ci: keep dependencies up to date using latest versions with automation magic (#22)

Author: zimeg

.github/workflows/dependencies.yml

@@ -0,0 +1,150 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+name: Update dependencies
+on:
+  pull_request:
+  schedule:
+    - cron: "11 11 * * *"
+  workflow_dispatch:
+jobs:
+  dependabot:
+    name: Merge automatic pull requests
+    if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    timeout-minutes: 12
+    permissions:
+      actions: write
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Collect update metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # v2.4.0
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+      - name: Checkout this repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: "0"
+          persist-credentials: true
+          ref: ${{ github.head_ref }}
+      - name: Configure git credentials
+        run: |
+          git config user.name 'github-actions[bot]'
+          git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
+      - name: Install a flaked Nix
+        uses: DeterminateSystems/nix-installer-action@21a544727d0c62386e78b4befe52d19ad12692e3 # v17
+      - name: Start the tests
+        run: |
+          gh api \
+            --method POST \
+            -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            "/repos/$REPO/actions/workflows/test.yml/dispatches" \
+             -f "ref=$REF"
+        env:
+          GH_TOKEN: ${{ github.token }}
+          REF: ${{ github.head_ref }}
+          REPO: ${{ github.repository }}
+      - name: Wait for tests to succeed
+        uses: lewagon/wait-on-check-action@ccfb013c15c8afb7bf2b7c028fb74dc5a068cccc # v1.3.4
+        with:
+          allowed-conclusions: success
+          check-name: "Report"
+          ref: ${{ github.head_ref }}
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          wait-interval: 10
+      - name: Merge requests from the kind dependabot
+        if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+      - name: Perform more tests
+        run: |
+          gh api \
+            --method POST \
+            -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            "/repos/$REPO/actions/workflows/test.yml/dispatches" \
+             -f "ref=main"
+        env:
+          GH_TOKEN: ${{ github.token }}
+          REPO: ${{ github.repository }}
+  flake:
+    name: Freeze the latest lockfile
+    if: github.event_name != 'pull_request'
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      contents: write
+    steps:
+      - name: Checkout this repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: true
+          ref: main
+      - name: Configure git credentials
+        run: |
+          git config user.name 'github-actions[bot]'
+          git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
+      - name: Install a flaked Nix
+        uses: DeterminateSystems/nix-installer-action@21a544727d0c62386e78b4befe52d19ad12692e3 # v17
+      - name: Checkout an update
+        run: |
+          git checkout -b update
+      - name: Update to the latest
+        run: |
+          nix flake update
+      - name: Check for changes
+        id: diff
+        run: |
+          if ! git diff --quiet; then
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+          fi
+      - name: Save the flake locks
+        if: steps.diff.outputs.changed == 'true'
+        run: |
+          git commit --all --message "chore(deps): automatic version bump to the most recent packages"
+          git push -u origin update
+      - name: Start the tests
+        if: steps.diff.outputs.changed == 'true'
+        run: |
+          gh api \
+            --method POST \
+            -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            "/repos/$REPO/actions/workflows/test.yml/dispatches" \
+             -f "ref=update"
+        env:
+          GH_TOKEN: ${{ github.token }}
+          REPO: ${{ github.repository }}
+      - name: Wait for tests to succeed
+        if: steps.diff.outputs.changed == 'true'
+        uses: lewagon/wait-on-check-action@ccfb013c15c8afb7bf2b7c028fb74dc5a068cccc # v1.3.4
+        with:
+          allowed-conclusions: success
+          check-name: "Report"
+          ref: update
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          wait-interval: 10
+      - name: Save changed version
+        if: steps.diff.outputs.changed == 'true'
+        run: |
+          git checkout main
+          git merge update
+          git push -u origin main
+          git push origin --delete update
+      - name: Confirm the tests
+        if: steps.diff.outputs.changed == 'true'
+        run: |
+          gh api \
+            --method POST \
+            -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            "/repos/$REPO/actions/workflows/test.yml/dispatches" \
+             -f "ref=main"
+        env:
+          GH_TOKEN: ${{ github.token }}
+          REPO: ${{ github.repository }}

CHANGELOG.md

@@ -10,6 +10,7 @@ to [Semantic Versioning][semver].
 ### Maintenance
 
 - Use minimum sets of permission and pinned external workflow step actions.
+- Keep dependencies up to date using latest versions with automation magic.
 
 ## [0.2.1] - 2025-05-13