GH_APPLICATION_PRIVATE_KEY }}'
        permissions: "contents:write"
        revoke_token: true
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
    - uses: cachix/install-nix-action@17fe5fb4a23ad6cbbe47d6b3f359611ad276644c # v31
      with:
        nix_path: nixpkgs=channel:nixos-unstable
        extra_nix_config: |
          experimental-features = nix-command flakes
    - name: update nur / nur-combined
      run: ./ci/update-nur.sh
      env:
        API_TOKEN_GITHUB: '${{ steps.get_workflow_token.outputs.token }}'
    - name: rebase # TODO: fix upstream push-protected to retry when push fails
      run: |
        source ./ci/lib/setup-git.sh
        git fetch origin ${{ github.event.repository.default_branch }}
        git pull --rebase origin ${{ github.event.repository.default_branch }}
      env:
        GITHUB_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
    - uses: CasperWA/push-protected@74d25b8aa10e0c29024138735d32f3c0b75f9279 # v2
      with:
        token: ${{ steps.get_workflow_token.outputs.token }}
        branch: ${{ github.event.repository.default_branch }}
    - name: Dispatch NUR-combined update
      uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3
      with:
        token: ${{ steps.get_workflow_token.outputs.token }}
        repository: nix-community/nur-combined
        event-type: nur_update
    - name: Dispatch NUR-search update
      uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3
      with:
        token: ${{ steps.get_workflow_token.outputs.token }}
        repository: nix-community/nur-search
        event-type: nur_update