From e22ce0f57eb5471377da3b9a5ee4ab306049c52c Mon Sep 17 00:00:00 2001 From: Drew Raines Date: Sat, 30 May 2026 21:05:10 +0000 Subject: [PATCH 1/3] fix(nix): use PR instead of direct push in nix-update-hash workflow Repository rules on main require changes via pull request. Switch from git push to peter-evans/create-pull-request@v7. --- .github/workflows/nix-update-hash.yaml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/.github/workflows/nix-update-hash.yaml b/.github/workflows/nix-update-hash.yaml index 38b34d3..ae4b907 100644 --- a/.github/workflows/nix-update-hash.yaml +++ b/.github/workflows/nix-update-hash.yaml @@ -38,11 +38,13 @@ jobs: run: | git diff --exit-code flake.nix || echo "changed=true" >> $GITHUB_OUTPUT - - name: Commit and push changes + - name: Create Pull Request if: steps.git-check.outputs.changed == 'true' - run: | - git config user.name "github-actions[bot]" - git config user.email "github-actions[bot]@users.noreply.github.com" - git add flake.nix - git commit -m "chore(nix): update vendorHash for go deps" - git push + uses: peter-evans/create-pull-request@v7 + with: + token: ${{ secrets.GITHUB_TOKEN }} + commit-message: "chore(nix): update vendorHash for go deps" + branch: "nix/update-vendorhash" + branch-suffix: timestamp + title: "chore(nix): update vendorHash for go deps" + body: "Automated vendorHash update for Go module dependency changes." From c76c6e5f7508185419575eb694bf23d698448643 Mon Sep 17 00:00:00 2001 From: Drew Raines Date: Tue, 2 Jun 2026 17:50:55 +0000 Subject: [PATCH 2/3] fix(nix): delegate to shared nix-update-hash action Replaces the inline workflow with a call to datum-cloud/actions/.github/workflows/nix-update-hash.yaml@main. --- .github/workflows/nix-update-hash.yaml | 47 ++++---------------------- 1 file changed, 7 insertions(+), 40 deletions(-) diff --git a/.github/workflows/nix-update-hash.yaml b/.github/workflows/nix-update-hash.yaml index ae4b907..f0d47e5 100644 
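Review bot: The new `uses: peter-evans/create-pull-request@v7` step is pinned to a mutable major tag while being handed a write-scoped token, so a moved or compromised tag would run arbitrary code with push rights on this repository; pin it to a full commit SHA with the version in a trailing comment, e.g. `uses: peter-evans/create-pull-request@<full-sha> # v7`. Two caveats are worth a comment on the step: pull requests opened with `secrets.GITHUB_TOKEN` do not trigger `pull_request` workflows, so the vendorHash change will not be CI-validated before merge unless a GitHub App or PAT token is used instead, and opening a PR requires `pull-requests: write`, which the job's `permissions` block (outside this hunk; it appears to grant only `contents: write` in the later removal) does not seem to include. The `jobs:` mapping and the job's `runs-on`/`permissions` keys begin above this hunk.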
--- a/.github/workflows/nix-update-hash.yaml +++ b/.github/workflows/nix-update-hash.yaml @@ -1,4 +1,5 @@ name: "nix-update-hash" + on: push: paths: @@ -6,45 +7,11 @@ on: - 'go.sum' workflow_dispatch: +permissions: + contents: write + pull-requests: write + jobs: update-hash: - runs-on: ubuntu-latest - permissions: - contents: write - steps: - - name: Checkout code - uses: actions/checkout@v6 - with: - token: ${{ secrets.GITHUB_TOKEN }} - - - name: Install Nix - uses: cachix/install-nix-action@v31 - with: - github_access_token: ${{ secrets.GITHUB_TOKEN }} - - - name: Install Go - uses: actions/setup-go@v6 - with: - go-version-file: 'go.mod' - - - name: Install Task - uses: arduino/setup-task@v2 - - - name: Update nix vendor hash - run: task nix-update-hash - - - name: Check for changes - id: git-check - run: | - git diff --exit-code flake.nix || echo "changed=true" >> $GITHUB_OUTPUT - - - name: Create Pull Request - if: steps.git-check.outputs.changed == 'true' - uses: peter-evans/create-pull-request@v7 - with: - token: ${{ secrets.GITHUB_TOKEN }} - commit-message: "chore(nix): update vendorHash for go deps" - branch: "nix/update-vendorhash" - branch-suffix: timestamp - title: "chore(nix): update vendorHash for go deps" - body: "Automated vendorHash update for Go module dependency changes." + uses: datum-cloud/actions/.github/workflows/nix-update-hash.yaml@main + secrets: inherit From 1eaf412feaea191d3b66aaa98fddb58b47841a2f Mon Sep 17 00:00:00 2001 From: Drew Raines Date: Tue, 2 Jun 2026 18:39:22 +0000 Subject: [PATCH 3/3] fix(nix): drop pull-requests permission, no longer needed --- .github/workflows/nix-update-hash.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/nix-update-hash.yaml b/.github/workflows/nix-update-hash.yaml index f0d47e5..b097eb8 100644 --- a/.github/workflows/nix-update-hash.yaml +++ b/.github/workflows/nix-update-hash.yaml @@ -9,7 +9,6 @@ on: permissions: contents: write - pull-requests: write jobs: update-hash:
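Review bot: `uses: datum-cloud/actions/.github/workflows/nix-update-hash.yaml@main` together with `secrets: inherit` hands every secret this repository can read, plus `contents: write` and `pull-requests: write`, to whatever is on that repository's `main` at run time, so anyone able to push to that branch effectively gets write access here. Pin the reusable workflow to a commit SHA (or at least an immutable release tag) with the intended version in a comment, e.g. `uses: datum-cloud/actions/.github/workflows/nix-update-hash.yaml@<full-sha> # v1`, and replace `secrets: inherit` with an explicit `secrets:` map of only what the called workflow needs — the inline version being removed used nothing beyond `GITHUB_TOKEN`, so it is worth confirming what the shared workflow actually requires. The `on: push` trigger above keeps a `paths:` filter but no `branches:` filter, so go.mod/go.sum changes on any branch will fire this and, if the shared workflow opens a PR per run, create PRs for feature-branch pushes; consider adding `branches: [main]` under `push:`. The `on:` mapping starts outside this hunk.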