ci: github-actions-dhall

.github/workflows/check.dhall

@@ -0,0 +1,38 @@
+let GithubActions =
+      https://github.com/regadas/github-actions-dhall/raw/master/package.dhall
+        sha256:9c1ae46a1d56f1c22dbc9006cbb3e569806e75d02fded38fa102935b34980395
+
+let NIX_CONFIG =
+      ''
+      accept-flake-config = true
+      extra-experimental-features = flakes nix-command
+      ''
+
+let check =
+      GithubActions.Job::{
+      , runs-on = GithubActions.RunsOn.Type.ubuntu-latest
+      , steps =
+        [ GithubActions.Step::{ uses = Some "actions/checkout@v4" }
+        , GithubActions.Step::{
+          , uses = Some "DeterminateSystems/flake-checker-action@v5"
+          }
+        , GithubActions.Step::{
+          , uses = Some "DeterminateSystems/nix-installer-action@v11"
+          }
+        , GithubActions.Step::{
+          , uses = Some "DeterminateSystems/magic-nix-cache-action@v6"
+          }
+        , GithubActions.Step::{
+          , env = Some (toMap { NIX_CONFIG })
+          , run = Some "nix flake check --show-trace"
+          }
+        ]
+      }
+
+in  GithubActions.Workflow::{
+    , name = "check"
+    , on = GithubActions.On::{
+      , push = Some GithubActions.Push::{ paths = Some [ "**.nix", "**.lock" ] }
+      }
+    , jobs = toMap { check }
+    }

.github/workflows/check.yml

@@ -1,14 +1,19 @@
-on:
-  push:
-    paths: ["**.nix", "**.lock"]
-
 jobs:
   check:
-    runs-on: ubuntu-latest
+    "runs-on": "ubuntu-latest"
-
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+    - uses: "actions/checkout@v4"
-      - uses: DeterminateSystems/flake-checker-action@4b90f9fc724969ff153fe1803460917c84fe00a3 # v5
+    - uses: "DeterminateSystems/flake-checker-action@v5"
-      - uses: DeterminateSystems/nix-installer-action@main
+    - uses: "DeterminateSystems/nix-installer-action@v11"
-      - uses: DeterminateSystems/magic-nix-cache-action@main
+    - uses: "DeterminateSystems/magic-nix-cache-action@v6"
-      - run: nix flake check --show-trace --accept-flake-config
+    - env:
+        NIX_CONFIG: |
+          accept-flake-config = true
+          extra-experimental-features = flakes nix-command
+      run: "nix flake check --show-trace"
+name: check
+'on':
+  push:
+    paths:
+    - "**.nix"
+    - "**.lock"

flake.nix

@@ -56,7 +56,7 @@
               luacheck.enable = true;
               nil.enable = true;
               nixfmt.enable = true;
-              nixfmt.package = pkgs.nixfmt-rfc-style;
+              nixfmt.package = self'.formatter;
               shellcheck.enable = true;
               stylua.enable = true;
             };
@@ -67,13 +67,18 @@
             RULES = "./home/secrets/secrets.nix";
             buildInputs =
               (with pkgs; [
+                dhall
+                dhall-lsp-server
+                dhall-yaml
                 just
                 nix-output-monitor
                 nixd
                 nvd
-                self'.formatter
               ])
-              ++ [ inputs'.agenix.packages.agenix ]
+              ++ [
+                inputs'.agenix.packages.agenix
+                self'.formatter
+              ]
               ++ lib.optionals pkgs.stdenv.isDarwin [ inputs'.darwin.packages.darwin-rebuild ];
           };
 

renovate.json

@@ -1,11 +1,23 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
+  "extends": ["config:best-practices", "schedule:weekly", ":automergeAll"],
-    "config:best-practices",
+  "github-actions": {
-    "schedule:weekly",
+    "enabled": false
-    ":automergeAll"
+  },
-  ],
   "nix": {
     "enabled": true
+  },
+  "customManagers": [
+    {
+      "customType": "regex",
+      "fileMatch": [
+        "(^|/)(workflow-templates|\\.(?:github|gitea|forgejo)/(?:workflows|actions))/.+\\.dhall$",
+        "(^|/)action\\.dhall$"
+      ],
+      "matchStrings": [
+        "GithubActions\\.Step::{[\\s,]*uses\\s?=\\s?Some\\s?\"(?<depName>.+)@(?<currentValue>.+)\""
+      ],
+      "datasourceTemplate": "github-tags"
     }
+  ]
 }