feat(ci): combine all flake update operations

Author: zimbatm

.github/shared/README.md

@@ -0,0 +1,129 @@
+# Reusable Workflows
+
+This repository provides a reusable GitHub Actions workflow for automatically updating Nix flakes.
+
+## Workflow
+
+### `update-flake.yml`
+
+A unified workflow that updates both Nix packages and flake inputs in your repository.
+
+#### Features
+- Updates all packages and flake inputs in a single workflow run
+- Creates individual pull requests for each update
+- Runs updates in parallel using GitHub Actions matrix
+- Supports filtering specific packages or inputs
+- Configurable auto-merge for approved updates
+
+#### Inputs
+
+| Input | Description | Required | Default |
+|-------|-------------|----------|---------|
+| `packages` | Space-separated list of specific packages to update (empty for all) | No | `''` |
+| `inputs` | Space-separated list of specific inputs to update (empty for all) | No | `''` |
+| `update-command` | Nix command to run the package update tool | No | `'.#update-packages'` |
+| `pr-labels` | Comma-separated list of labels to add to PRs | No | `'dependencies,automated'` |
+| `auto-merge` | Enable auto-merge for created pull requests | No | `false` |
+
+#### Secrets
+
+| Secret | Description | Required |
+|--------|-------------|----------|
+| `github-token` | GitHub token for creating pull requests (GitHub App token recommended) | Yes |
+
+## Usage
+
+Create `.github/workflows/update-flake.yml`:
+
+```yaml
+name: Update Flake
+on:
+  schedule:
+    # Run daily at 2 AM UTC
+    - cron: '0 2 * * *'
+  workflow_dispatch:
+    inputs:
+      packages:
+        description: 'Specific packages to update (space-separated, empty for all)'
+        required: false
+        default: ''
+      inputs:
+        description: 'Specific flake inputs to update (space-separated, empty for all)'
+        required: false
+        default: ''
+
+jobs:
+  generate-token:
+    runs-on: ubuntu-latest
+    outputs:
+      token: ${{ steps.app-token.outputs.token }}
+    steps:
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
+  update:
+    needs: generate-token
+    uses: numtide/nix-ai-tools/.github/shared/update-flake.yml@main
+    with:
+      packages: ${{ github.event.inputs.packages }}
+      inputs: ${{ github.event.inputs.inputs }}
+      pr-labels: 'dependencies,automated'
+      auto-merge: true
+    secrets:
+      github-token: ${{ needs.generate-token.outputs.token }}
+    permissions:
+      contents: write
+      pull-requests: write
+```
+
+## Setting Up GitHub App
+
+Using a GitHub App token is recommended to ensure PR checks run properly:
+
+1. Go to Settings → Developer settings → GitHub Apps → New GitHub App
+2. Set these permissions:
+   - **Repository permissions:**
+     - Contents: Write
+     - Pull requests: Write
+     - Metadata: Read
+     - Actions: Write (if using auto-merge)
+3. Install the app on your repository
+4. Add secrets to your repository:
+   - `APP_ID`: The App ID from the app settings
+   - `APP_PRIVATE_KEY`: The private key generated for the app
+
+## Package Update Command Requirements
+
+Your update command (default: `.#update-packages`) must support:
+- `--list-only` flag that outputs a JSON array of package names
+- Accepting a package name as argument to update that specific package
+- Proper exit codes (0 for success, non-zero for failure)
+
+Example output for `--list-only`:
+```json
+["claude-code", "opencode", "gemini-cli"]
+```
+
+## How It Works
+
+1. **Discovery**: Finds all packages (via update command) and flake inputs
+2. **Matrix Build**: Creates a job matrix combining both types of updates
+3. **Parallel Updates**: Each item is updated in its own job
+4. **PR Creation**: Creates or updates pull requests with appropriate titles
+5. **Summary**: Reports the overall status of all updates
+
+## Pull Request Format
+
+**Package updates:**
+- Title: `package-name: 1.0.0 -> 1.1.0`
+- Branch: `update/package-name`
+
+**Flake input updates:**
+- Title: `flake.lock: Update input-name`
+- Branch: `update-input-name`
+
+Both types use squash merging when auto-merge is enabled.

.github/shared/create-update-pr.sh

@@ -0,0 +1,97 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Script to create or update a pull request for package/flake updates
+# Usage: create-update-pr.sh <type> <name> <current_version> <new_version>
+#   type: "package" or "flake-input"
+#   name: package name or input name
+#   current_version: current version/revision
+#   new_version: new version/revision
+
+type="$1"
+name="$2"
+current_version="$3"
+new_version="$4"
+
+# Extract optional arguments from environment
+pr_labels="${PR_LABELS:-dependencies,automated}"
+auto_merge="${AUTO_MERGE:-false}"
+
+# Handle type-specific logic
+if [ "$type" = "package" ]; then
+    branch="update/${name}"
+    pr_title="${name}: ${current_version} -> ${new_version}"
+    pr_body="Automated update of ${name} from ${current_version} to ${new_version}."
+elif [ "$type" = "flake-input" ]; then
+    branch="update-${name}"
+    pr_title="flake.lock: Update ${name}"
+    
+    pr_body="This PR updates the flake input \`${name}\` to the latest version.
+
+## Changes
+- ${name}: \`${current_version}\` → \`${new_version}\`"
+else
+    echo "Error: Unknown type '$type'. Must be 'package' or 'flake-input'."
+    exit 1
+fi
+
+# Check if branch exists on remote
+if git ls-remote --heads origin "$branch" | grep -q "$branch"; then
+    echo "Branch exists, checking out..."
+    git fetch origin "$branch"
+    git checkout "$branch"
+    git reset --hard HEAD~1  # Remove the last commit to update it
+else
+    echo "Creating new branch..."
+    git checkout -b "$branch"
+fi
+
+# Stage and commit changes
+git add .
+
+if [ "$type" = "flake-input" ]; then
+    commit_message="$pr_title
+
+${current_version} -> ${new_version}"
+else
+    commit_message="$pr_title"
+fi
+
+git commit -m "$commit_message" --signoff
+
+# Push the branch
+git push --force origin "$branch"
+
+# Check if PR already exists
+pr_number=$(gh pr list --head "$branch" --json number --jq '.[0].number // empty')
+
+if [ -n "$pr_number" ]; then
+    echo "Updating existing PR #$pr_number"
+    gh pr edit "$pr_number" \
+        --title "$pr_title" \
+        --body "$pr_body"
+else
+    echo "Creating new PR"
+    # Build label arguments
+    label_args=""
+    IFS=',' read -ra labels <<< "$pr_labels"
+    for label in "${labels[@]}"; do
+        label_args="$label_args --label \"$(echo "$label" | xargs)\""
+    done
+    
+    eval gh pr create \
+        --title "\"$pr_title\"" \
+        --body "\"$pr_body\"" \
+        --base main \
+        --head "$branch" \
+        $label_args
+    
+    # Store PR number for auto-merge
+    pr_number=$(gh pr list --head "$branch" --json number --jq '.[0].number')
+fi
+
+# Enable auto-merge if requested
+if [ "$auto_merge" = "true" ] && [ -n "$pr_number" ]; then
+    echo "Enabling auto-merge for PR #$pr_number"
+    gh pr merge "$pr_number" --auto --squash || echo "Note: Auto-merge may require branch protection rules"
+fi