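# Recomputes the Nix package hash on Dependabot pull requests and pushes the
# fix back to the PR branch, so Go dependency bumps do not leave the flake
# with a stale hash.
name: Update Nix Package Hash On Dependabot PRs

on:
  pull_request:
    types: [opened, synchronize]
    branches:
      - main

jobs:
  nix-update:
    # This job holds a write-capable token, so gate it on more than the actor.
    # github.actor is the account that triggered this run, which is not
    # necessarily the PR author. Also require that Dependabot opened the PR
    # and that the head branch lives in this repository, because the checkout
    # below resolves github.head_ref as a branch of this repository.
    if: >-
      github.actor == 'dependabot[bot]' &&
      github.event.pull_request.user.login == 'dependabot[bot]' &&
      github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    # Least privilege: only the scope needed to push the hash-fix commit.
    permissions:
      contents: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          # Check out the PR branch itself (not the merge ref) so the later
          # `git push` updates the pull request.
          ref: ${{ github.head_ref }}
          # actions/checkout keeps this token available to later git commands
          # by default; the final `git push` relies on that. It also means
          # every later step runs next to a write-capable credential.
          token: ${{ secrets.GITHUB_TOKEN }}

      # NOTE(review): `@main` is a mutable ref. Whatever that branch points to
      # at run time executes in a job with `contents: write`. Pin this action
      # to a reviewed full commit SHA and let Dependabot bump it.
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@main

      # NOTE(review): `nixpkgs#nix-update` is resolved through the flake
      # registry at run time, so the tool revision is not fixed by this
      # workflow. Consider referencing a pinned nixpkgs revision (for example
      # the one locked by this repository's flake, if it has one).
      - name: Run nix-update
        run: |
          nix run nixpkgs#nix-update -- --flake pangolin-newt --no-src --version skip

      # `git diff --quiet` exits non-zero when tracked files have unstaged
      # modifications; untracked files are not considered.
      - name: Check for changes
        id: changes
        run: |
          if git diff --quiet; then
            echo "changed=false" >> "$GITHUB_OUTPUT"
          else
            echo "changed=true" >> "$GITHUB_OUTPUT"
          fi

      # Commits pushed with GITHUB_TOKEN do not start new workflow runs, so
      # this push will not re-trigger this workflow. For the same reason,
      # other pull_request checks will not re-run on the fix-up commit.
      - name: Commit and push changes
        if: steps.changes.outputs.changed == 'true'
        run: |
          git config user.name "dependabot[bot]"
          git config user.email "dependabot[bot]@users.noreply.github.com"
          # Stage only modifications to tracked files. That matches what the
          # change check detected and keeps untracked files left in the
          # workspace by earlier steps out of the commit.
          git add --update
          git commit -m "chore(nix): fix hash for updated go dependencies"
          git push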