From b99a4bc4c9e00672efc4befc06d99ecec9ffbaa0 Mon Sep 17 00:00:00 2001
From: Guilhem Saurel
Date: Fri, 17 Jan 2025 15:57:15 +0100
Subject: [PATCH] CI: nix
---
 .github/dependabot.yml | 8 ++++++++
 .github/workflows/nix.yml | 24 ++++++++++++++++++++++++
 .github/workflows/update-flake-lock.yml | 19 +++++++++++++++++++
 .mergify.yml | 2 ++
 4 files changed, 53 insertions(+)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/nix.yml
 create mode 100644 .github/workflows/update-flake-lock.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..8520542
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,8 @@
+version: 2
+updates:
+- package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+
+# TODO: uv.lock not yet in https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems
diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml
new file mode 100644
index 0000000..2bdabc3
--- /dev/null
+++ b/.github/workflows/nix.yml
@@ -0,0 +1,24 @@
+name: "CI - Nix"
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ nix:
+ runs-on: "${{ matrix.os }}-latest"
+ strategy:
+ matrix:
+ os: [ubuntu, macos]
+ steps:
+ - uses: actions/checkout@v4
+ - uses: cachix/install-nix-action@v30
+ - uses: cachix/cachix-action@v15
+ with:
+ name: gepetto
+ authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+ - run: nix build -L
diff --git a/.github/workflows/update-flake-lock.yml b/.github/workflows/update-flake-lock.yml
new file mode 100644
index 0000000..c81fff8
--- /dev/null
+++ b/.github/workflows/update-flake-lock.yml
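Review bot: In .github/workflows/nix.yml the `cachix/cachix-action@v15` step receives `secrets.CACHIX_AUTH_TOKEN` on `pull_request` runs as well as on pushes to main, so a build of an unmerged branch in this repository can populate the shared `gepetto` cache (assuming the token has write access; pull requests from forks normally receive no secrets). Consider adding `skipPush: ${{ github.event_name == 'pull_request' }}` under that step's `with:` so that only reviewed code on main fills the cache. The workflow also declares no `permissions:` block; a top-level `permissions:` with `contents: read` looks sufficient for a checkout plus `nix build`.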
@@ -0,0 +1,19 @@
+name: update-flake-lock
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: '0 12 9 * *'
+
+jobs:
+ lockfile:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@main
+ - name: Update flake.lock
+ uses: DeterminateSystems/update-flake-lock@main
+ with:
+ token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
diff --git a/.mergify.yml b/.mergify.yml
index 3527dd0..96e3b9f 100644
--- a/.mergify.yml
+++ b/.mergify.yml
@@ -2,6 +2,8 @@ pull_request_rules:
 - name: merge automatically when CI passes and PR is approved
 conditions:
 - check-success = "CMake"
+ - check-success = "nix (macos)"
+ - check-success = "nix (ubuntu)"
 - check-success = "Pip"
 - check-success = "pre-commit.ci - pr"
 - or:
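Review bot: Both third-party actions in .github/workflows/update-flake-lock.yml are referenced by branch (`DeterminateSystems/nix-installer-action@main`, `DeterminateSystems/update-flake-lock@main`), and the second is handed `secrets.GH_TOKEN_FOR_UPDATES`, so whatever lands on those upstream branches runs with that token on the next scheduled run. Pin each `uses:` to a full commit SHA with the release noted in a trailing comment, e.g. `uses: DeterminateSystems/update-flake-lock@<full-commit-sha>  # <release-tag>` (placeholders); the github-actions Dependabot entry added in this same commit can then keep the pins current. The `@v4`, `@v30` and `@v15` tags in nix.yml are also mutable refs and would benefit from the same treatment, since that job receives `CACHIX_AUTH_TOKEN`. Because a separate token is supplied here, the job's default `GITHUB_TOKEN` can probably be restricted with a `permissions:` block as well; confirm against the action's documentation.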