sops-nix/.github/workflows/update-vendor-hash.yml

name: Update vendorHash
on: pull_request
jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - uses: actions/create-github-app-token@v2
        id: app-token
        with:
          app-id: ${{ vars.CI_APP_ID }}
          private-key: ${{ secrets.CI_APP_PRIVATE_KEY }}
      - uses: actions/checkout@v5
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
          token: ${{ steps.app-token.outputs.token }}
      - name: Install Nix
        uses: cachix/install-nix-action@v31
        with:
          github_access_token: ${{ secrets.GITHUB_TOKEN }}
          nix_path: nixpkgs=channel:nixos-unstable
      - name: Update checksum
        run: |
          ./scripts/update-vendor-hash.sh
          # git push if we have a diff
          if [[ -n $(git diff) ]]; then
            git add default.nix
            git config --global user.email "<49699333+dependabot[bot]@users.noreply.github.com>"
            git config --global user.name "dependabot[bot]"
            git commit -m "update vendorHash"
            git push origin HEAD:${{ github.head_ref }}
          fi