dependabot: init

We now rely on a few external actions, so let's make sure to keep them
up-to-date.

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"

README.md

@@ -143,7 +143,7 @@ git push origin update_flake_lock_action --force
 ### With a Personal Authentication Token
 
 By providing a Personal Authentication Token, the PR will be submitted in a way that bypasses this limitation (GitHub will essentially think it is the owner of the PAT submitting the PR, and not an Action).
-You can create a token by visiting https://github.com/settings/tokens and select at least the `repo` scope. Then, store this token in your repository secrets (i.e. 'https://github.com/<USER>/<REPO>/settings/secrets/actions') as `GH_TOKEN_FOR_UPDATES` and set up your workflow file like the following:
+You can create a token by visiting https://github.com/settings/tokens and select at least the `repo` scope. Then, store this token in your repository secrets (i.e. `https://github.com/<USER>/<REPO>/settings/secrets/actions`) as `GH_TOKEN_FOR_UPDATES` and set up your workflow file like the following:
 
 ```yaml
 name: update-flake-lock
@@ -176,6 +176,8 @@ For the bot to produce signed commits, you will have to provide the GPG private
 
 When using commit signing, the commit author name and email for the commits produced by this bot would correspond to the ones associated to the GPG Public Key. 
 
+If you want to sign using a subkey, you must specify the subkey fingerprint using the `gpg-fingerprint` input parameter.
+
 You can find an example of how to using this action with commit signing below:
 
 ```yaml
@@ -198,6 +200,7 @@ jobs:
         with:
           sign-commits: true
           gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
+          gpg-fingerprint: ${{ secrets.GPG_FINGERPRINT }} # specify subkey fingerprint (optional)
           gpg-passphrase: ${{ secrets.GPG_PASSPHRASE }}
 ```
 

action.yml

@@ -57,6 +57,9 @@ inputs:
     description: 'GPG Private Key with which to sign the commits in the PR to be created'
     required: false
     default: ''
+  gpg-fingerprint:
+    description: 'Fingerprint of specific GPG subkey to use'
+    required: false
   gpg-passphrase:
     description: 'GPG Private Key Passphrase for the GPG Private Key with which to sign the commits in the PR to be created'
     required: false
@@ -71,9 +74,10 @@ runs:
     - name: Import bot's GPG key for signing commits
       if: ${{ inputs.sign-commits == 'true' }}
       id: import-gpg
-      uses: crazy-max/ghaction-import-gpg@v4
+      uses: crazy-max/ghaction-import-gpg@v5
       with:
         gpg_private_key: ${{ inputs.gpg-private-key }}
+        fingerprint: ${{ inputs.gpg-fingerprint }}
         passphrase: ${{ inputs.gpg-passphrase }}
         git_config_global: true
         git_user_signingkey: true
@@ -135,6 +139,12 @@ runs:
       uses: andstor/file-reader-action@v1
       with:
         path: "pr_body.txt"
+    # We need to remove the pr_body files so that the
+    # peter-evans/create-pull-request action does not commit it (the
+    # action commits all new and modified files).
+    - name: Remove PR body template files
+      shell: bash
+      run: rm -f pr_body.txt pr_body.template
     - name: Create PR
       id: create-pr
       uses: peter-evans/create-pull-request@v3

flake.lock

@@ -2,11 +2,11 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1654682581,
-        "narHash": "sha256-Jb1PQCwKgwdNAp907eR5zPzuxV+kRroA3UIxUxCMJ9s=",
+        "lastModified": 1659131907,
+        "narHash": "sha256-8bz4k18M/FuVC+EVcI4aREN2PsEKT7LGmU2orfjnpCg=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "e0169d7a9d324afebf5679551407756c77af8930",
+        "rev": "8d435fca5c561da8168abb30270788d2da2a7951",
         "type": "github"
       },
       "original": {