From af7c2967e99b3672b20c5196d21f87eecea5416a Mon Sep 17 00:00:00 2001
From: rito528 <39003544+rito528@users.noreply.github.com>
Date: Tue, 24 Mar 2026 19:18:06 +0900
Subject: [PATCH] =?UTF-8?q?fix(ci):=20update-flake-lock=20PR=20=E3=81=A7?=
 =?UTF-8?q?=20CI=20=E3=81=8C=E3=83=88=E3=83=AA=E3=82=AC=E3=83=BC=E3=81=95?=
 =?UTF-8?q?=E3=82=8C=E3=82=8B=E3=82=88=E3=81=86=20GitHub=20App=20=E3=83=88?=
 =?UTF-8?q?=E3=83=BC=E3=82=AF=E3=83=B3=E3=82=92=E4=BD=BF=E7=94=A8?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

GITHUB_TOKEN で作成した PR は GitHub の制限により後続 CI がトリガーされない。
nix-update-pr.yaml と同様に GitHub App トークンを使って PR を作成することで、
lint・integration-test・nix 等の CI チェックが正常に動作するようにする。

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .github/workflows/update-flake-lock.yaml | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/update-flake-lock.yaml b/.github/workflows/update-flake-lock.yaml
index ebf2c64..e36d0a3 100644
--- a/.github/workflows/update-flake-lock.yaml
+++ b/.github/workflows/update-flake-lock.yaml
@@ -9,15 +9,21 @@ jobs:
   update-flake-lock:
     name: Update flake.lock
     runs-on: ubuntu-24.04
-    permissions:
-      contents: write
-      pull-requests: write
     steps:
+      - uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
+        id: app-token
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
       - uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21
+
       - uses: DeterminateSystems/update-flake-lock@e80a657d7603606be0c69b117cfdc240f1e6af88
         with:
           pr-title: 'deps: update flake.lock'
           pr-labels: |
             dependencies
           path-to-flake-dir: 'nix/'
+          token: ${{ steps.app-token.outputs.token }}