From 8220473f952571691b05037dbd18659d1f5f83a1 Mon Sep 17 00:00:00 2001
From: Austin Horstman
Date: Wed, 26 Nov 2025 12:42:01 -0600
Subject: [PATCH] ci: revert actions/checkout to v5 due to update-flake-lock incompatibility

Root cause: DeterminateSystems/update-flake-lock@v27 uses peter-evans/create-pull-request@v6.0.5 internally, which is incompatible with actions/checkout@v6's new credential storage mechanism.

The Problem Chain:
- actions/checkout@v6 moved credentials from .git/config to $RUNNER_TEMP (security improvement)
- peter-evans/create-pull-request@v6.0.5 cannot access credentials from the new $RUNNER_TEMP location
- This causes exit code 128 when update-flake-lock tries to create PRs

The Fix:
- create-pull-request@v7.0.9 fixed v6 compatibility
- However, update-flake-lock@v27 (released July 2025) hasn't upgraded yet
- Reverting to v5 restores working credential access

Next Steps:
- Can upgrade to v6 once update-flake-lock uses create-pull-request@v7.0.9+
- https://github.com/DeterminateSystems/update-flake-lock/pull/224
- Dependabot configured to ignore v6 upgrades until compatibility is fixed

Fixes: https://github.com/nix-community/home-manager/actions/runs/19712979574
See: https://github.com/peter-evans/create-pull-request/issues/690

Signed-off-by: Austin Horstman
---
 .github/dependabot.yml | 8 ++++++++
 .github/workflows/update-flake.yml | 7 ++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index e23c5b277..7874c5d4a 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -7,6 +7,10 @@ updates:
 interval: "weekly"
 commit-message:
 prefix: "ci:"
+ ignore:
+ # Ignore v6 until update-flake-lock upgrades to create-pull-request@v7.0.9+
+ - dependency-name: "actions/checkout"
+ update-types: ["version-update:semver-major"]
 
 - package-ecosystem: "github-actions"
 directory: "/"
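Review bot: The comment on the new `ignore` entry says "Ignore v6", but `update-types: ["version-update:semver-major"]` suppresses every future major release of actions/checkout, so a v7 shipped after the upstream fix would be hidden too, and nothing in the file says what would let the rule be removed. Recording the reference the commit message already gives, `# Tracking: https://github.com/DeterminateSystems/update-flake-lock/pull/224 — drop this ignore once update-flake-lock uses create-pull-request@v7.0.9+`, makes the rule self-expiring for the next reader. Because actions/checkout is the step that receives the repository token, an open-ended major-version ignore on it deserves a narrower scope where the ecosystem allows (an `ignore` `versions:` range covering only the 6.x line) rather than a blanket rule. The identical block is added again in the second dependabot hunk (`@@ -15,3 +19,7 @@`) and would take the same comment.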
@@ -15,3 +19,7 @@ updates:
 interval: "weekly"
 commit-message:
 prefix: "ci:"
+ ignore:
+ # Ignore v6 until update-flake-lock upgrades to create-pull-request@v7.0.9+
+ - dependency-name: "actions/checkout"
+ update-types: ["version-update:semver-major"]
diff --git a/.github/workflows/update-flake.yml b/.github/workflows/update-flake.yml
index 0f3421540..3d03461be 100644
--- a/.github/workflows/update-flake.yml
+++ b/.github/workflows/update-flake.yml
@@ -35,7 +35,12 @@ jobs:
 echo "email=$id+$name@users.noreply.github.com"
 } >> "$GITHUB_OUTPUT"
 - name: Checkout repository
- uses: actions/checkout@v6
+ # NOTE: v6 is incompatible with update-flake-lock@v27 due to credential
+ # storage changes. update-flake-lock uses peter-evans/create-pull-request@v6.0.5
+ # which doesn't work with v6's $RUNNER_TEMP credential storage.
+ # Can upgrade to v6 once update-flake-lock uses create-pull-request@v7.0.9+
+ # See: https://github.com/peter-evans/create-pull-request/issues/690
+ uses: actions/checkout@v5
 with:
 ref: ${{ matrix.branch }}
 token: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
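Review bot: The NOTE block above `uses: actions/checkout@v5` explains why v5 is used but not what the revert gives up: by the commit's own description, v6 moved the checkout credential out of `.git/config` into `$RUNNER_TEMP`, so with v5 the token supplied on the `token:` line (the app token, or `GITHUB_TOKEN` as fallback) is written back into the workspace's `.git/config` and stays available to every later step of this job. One comment line recording that accepted trade-off, e.g. `# Trade-off: with v5 the checkout token is persisted in .git/config for the rest of this job.`, plus the tracking link from the commit message, `# Tracking: https://github.com/DeterminateSystems/update-flake-lock/pull/224`, would keep the reason to re-upgrade visible where the version is set. Since this version is now held back by hand, consider also pinning it to a full commit SHA with the tag in a trailing comment (`uses: actions/checkout@<full-commit-sha>  # v5`) so the held version is immutable; Dependabot still updates SHA pins. The enclosing job definition starts and ends outside the hunk.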