feat(workflows): add reusable _dispatch-flake-consumers workflow #21
Merged
Centralises the flake-consumer dispatch sender so every upstream repo that needs to notify downstream consumers on a release (or flake.lock push) can use a ~9-line caller instead of duplicating the full 41-line token-mint + matrix-dispatch job.

Mirrors the conventions of the sibling _update-flake-input.yml:
- @v3 create-github-app-token, vars.GH_APP_CLIENT_ID / GH_APP_PRIVATE_KEY
- env-var injection guards on all run: steps
- permissions: {} at top level, contents:read at job level
- uses ${GITHUB_REPOSITORY_OWNER} instead of a hardcoded org name

vars.DISPATCH_CONSUMERS and vars.GH_APP_CLIENT_ID resolve in the caller's context (workflow_call inherits caller vars), so they are read directly inside this workflow without input plumbing. GH_APP_PRIVATE_KEY is forwarded via `secrets: inherit` in each caller.

The source_input default (${{ github.event.repository.name }}) resolves to the caller repo name, so callers typically need no `with:` block.

Unblocks: dryvist/nix-claude-code#44, dryvist/nix-ai#869

Assisted-by: Claude:claude-opus-4-8
This was referenced Jun 2, 2026

JacobPEvans-personal added a commit to dryvist/nix-claude-code that referenced this pull request Jun 2, 2026
* feat(ci): dispatch lock-update event to nix-ai on release

  After a nix-claude-code release is published, notify dryvist/nix-ai via repository_dispatch so it bumps its nix-claude-code flake input without waiting for the next Renovate lockFileMaintenance window (~Mon/Thu). The dispatch uses the GitHub App token scoped to nix-ai. nix-ai's own update-flake-input receiver and dispatch-to-nix-darwin workflows complete the two-hop propagation chain.

  Assisted-by: Claude:claude-opus-4-8

* refactor(ci): slim dispatch-lock-updates to thin workflow_call caller

  Replace the 41-line inline job with a 3-line call to the new reusable workflow in dryvist/.github. All logic (matrix fan-out, App-token mint, cross-repo dispatch) now lives in one place.

  Depends on: dryvist/.github adding _dispatch-flake-consumers.yml@main

  Refs: dryvist/.github#21

  Assisted-by: Claude:claude-opus-4-8
JacobPEvans-personal added a commit to dryvist/nix-ai that referenced this pull request Jun 2, 2026
* feat(ci): event-driven flake input updates

  Two new workflows completing the nix-claude-code → nix-ai → nix-darwin lock-propagation chain:

  update-flake-input.yml: listens for repository_dispatch from nix-claude-code (or any dryvist upstream), calls the shared _update-flake-input reusable workflow in dryvist/.github to bump the specified input and open an auto-merged PR. Also available as workflow_dispatch for manual bumps.

  dispatch-to-nix-darwin.yml: fires on any flake.lock push to main, notifying dryvist/nix-darwin to bump its nix-ai input. Completes the second hop.

  Assisted-by: Claude:claude-opus-4-8

* refactor(ci): slim dispatch-to-nix-darwin to thin workflow_call caller

  Replace the 41-line inline job with a 3-line call to the new reusable workflow in dryvist/.github. Also normalises the previously missing permission-contents:write on the App token (now enforced centrally).

  Depends on: dryvist/.github adding _dispatch-flake-consumers.yml@main

  Refs: dryvist/.github#21

  Assisted-by: Claude:claude-opus-4-8
Summary
- `_dispatch-flake-consumers.yml` — a reusable `workflow_call` workflow that encapsulates the matrix fan-out, App-token mint, and cross-repo `repository_dispatch` call that every upstream flake-release sender needs
- `uses:` caller; all logic lives here
- `_update-flake-input.yml` conventions: `@v3` `create-github-app-token`, `vars.GH_APP_CLIENT_ID` / `GH_APP_PRIVATE_KEY`, env-var injection guards, `permissions: {}` + job-level `contents: read`
- `${GITHUB_REPOSITORY_OWNER}` instead of a hardcoded `dryvist`
- `source_input` defaults to `github.event.repository.name` so callers need no `with:` block
- `permission-contents: write` is now enforced centrally (nix-ai's sender was previously omitting it)

Context
Part of the event-driven flake-lock propagation chain:
The receiver side was already centralized via `_update-flake-input.yml` (#20). This PR does the same for the sender side.

Must merge before the caller PRs:
Test Plan
- `zizmor` passes (min-privilege: `permissions: {}` top-level, `contents: read` at job, scoped App token with `permission-contents: write` only for the target repo)
- `@main`

🤖 Generated with Claude Code
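
The `permissions: {}` and env-var injection guard conventions named in the description above, as a simplified line-based check run over two constructed workflow fragments. This is an added example, not code from this PR or from zizmor; the `consumer` matrix key and the `flake-input-update` event type are assumed names.

```python
import re
# Constructed workflow fragments (not the PR's file; event_type is hypothetical).
UNGUARDED = """\
permissions:
  contents: write
jobs:
  dispatch:
    runs-on: ubuntu-latest
    steps:
      - run: |
          gh api "repos/${{ github.repository_owner }}/${{ matrix.consumer }}/dispatches" \\
            -f event_type=flake-input-update
"""
GUARDED = """\
permissions: {}
jobs:
  dispatch:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - env:
          CONSUMER: ${{ matrix.consumer }}
        run: |
          gh api "repos/${GITHUB_REPOSITORY_OWNER}/${CONSUMER}/dispatches" \\
            -f event_type=flake-input-update
"""
RUN_KEY = re.compile(r"^(\s*)(- )?run:\s*(.*)$")

def audit(workflow: str) -> list[str]:
    """Return findings for the two conventions; an empty list means clean."""
    lines, findings = workflow.splitlines(), []
    # Convention 1: the top level drops every GITHUB_TOKEN scope.
    if not any(re.fullmatch(r"permissions:\s*\{\}\s*", l) for l in lines):
        findings.append("top-level permissions is not {}")
    # Convention 2: no ${{ }} expression inside a run: script body.
    run_col = None  # column of the active run: key, None outside a script
    for n, line in enumerate(lines, 1):
        m = RUN_KEY.match(line)
        indent = len(line) - len(line.lstrip())
        if m:
            run_col = len(m.group(1)) + len(m.group(2) or "")
            body = m.group(3)
        elif run_col is not None and (not line.strip() or indent > run_col):
            body = line
        else:
            run_col, body = None, ""
        if "${{" in body:
            findings.append(f"line {n}: expression interpolated into run: script")
    return findings
```

In the guarded fragment the expression is expanded into `env:` by the runner and reaches the shell only as a quoted variable, so a consumer name containing shell metacharacters cannot alter the script text.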