@@ -121,28 +121,32 @@ jobs:
121121needs :changes
122122if :needs.changes.outputs.gomod == 'true'
123123runs-on :${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
124- permissions :
125- # Give the default GITHUB_TOKEN write permission to commit and push the changed files back to the repository.
126- contents :write
127124steps :
128125 -name :Checkout
129126uses :actions/checkout@v4
130127with :
131128fetch-depth :1
132129# See: https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#commits-made-by-this-action-do-not-trigger-new-workflow-runs
133- token :${{ secrets.GITHUB_TOKEN }}
130+ token :${{ secrets.CDRCI_GITHUB_TOKEN }}
134131
135132 -name :Setup Go
136133uses :./.github/actions/setup-go
137134
138135 -name :Update Nix Flake SRI Hash
139136run :./scripts/update-flake.sh
140137
138+ # auto update flake for dependabot
141139 -uses :stefanzweifel/git-auto-commit-action@v5
140+ if :github.actor == 'dependabot[bot]'
142141with :
143142# Allows dependabot to still rebase!
144143commit_message :" [dependabot skip] Update Nix Flake SRI Hash"
145144
145+ # require everyone else to update it themselves
146+ -name :Ensure No Changes
147+ if :github.actor != 'dependabot[bot]'
148+ run :git diff --exit-code
149+
146150lint :
147151needs :changes
148152if :needs.changes.outputs.offlinedocs-only == 'false' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'