Merge branch 'main' into zettelkasten

.editorconfig

@@ -11,7 +11,7 @@ insert_final_newline = true
 [*.md]
 trim_trailing_whitespace = false
 
-[{Makefile,*.mk,*.go,.gitmodules,*.*sh,.*shrc,*shenv,.bash_*}]
+[{Makefile,*.mk,*.go,.gitmodules,*.*sh,.*shrc,*shenv,.bash_*,*.envrc}]
 indent_style = tab
 indent_size = 4
 

.envrc

@@ -1,7 +1,3 @@
 #!/usr/bin/env -S bash
 
 use flake
-
-# To avoid absolute path for Nix and typos-lsp in vscode settings
-TYPOS_LSP_PATH="$(command -v typos-lsp)"
-export TYPOS_LSP_PATH

.github/dependabot.yml

@@ -15,6 +15,6 @@ updates:
     schedule:
       interval: 'weekly'
   - package-ecosystem: 'gomod'
-    directory: '/pkgs/trim-github-user-prefix-for-reponame'
+    directory: '/pkgs/reponame'
     schedule:
       interval: 'weekly'

.github/renovate.json

@@ -2,11 +2,12 @@
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "dependencyDashboard": true,
   "extends": [
+    "config:recommended",
     "github>kachick/renovate-config-dprint#1.3.0",
     "github>kachick/renovate-config-dprint:self"
   ],
   "labels": ["dependencies", "renovate"],
-  "enabledManagers": ["nix", "regex"],
+  "enabledManagers": ["nix", "regex", "dockerfile"],
   "nix": {
     "enabled": true
   },

.github/workflows/ci-go.yml

@@ -27,7 +27,7 @@ jobs:
       matrix:
         os:
           - ubuntu-24.04
-          - macos-14 # M1. Doesn't match for my Intel Mac, but preferring with the speed.
+          - macos-15 # Apple Silicon. Doesn't match for my Intel Mac, but preferring with the speed.
           - windows-latest
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/ci-home.yml

@@ -4,14 +4,14 @@ on:
     branches: [main]
     paths:
       - '.github/workflows/ci-home.yml'
-      - '**/home-manager/**.nix'
+      - 'home-manager/**.nix'
       - '**.nix'
       - 'flake.*'
       - 'Makefile.toml'
   pull_request:
     paths:
       - '.github/workflows/ci-home.yml'
-      - '**/home-manager/**.nix'
+      - 'home-manager/**.nix'
       - '**.nix'
       - 'flake.*'
       - 'Makefile.toml'
@@ -28,18 +28,23 @@ jobs:
     outputs:
       matrix: ${{ steps.generator.outputs.matrix }}
     steps:
+      - name: Install gh-action-escape
+        run: curl -fsSL https://raw.githubusercontent.com/kachick/gh-action-escape/main/scripts/install-in-github-action.sh | sh -s v0.2.0
       - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Get changed paths
+        run: |
+          git diff origin/main --name-only | gh-action-escape -name=CHANGED_PATHS | tee --append "$GITHUB_ENV"
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
           go-version-file: 'go.mod'
           cache-dependency-path: 'go.sum'
-      - name: Install gh-action-escape
-        run: curl -fsSL https://raw.githubusercontent.com/kachick/gh-action-escape/main/scripts/install-in-github-action.sh | sh -s v0.2.0
       - name: Generate Matrix
         id: generator
         run: |
-          go run ./cmd/gen_matrix -event_name '${{ github.event_name }}' | gh-action-escape -name=matrix | tee -a "$GITHUB_OUTPUT"
+          go run ./cmd/gen_matrix -event_name '${{ github.event_name }}' -paths "$CHANGED_PATHS" | gh-action-escape -name=matrix | tee -a "$GITHUB_OUTPUT"
   home-manager:
     needs: [generate_matrix]
     if: (github.event_name != 'pull_request') || (!github.event.pull_request.draft)
@@ -50,7 +55,8 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       # Do not use DeterminateSystems/magic-nix-cache-action for home workflow, it always faced to GitHub rate limit because of home depends on many packages
-      - uses: DeterminateSystems/nix-installer-action@v13
+      - uses: DeterminateSystems/nix-installer-action@v14
+      - uses: DeterminateSystems/magic-nix-cache-action@v8
       - name: Print some dotfiles overviews
         run: |
           </etc/nix/nix.conf
@@ -87,9 +93,12 @@ jobs:
           zsh -c zsh -c 'which la; which p'
           zsh -c 'ruby --version'
           zsh -c 'irb --version'
-          zsh -c 'alacritty --version'
           zsh -c 'ssh -V'
           zsh -c 'hx --health'
+      - name: Make sure macos dependencies
+        if: runner.os == 'macOS'
+        run: |
+          zsh -c 'command -v maccy'
       - name: Run homemade commands
         run: |
           zsh -c 'la ~; lat ~/.config'

.github/workflows/ci-nix.yml

@@ -22,23 +22,22 @@ on:
 
 jobs:
   tasks:
-    if: (github.event_name != 'pull_request') || (!github.event.pull_request.draft)
     strategy:
       fail-fast: false
       matrix:
         os:
           - ubuntu-24.04
-          - macos-14 # M1. Doesn't match for my Intel Mac, but preferring with the speed.
+          - macos-15 # Apple Silicon. Doesn't match for my Intel Mac, but preferring with the speed.
     runs-on: ${{ matrix.os }}
     timeout-minutes: 30
     steps:
       - uses: actions/checkout@v4
-      - uses: DeterminateSystems/nix-installer-action@v13
+      - uses: DeterminateSystems/nix-installer-action@v14
       - name: Print some dotfiles overviews
         run: |
           </etc/nix/nix.conf
           ls -alh ~
-      - uses: DeterminateSystems/magic-nix-cache-action@v7
+      - uses: DeterminateSystems/magic-nix-cache-action@v8
       - run: nix develop --command echo 'This step should be done before any other "nix develop" steps because of measuring Nix build time'
       - run: nix flake show
       - run: nix flake check

.github/workflows/cleanup-caches.yml

@@ -0,0 +1,27 @@
+# Mostly for DeterminateSystems/magic-nix-cache-action
+name: 👋 caches in merged PRs
+on:
+  pull_request:
+    types:
+      - closed
+  schedule:
+    # Every 12:42 JST
+    # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#schedule
+    - cron: '42 3 * * *'
+  workflow_dispatch:
+
+jobs:
+  cleanup:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      # Intentionally cover all merged PRs to keep simple logics. See https://github.com/kachick/times_kachick/issues/311
+      - name: Cleanup
+        run: |
+          gh pr list --state merged --json number --jq '.[].number' --limit 2000 | \
+            xargs --no-run-if-empty -I '{}' gh cache list --sort size_in_bytes --order desc --json id --jq '.[].id' --limit 100 --ref 'refs/pull/{}/merge' | \
+            xargs --no-run-if-empty --max-lines=1 gh cache delete
+        env:
+          GH_TOKEN: ${{ github.token }}

.github/workflows/container.yml

@@ -52,7 +52,7 @@ jobs:
           if [ '${{ github.event_name }}' = 'pull_request' ]; then
             special='pr-${{ github.event.number }}-${{ github.event.pull_request.head.sha }}'
             ref='${{ github.event.pull_request.head.sha }}'
-          elif [ '${{ github.event_name }}' = 'push'  ] && [ '${{ github.ref_name }}' = '${{ github.event.repository.default_branch }}' ]; then
+          elif [ '${{ github.ref_name }}' = '${{ github.event.repository.default_branch }}' ]; then
             special='latest'
             ref='${{ github.sha }}'
           else

.github/workflows/gitleaks.yml

@@ -9,6 +9,14 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: gitleaks/gitleaks-action@44c470ffc35caa8b1eb3e8012ca53c2f9bea4eb5 # v2.3.6
+      - uses: gitleaks/gitleaks-action@83373cf2f8c4db6e24b41c1a9b086bb9619e9cd3 # v2.3.7
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # Without this env uses hardcoded old version.
+          # https://github.com/gitleaks/gitleaks-action/blob/2ec8b9f617b48c888d0653fb5925820e0de9c674/README.md?plain=1#L59C4-L59C20
+          GITLEAKS_VERSION: 'latest'
+          # action README says it will respect `gitleaks.toml`, however ths CLI respects only `.gitleaks.toml`
+          # I don't know which is correct or just a typo, so clarifying the path here
+          # https://github.com/gitleaks/gitleaks/blob/e93a7c0d2604fd1bcc43ac9cac6144a62387a8a4/cmd/root.go#L33C18-L33C27
+          # https://github.com/gitleaks/gitleaks-action/blob/2ec8b9f617b48c888d0653fb5925820e0de9c674/README.md?plain=1#L56
+          GITLEAKS_CONFIG: '.gitleaks.toml'

.github/workflows/lint.yml

@@ -39,12 +39,3 @@ jobs:
           token: ${{ github.token }}
           version: '0.20.0' # selfup {"extract":"\\d\\.\\d+\\.\\d+","replacer":["stylua", "--version"], "nth": 2}
           args: --check .
-
-  markdownlint:
-    timeout-minutes: 15
-    runs-on: ubuntu-24.04
-    steps:
-      - uses: actions/checkout@v4
-      - uses: DavidAnson/markdownlint-cli2-action@b4c9feab76d8025d1e83c653fa3990936df0e6c8 # v16
-        with:
-          globs: '**/*.md'

.github/workflows/update-flake-lock-and-ci.yml

@@ -14,13 +14,13 @@ on:
 jobs:
   update-nixpkgs:
     if: (github.event_name != 'pull_request') || (!github.event.pull_request.draft)
-    uses: kachick/selfup/.github/workflows/[email protected].3
+    uses: kachick/selfup/.github/workflows/[email protected].6
     with:
       app_id: ${{ vars.APP_ID }}
       dry-run: ${{ github.event_name == 'pull_request' }}
       pr-title: 'Bump flake.lock and related dependencies'
       optional-run: |
         nix run .#bump_completions
-        nix run .#bump_gomod
+        nix run .#bump_gomod -- . pkgs/reponame
     secrets:
       APP_PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}

.github/workflows/windows.yml

@@ -33,10 +33,24 @@ permissions:
 
 defaults:
   run:
-    shell: pwsh
+    # To respect exit code and make fail-fast behaviors. See GH-617
+    #
+    # NOTE: `pwsh` specifier is defined in below
+    # - https://github.com/actions/runner/blob/6d7446a45ebc638a842895d5742d6cf9afa3b66d/src/Runner.Worker/Handlers/ScriptHandlerHelpers.cs#L16-L17
+    # - https://github.com/actions/runner/blob/6d7446a45ebc638a842895d5742d6cf9afa3b66d/src/Runner.Worker/Handlers/ScriptHandlerHelpers.cs#L60-L65
+    shell: |
+      pwsh -command "$PSNativeCommandUseErrorActionPreference = $true; $ErrorActionPreference = 'stop'; . '{0}'"
 
 jobs:
-  # This job has many comment-out tyle note, agree to ugly, but do NOT remove for now.
+  inspect_runner:
+    runs-on: windows-2022
+    steps:
+      - name: Print some variables which is applied in GH-617
+        run: |
+          $PSVersionTable
+          $PSNativeCommandUseErrorActionPreference
+          $ErrorActionPreference
+  # This job has many comment-out style note, agree to ugly, but do NOT remove for now.
   # See #443 for detail.
   #
   # Not Terraform :)

.gitleaks.toml

@@ -0,0 +1,14 @@
+[extend]
+# useDefault will extend the base configuration with the default gitleaks config:
+# https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml
+useDefault = true
+
+[allowlist]
+stopwords = [
+  # This pattern was detected in `facebook-page-access-token`, but I believe this is a false positive.
+  # See GH-783 for detail
+  # https://github.com/kachick/dotfiles/pull/783#issuecomment-2345176253
+  # https://gist.github.com/cocopon/a04be63f5e0856daa594702299c13160#file-iceberg-terminal-L170
+  # https://github.com/gitleaks/gitleaks/pull/1372
+  '''EAAC2z2Rlc2MAAAAAAAAAFklFQyBodHRwOi8vd3d3LmllYy5j''',
+]