From 0b8fe34c66ab120e344aa4c1e73a0607f6374eec Mon Sep 17 00:00:00 2001
From: Sylvain Carisey
Date: Fri, 6 Mar 2026 14:50:34 +0100
Subject: [PATCH] fix(github action): check PR isolated from writing checks and push to cachix

---
 .github/workflows/check.yml           | 26 +-----------
 .github/workflows/report-and-push.yml | 57 +++++++++++++++++++++++++++
 .github/workflows/update.yml          |  4 +-
 3 files changed, 61 insertions(+), 26 deletions(-)
 create mode 100644 .github/workflows/report-and-push.yml

diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 479e239..6bbb6b4 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -8,7 +8,7 @@ on:
       - "!main"
 
 jobs:
-  update:
+  check:
     runs-on: ubuntu-latest
     env:
       NIXPKGS_ALLOW_BROKEN: "1"
@@ -18,8 +18,7 @@ jobs:
         experimental-features = nix-command flakes
         access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
     permissions:
-      contents: write
-      checks: write
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - name: mount Nix store on larger partition
@@ -31,27 +30,6 @@ jobs:
       - uses: cachix/install-nix-action@v30
         with:
           nix_path: nixpkgs=channel:nixos-unstable
-      - uses: cachix/cachix-action@v15
-        with:
-          name: scarisey-public
-          authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
       - name: Build default package
         run: |
           nix build --accept-flake-config .#packages.x86_64-linux.default
-      - name: Generate a token
-        id: generate-token
-        uses: actions/create-github-app-token@v1
-        with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - name: Check OK
-        env:
-          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
-          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
-        run: |
-          gh api \
-            --method POST \
-            -H "Accept: application/vnd.github+json" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            /repos/scarisey/copilot-cli-flake/check-runs \
-            -f "name=check_ok" -f "head_sha=$(git rev-parse HEAD)" -f "status=completed" -f "conclusion=success"
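Review bot: The `permissions:` block now drops to `contents: read`, which is the whole point of this file, but nothing in check.yml records why it must stay unprivileged, so the next person who wants a status posted from here will put `checks: write` straight back. Above `permissions:` I would add `# Runs on every non-main branch push, so deliberately no write scopes and no secret beyond GITHUB_TOKEN; the check run and the Cachix push are emitted by report-and-push.yml via workflow_run.`. That `workflow_run` coupling is keyed on this workflow's `name:`, which is outside the hunk, so a rename would silently stop reporting — worth stating in the same comment. The `NIX_CONFIG` access-tokens line still hands GITHUB_TOKEN to Nix, which is fine at `contents: read` and is now the only token this job should ever see.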
diff --git a/.github/workflows/report-and-push.yml b/.github/workflows/report-and-push.yml
new file mode 100644
index 0000000..51d6a5e
--- /dev/null
+++ b/.github/workflows/report-and-push.yml
@@ -0,0 +1,57 @@
+name: "Report check status and push to Cachix"
+on:
+  workflow_run:
+    workflows: ["Nix flake check"]
+    types: [completed]
+
+jobs:
+  report-and-push:
+    runs-on: ubuntu-latest
+    env:
+      NIXPKGS_ALLOW_BROKEN: "1"
+      NIXPKGS_ALLOW_UNFREE: "1"
+      NIXPKGS_ALLOW_INSECURE: "1"
+      NIX_CONFIG: |
+        experimental-features = nix-command flakes
+        access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+    permissions:
+      contents: write
+      checks: write
+    steps:
+      - uses: actions/checkout@v4
+      - name: mount Nix store on larger partition
+        # on the Linux runner `/` doesn't have enough space, but there's a `/mnt` which does.
+        if: runner.os == 'Linux'
+        run: |
+          sudo mkdir /nix /mnt/nix
+          sudo mount --bind /mnt/nix /nix
+      - uses: cachix/install-nix-action@v30
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+      - uses: cachix/cachix-action@v15
+        with:
+          name: scarisey-public
+          authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
+      - name: Build default package
+        run: |
+          nix build --accept-flake-config .#packages.x86_64-linux.default
+      - name: Generate a token
+        id: generate-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - name: Check OK
+        if: github.event.workflow_run.conclusion == 'success'
+        env:
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+        run: |
+          gh api \
+            --method POST \
+            -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            /repos/scarisey/copilot-cli-flake/check-runs \
+            -f "name=check_ok" \
+            -f "head_sha=${{ github.event.workflow_run.head_sha }}" \
+            -f "status=completed" \
+            -f "conclusion=success"
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
index 341bb24..12af736 100644
--- a/.github/workflows/update.yml
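Review bot: The `actions/checkout@v4` step has no `ref:`, and under a `workflow_run` trigger that checks out the default branch, while the `Check OK` step stamps `check_ok` onto `github.event.workflow_run.head_sha`; the SHA that receives the green check is not the SHA this job built and pushed to Cachix. Only that last step is gated on `github.event.workflow_run.conclusion == 'success'`, so a red check still triggers a full build and a push to the `scarisey-public` cache. I would move the `if:` to the job and pass the head SHA to checkout, with the caveat that this is only safe while the triggering workflow fires on `push` (base-repo refs) — if check.yml ever gains a `pull_request` trigger, checking out `head_sha` here would run fork code with `CACHIX_AUTH_TOKEN` and the app private key in scope, which a comment should say explicitly. Separately, no visible step uses GITHUB_TOKEN for anything beyond the read-only Nix `access-tokens` line (the check run is posted with the app token), so `permissions` can drop to `contents: read`.

```yaml
jobs:
  report-and-push:
    # Only act on a green check; never build or push to Cachix for a failed run.
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    # … unchanged: env …
    permissions:
      # GITHUB_TOKEN only feeds Nix access-tokens; the check run goes through the app token.
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          # Build and report the commit the check actually ran on, not the default branch.
          # Safe only while check.yml runs on push (base-repo refs) — never on pull_request.
          ref: ${{ github.event.workflow_run.head_sha }}
      # … unchanged: Nix store mount, install-nix, cachix-action, build, app token, Check OK …
```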
+++ b/.github/workflows/update.yml
@@ -48,7 +48,7 @@ jobs:
         run: |
           nix develop .#devShells.x86_64-linux.updateShell --command './update.sh'
           git add versions.json package-lock.json
-          git commit -m "chore:update copilot CLI version"
+          git diff --cached --quiet || git commit -m "chore:update copilot CLI version"
       - name: Push changes to remote
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -56,4 +56,4 @@ jobs:
           git push --force --set-upstream origin ci/auto_update
           gh pr create --title "CI:Auto Update" --body "Automatic update from CI" || true
           gh pr merge --rebase --auto --delete-branch
-          gh workflow run 197522097 --ref 'ci/auto_update'
+          gh workflow run check.yml --ref 'ci/auto_update'
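Review bot: `gh workflow run check.yml --ref 'ci/auto_update'` on the new last line only succeeds if check.yml declares a `workflow_dispatch` trigger, which this diff does not show, and it is the only thing that will start the check at all, because the `git push` at the top of the hunk runs with the `GITHUB_TOKEN` from the previous hunk's `env:` and pushes made with that token do not fire `push` workflows. That deserves a comment on the line so nobody removes it as redundant: `# Pushes made with GITHUB_TOKEN don't trigger workflows; dispatch the check explicitly (check.yml needs workflow_dispatch).`. As I read it, `gh pr merge --auto` on the line above will wait for the `check_ok` run that report-and-push.yml posts, and `workflow_run` only fires from a workflow file on the default branch, so the PR that introduces that file cannot get its own check until it is merged by hand — worth noting in the PR description. Replacing the numeric workflow id with the file name is a clear readability improvement.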