From c15cf47b9b1a6a12abc0f1b9d8ab55d40b825f88 Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali <atif@coder.com>
Date: Tue, 30 Jul 2024 10:59:46 +0300
Subject: [PATCH 1/3] ci: improve `update-flake` job to handle retriggering ci
 and human authors

Improves #14046
Solved the CI stuck issue exhibited in
- #14039
- #14040
- #14041
- #14044
---
 .github/workflows/ci.yaml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 899a09293d197..bdfaffa4d9f7f 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -121,14 +121,12 @@ jobs:
     needs: changes
     if: needs.changes.outputs.gomod == 'true'
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
-    permissions:
-      # Give the default GITHUB_TOKEN write permission to commit and push the changed files back to the repository.
-      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 1
+          token: ${{ secrets.CDRCI_GITHUB_TOKEN }}
 
       - name: Setup Go
         uses: ./.github/actions/setup-go
@@ -136,11 +134,18 @@ jobs:
       - name: Update Nix Flake SRI Hash
         run: ./scripts/update-flake.sh
 
+        # auto update flake for dependabot
       - uses: stefanzweifel/git-auto-commit-action@v5
+        if: github.actor == 'dependabot[bot]'
         with:
           # Allows dependabot to still rebase!
           commit_message: "[dependabot skip] Update Nix Flake SRI Hash"
 
+        # check for other PRs
+      - name: Ensure No Changes
+        if: github.actor != 'dependabot[bot]'
+        run: git diff --exit-code
+
   lint:
     needs: changes
     if: needs.changes.outputs.offlinedocs-only == 'false' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'

From 547ffa692cf29248d799e216c20c025582bbaba4 Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali <atif@coder.com>
Date: Wed, 31 Jul 2024 19:02:57 +0300
Subject: [PATCH 2/3] Update .github/workflows/ci.yaml

Co-authored-by: Dean Sheather <dean@deansheather.com>
---
 .github/workflows/ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index bdfaffa4d9f7f..d65188467bd9a 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -141,7 +141,7 @@ jobs:
           # Allows dependabot to still rebase!
           commit_message: "[dependabot skip] Update Nix Flake SRI Hash"
 
-        # check for other PRs
+      # require everyone else to update it themselves
       - name: Ensure No Changes
         if: github.actor != 'dependabot[bot]'
         run: git diff --exit-code

From 233a42ece8d694108d33b315d7a94dc3e957a9b9 Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali <atif@coder.com>
Date: Wed, 31 Jul 2024 19:03:09 +0300
Subject: [PATCH 3/3] Update .github/workflows/ci.yaml

Co-authored-by: Dean Sheather <dean@deansheather.com>
---
 .github/workflows/ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index d65188467bd9a..acc71ab129b74 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -134,7 +134,7 @@ jobs:
       - name: Update Nix Flake SRI Hash
         run: ./scripts/update-flake.sh
 
-        # auto update flake for dependabot
+      # auto update flake for dependabot
       - uses: stefanzweifel/git-auto-commit-action@v5
         if: github.actor == 'dependabot[bot]'
         with: