From 7eee32d2b2bdbc98afb758e55070aa0177d84a08 Mon Sep 17 00:00:00 2001
From: Yvan Sraka
Date: Mon, 19 Jan 2026 17:12:48 +0100
Subject: [PATCH 1/2] feat: create monthly flake inputs update workflow
---
 .github/workflows/update-flake-lock.yml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 .github/workflows/update-flake-lock.yml
diff --git a/.github/workflows/update-flake-lock.yml b/.github/workflows/update-flake-lock.yml
new file mode 100644
index 000000000..596d4213f
--- /dev/null
+++ b/.github/workflows/update-flake-lock.yml
@@ -0,0 +1,24 @@
+name: Update Flake Lock
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: '0 0 1 * *'
+
+jobs:
+ update-flake-lock:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Install Nix
+ uses: ./.github/actions/nix-install-ephemeral
+
+ - name: Update flake.lock
+ uses: Mic92/update-flake-inputs@main
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ pr-labels: |
+ dependencies
+ automated
From 662e731dec264730b536e35f7be391eda4847751 Mon Sep 17 00:00:00 2001
From: Etienne Stalmans
Date: Thu, 29 Jan 2026 09:47:38 +0100
Subject: [PATCH 2/2] chore: gh app and pin versions
---
 .github/workflows/update-flake-lock.yml | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/update-flake-lock.yml b/.github/workflows/update-flake-lock.yml
index 596d4213f..b8063bf2a 100644
--- a/.github/workflows/update-flake-lock.yml
+++ b/.github/workflows/update-flake-lock.yml
@@ -8,17 +8,26 @@ on:
 jobs:
 update-flake-lock:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

 - name: Install Nix
 uses: ./.github/actions/nix-install-ephemeral

+ - name: Generate GitHub App Token
+ id: app-token
+ uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
+ with:
+ app-id: ${{ secrets.FLAKE_UPDATE_APP_ID }}
+ private-key: ${{ secrets.FLAKE_UPDATE_PRIVATE_KEY }}
+
 - name: Update flake.lock
- uses: Mic92/update-flake-inputs@main
+ uses: Mic92/update-flake-inputs@73cb58f118541b956f5a061d12838ef1dd997867 # v1.0.3
 with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
+ github-token: ${{ steps.app-token.outputs.token }}
 pr-labels: |
 dependencies
 automated
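Review bot: The token minted in the `Generate GitHub App Token` step is requested without any scoping, so the value handed to the third-party `Mic92/update-flake-inputs` step as `github-token` by default carries every permission the App installation holds; the job-level `contents: read` only restricts `GITHUB_TOKEN`, not this token. If the pinned create-github-app-token release supports the `permission-*` inputs, add `permission-contents: write` and `permission-pull-requests: write` under that step's `with:` (presumably all the update needs — confirm against what the action does for labels); otherwise trim the App's own installation permissions to the same set. Separately, the `Checkout repository` step leaves credential persistence at its default, so a `with:` carrying `persist-credentials: false` would keep the workflow token out of `.git/config` before the Nix install and update steps run, assuming update-flake-inputs authenticates its pushes through `github-token`, which the hunk does not show. A one-line comment above the App-token step saying why an App token replaces `GITHUB_TOKEN` would also help the next maintainer.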