From 35c3b0886278fac2e74ed2acf566b58513756d59 Mon Sep 17 00:00:00 2001
From: Lyra Thorpe <iam@emmathe.dev>
Date: Tue, 16 Jun 2026 10:44:46 +0100
Subject: [PATCH 1/2] fix(renovaterc.json): ensure lockfile updates auto merge

---
 .renovaterc.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.renovaterc.json b/.renovaterc.json
index 5a18122..8fc84a5 100644
--- a/.renovaterc.json
+++ b/.renovaterc.json
@@ -6,7 +6,8 @@
   },
   "lockFileMaintenance": {
     "enabled": true,
-    "schedule": ["before 6am on monday"]
+    "schedule": ["before 6am on monday"],
+    "automerge": true
   },
   "git-submodules": {
     "enabled": false

From 8c3b101a14b12b7728cae2d50403ff7e64c9e3d9 Mon Sep 17 00:00:00 2001
From: Emma Thorpe <emma.thorpe@citrix.com>
Date: Tue, 16 Jun 2026 11:47:32 +0100
Subject: [PATCH 2/2] ci: always run the workflow on PRs, guard the heavy steps

This job is a required status check on main. The workflow was path-filtered
to **.nix/flake.lock/ci.yaml, so a PR touching none of those (e.g. a
.renovaterc.json-only change) skipped the workflow entirely, leaving the
required check pending forever and making the PR unmergeable.

Run the workflow on every PR so the check is always reported, but keep a
'detect' step that diffs the PR against its base and runs nix flake check
and the per-host evals only when a .nix file, flake.lock, or this workflow
changed. When nothing Nix-relevant changed the heavy steps skip and the job
still passes, so the required check stays green-reportable without burning a
full evaluation on unrelated changes. Checkout uses fetch-depth: 0 so the
diff has the base history.
---
 .gitea/workflows/ci.yaml | 50 +++++++++++++++++++++++++++++++++-------
 1 file changed, 42 insertions(+), 8 deletions(-)

diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml
index 2c7cb7c..f8794ca 100644
--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@@ -2,18 +2,18 @@
 # plus an explicit per-host evaluation pass for granular output.
 name: CI
 
+# Deliberately no `paths:` filter. This job is a required status check on main,
+# and a path-filtered workflow is *skipped* (never runs) for PRs that touch no
+# matching file -- which leaves the required check pending forever and blocks the
+# merge (e.g. a .renovaterc.json-only change). So the workflow always runs and
+# always reports. To avoid burning a full Nix evaluation on changes that can't
+# affect it, the "detect" step below diffs the PR and the heavy steps run only
+# when a .nix file, flake.lock, or this workflow changed; otherwise they skip and
+# the job still passes. The required check is therefore always green-reportable.
 on:
   push:
     branches: [main]
-    paths:
-      - "**.nix"
-      - "flake.lock"
-      - ".gitea/workflows/ci.yaml"
   pull_request:
-    paths:
-      - "**.nix"
-      - "flake.lock"
-      - ".gitea/workflows/ci.yaml"
 
 jobs:
   flake:
@@ -21,8 +21,39 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          # Full history so the detect step can diff the PR against its base.
+          fetch-depth: 0
+
+      # Decide whether the Nix steps need to run. On a pull_request, diff the PR
+      # against its base and look for files that can affect the flake: any .nix,
+      # the lockfile, or this workflow. On any other event (push to main) always
+      # run. The job itself always succeeds, so the required status check is
+      # reported even when the heavy steps are skipped.
+      - name: Detect Nix-relevant changes
+        id: detect
+        run: |
+          set -euo pipefail
+          if [ "${{ github.event_name }}" != "pull_request" ]; then
+            echo "Event ${{ github.event_name }}: running full checks."
+            echo "run=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          base='${{ github.event.pull_request.base.sha }}'
+          head='${{ github.event.pull_request.head.sha }}'
+          changed=$(git diff --name-only "$base...$head")
+          echo "Changed files:"
+          echo "$changed"
+          if echo "$changed" | grep -Eq '(\.nix$|^flake\.lock$|^\.gitea/workflows/ci\.yaml$)'; then
+            echo "Nix-relevant changes found: running checks."
+            echo "run=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "No Nix-relevant changes: skipping checks (job still passes)."
+            echo "run=false" >> "$GITHUB_OUTPUT"
+          fi
 
       - name: Install Nix
+        if: steps.detect.outputs.run == 'true'
         uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31
         with:
           extra_nix_config: |
@@ -34,6 +65,7 @@ jobs:
       # Runs every flake check: treefmt formatting, deadnix, statix, and the
       # pre-commit hooks (so a --no-verify commit can't ship unlinted).
       - name: Flake check
+        if: steps.detect.outputs.run == 'true'
         run: nix flake check --print-build-logs
 
       # Evaluate (not build) each host's toplevel so eval errors fail CI cheaply.
@@ -44,6 +76,7 @@ jobs:
       # nixos/darwinConfigurations) rather than hard-coded, so adding or removing
       # a host needs no change to this workflow.
       - name: Evaluate NixOS host configurations
+        if: steps.detect.outputs.run == 'true'
         run: |
           set -euo pipefail
           hosts=$(nix eval --raw '.#nixosConfigurations' \
@@ -56,6 +89,7 @@ jobs:
           done
 
       - name: Evaluate Darwin host configurations
+        if: steps.detect.outputs.run == 'true'
         run: |
           set -euo pipefail
           hosts=$(nix eval --raw '.#darwinConfigurations' \