From 9225aa1808a6b682ad6aa8eef1b0d0a720f309a0 Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Sun, 18 May 2025 17:01:44 -0400
Subject: [PATCH 1/5] ci: experiment with reusable pinact

Signed-off-by: William Woodruff
---
 .github/workflows/pinact-reusable.yml | 70 +++++++++++++++++++++++++++
 .github/workflows/pinact.yml | 19 ++++++++
 2 files changed, 89 insertions(+)
 create mode 100644 .github/workflows/pinact-reusable.yml
 create mode 100644 .github/workflows/pinact.yml

diff --git a/.github/workflows/pinact-reusable.yml b/.github/workflows/pinact-reusable.yml
new file mode 100644
index 0000000..9536479
--- /dev/null
+++ b/.github/workflows/pinact-reusable.yml
@@ -0,0 +1,70 @@
+name: Update use pins with pinact (reusable)
+
+on:
+ workflow_call:
+ inputs:
+ inputs:
+ description: 'Space-separated input paths for pinact'
+ required: false
+ default: ""
+ type: string
+ dry-run:
+ description: 'Perform a dry run (do not create a PR)'
+ required: false
+ default: false
+ type: boolean
+ reviewers:
+ description: 'GitHub reviewers'
+ required: false
+ default: "woodruffw"
+ type: string
+ secrets:
+ GITHUB_TOKEN:
+ description: 'The GitHub token to use'
+ required: true
+
+# calling workflow sets permissions.
+permissions: {}
+
+jobs:
+ pinact:
+ # NOTE: Intentionally runs on macOS to obtain pinact via brew.
+ runs-on: macos-latest
+
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
+
+ - name: install pinact
+ run: brew install pinact
+
+ - name: run pinact
+ run: |
+ if [ -z "${PINACT_INPUTS}" ]; then
+ pinact run --update
+ else
+ pinact run --update "${PINACT_INPUTS}"
+ fi
+ env:
+ PINACT_INPUTS: ${{ inputs.inputs }}
+
+ - name: create PR
+ uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+ if: ${{ !inputs.dry-run }}
+ with:
+ commit-message: "[BOT] pinact: update use pins"
+ branch: pinact-bump
+ branch-suffix: timestamp
+ title: "[BOT] pinact: update use pins"
+ body: |
+ :robot: :warning: :robot:
+
+ This is an automated pull request. It uses [`pinact`]
+ to update the use pins in this repository.
+
+ Please review manually before merging.
+
+ [`pinact`]: https://github.com/suzuki-shunsuke/pinact
+ assignees: ${{ inputs.reviewers }}
+ reviewers: ${{ inputs.reviewers }}
diff --git a/.github/workflows/pinact.yml b/.github/workflows/pinact.yml
new file mode 100644
index 0000000..67ba97b
--- /dev/null
+++ b/.github/workflows/pinact.yml
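Review bot: The `install pinact` step runs `brew install pinact` with no version pin or integrity check, so the tool that rewrites every `uses:` pin floats with whatever Homebrew serves on the day of the run. That makes it the one unpinned dependency in a workflow that pins its own actions by SHA, and its output lands in a PR where a changed 40-character hash is hard to verify by eye. Consider installing a fixed pinact release and verifying its checksum before use, and recording the installed version in the PR body so a reviewer can tell which binary produced the diff; a comment such as `# TODO: pin pinact version; brew installs latest` on the step would at least document the gap. Keeping `persist-credentials: false` on the checkout is worth preserving, since it keeps the token off disk during the install and run steps.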
@@ -0,0 +1,19 @@
+name: Update use pins with pinact
+
+on:
+ schedule:
+ - cron: "0 16 * * *"
+ workflow_dispatch:
+
+permissions: {}
+
+jobs:
+ call-pinact:
+ permissions:
+ contents: write # for branch creation
+ pull-requests: write # for pull request creation
+ uses: ./.github/workflows/pinact-reusable.yml
+ with:
+ inputs: .github/workflows/
+ secrets:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

From 5878475330852c71f9aa3442ccabc1ccaca494dd Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Sun, 18 May 2025 17:03:52 -0400
Subject: [PATCH 2/5] fix reusable workflow secret

Signed-off-by: William Woodruff
---
 .github/workflows/pinact-reusable.yml | 3 ++-
 .github/workflows/pinact.yml | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/pinact-reusable.yml b/.github/workflows/pinact-reusable.yml
index 9536479..3e636d6 100644
--- a/.github/workflows/pinact-reusable.yml
+++ b/.github/workflows/pinact-reusable.yml
@@ -19,7 +19,7 @@ on:
 default: "woodruffw"
 type: string
 secrets:
- GITHUB_TOKEN:
+ GH_TOKEN:
 description: 'The GitHub token to use'
 required: true
 
@@ -68,3 +68,4 @@ jobs:
 [`pinact`]: https://github.com/suzuki-shunsuke/pinact
 assignees: ${{ inputs.reviewers }}
 reviewers: ${{ inputs.reviewers }}
+ token: ${{ secrets.GH_TOKEN }}
diff --git a/.github/workflows/pinact.yml b/.github/workflows/pinact.yml
index 67ba97b..d2bd4f0 100644
--- a/.github/workflows/pinact.yml
+++ b/.github/workflows/pinact.yml
@@ -16,4 +16,4 @@ jobs:
 with:
 inputs: .github/workflows/
 secrets:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

From 5ac90423a9510ca3ea159b5e6feb614d9b59cf0a Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Sun, 18 May 2025 17:04:56 -0400
Subject: [PATCH 3/5] testing

Signed-off-by: William Woodruff
---
 .github/workflows/pinact.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/pinact.yml b/.github/workflows/pinact.yml
index d2bd4f0..2b28271 100644
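Review bot: In the PATCH 1/5 hunk for `.github/workflows/pinact.yml`, the token passed down is the repository's `secrets.GITHUB_TOKEN`, which GitHub does not allow to push commits that create or modify files under `.github/workflows/`, whatever `contents: write` grants. Since pinact edits exactly those files, the branch push in the `create PR` step is likely to be rejected, and pull requests opened with this token also do not trigger other workflows, so a bump would arrive without CI results. The same value is kept in the PATCH 2/5 hunk (`GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}`). If this is meant to run unattended, pass a dedicated secret holding a GitHub App installation token or fine-grained PAT limited to this repository with only contents, pull-requests and workflows write, and document it above the `secrets:` key, e.g. `# needs workflow-file write; GITHUB_TOKEN cannot update .github/workflows/`.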
--- a/.github/workflows/pinact.yml
+++ b/.github/workflows/pinact.yml
@@ -4,6 +4,7 @@ on:
 schedule:
 - cron: "0 16 * * *"
 workflow_dispatch:
+ pull_request:
 
 permissions: {}
 

From 489ee836a2a841d31ce2638b13bb6b1d6cbfc7af Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Sun, 18 May 2025 17:08:55 -0400
Subject: [PATCH 4/5] experimenting

Signed-off-by: William Woodruff
---
 .github/workflows/pinact-reusable.yml | 14 +++++++-------
 .github/workflows/pinact.yml | 2 --
 2 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/pinact-reusable.yml b/.github/workflows/pinact-reusable.yml
index 3e636d6..3042de0 100644
--- a/.github/workflows/pinact-reusable.yml
+++ b/.github/workflows/pinact-reusable.yml
@@ -3,8 +3,8 @@ name: Update use pins with pinact (reusable)
 on:
 workflow_call:
 inputs:
- inputs:
- description: 'Space-separated input paths for pinact'
+ extra-inputs:
+ description: 'Additional space-separated input paths for pinact'
 required: false
 default: ""
 type: string
@@ -41,13 +41,13 @@ jobs:
 
 - name: run pinact
 run: |
- if [ -z "${PINACT_INPUTS}" ]; then
- pinact run --update
- else
- pinact run --update "${PINACT_INPUTS}"
+ pinact run --update
+
+ if [ -n "${PINACT_EXTRA_INPUTS}" ]; then
+ pinact run --update "${PINACT_EXTRA_INPUTS}"
 fi
 env:
- PINACT_INPUTS: ${{ inputs.inputs }}
+ PINACT_EXTRA_INPUTS: ${{ inputs.extra-inputs }}
 
 - name: create PR
 uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
diff --git a/.github/workflows/pinact.yml b/.github/workflows/pinact.yml
index 2b28271..f85bab7 100644
--- a/.github/workflows/pinact.yml
+++ b/.github/workflows/pinact.yml
@@ -14,7 +14,5 @@ jobs:
 contents: write # for branch creation
 pull-requests: write # for pull request creation
 uses: ./.github/workflows/pinact-reusable.yml
- with:
- inputs: .github/workflows/
 secrets:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

From 827fbcda9ee475e1434536a090228a8219d80b9f Mon Sep 17 00:00:00 2001
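Review bot: In the PATCH 4/5 `run pinact` hunk of `pinact-reusable.yml`, `pinact run --update "${PINACT_EXTRA_INPUTS}"` passes the whole input as one argument, although `extra-inputs` is described as space-separated paths, so two paths would be looked up as a single file name containing a space. Splitting into an array keeps the quoting safe while honouring the description: `read -r -a extra <<< "${PINACT_EXTRA_INPUTS}"` followed by `pinact run --update "${extra[@]}"`. The original form in PATCH 1/5 behaved the same way with `PINACT_INPUTS`. Passing the value through `env:` rather than interpolating `${{ inputs.extra-inputs }}` into the script avoids template injection and should stay; the step's enclosing job definition lies outside this hunk.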
From: William Woodruff
Date: Sun, 18 May 2025 17:09:55 -0400
Subject: [PATCH 5/5] drop PR trigger

Signed-off-by: William Woodruff
---
 .github/workflows/pinact.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/pinact.yml b/.github/workflows/pinact.yml
index f85bab7..388aacf 100644
--- a/.github/workflows/pinact.yml
+++ b/.github/workflows/pinact.yml
@@ -4,7 +4,6 @@ on:
 schedule:
 - cron: "0 16 * * *"
 workflow_dispatch:
- pull_request:
 
 permissions: {}