Github app for merge-bot and for nixos-infra for updating flakes #67

Closed
Mic92 opened this issue Feb 2, 2025 · 8 comments
Comments

@Mic92
Member

Mic92 commented Feb 2, 2025

I need two GitHub Apps, one for merge-bot and one for nixos-infra,
so that I can create pull requests in a way that triggers CI,
similar to what we do for nixpkgs: https://github.com/NixOS/nixpkgs/blob/c1f95f184125fe9dbeed9f2fb39596c8f356502c/.github/workflows/backport.yml#L26C1-L26C65

See #38 for a tutorial on how to set this up.

While you are at it, I would like one app for the Nix repository as well. Then we can use GitHub's built-in merge queues instead of Mergify.

@infinisil
Member

How about we repurpose the Nixpkgs CI app for other repos too? There's no reason we'd need per-repository apps, it just makes it more annoying to manage. So we could:

  • Rename it to something more generic like "Nix Projects CI"
  • Install it on all repos instead of individual repos

Then the only per-repository thing we need to do is to generate a private key and set the repository variables/secrets.

@infinisil
Member

And at that point we could go even further and specify organisation-wide GHA variables/secrets, such that all repos can get access to the GitHub app.

If we do this though, it also means that GHAs on any repo could write to any other repo, but I think that's fine because you still need somebody with commit access to configure GHAs.

What do you think, @NixOS/org?

@zimbatm
Member

zimbatm commented Feb 4, 2025

Whenever I give commit access to somebody, I can reason that their area of action is within the repo. I would prefer to keep that property and avoid unintended consequences down the line. Especially if it becomes easier to make more projects official.

@Mic92
Member Author

Mic92 commented Feb 6, 2025

I also want to keep these things separate. Otherwise every nixpkgs committer for example could commit to the nix repository.

@infinisil
Member

Fair, yeah. Especially also because there are a bunch of repos that aren't watched by many, so some changes could more easily be sneaked in.

@infinisil
Member

Before I go ahead with this, here's the plan:

Two GitHub Apps:

Each with only these permissions on the respective repository:

  • Repository > Contents: read-write (to create PR branches)
  • Repository > Pull Requests: read-write (to create PRs)

Each will be available via:

  • ${{ vars.CI_APP_ID }}
  • ${{ secrets.CI_APP_PRIVATE_KEY }}

@Mic92 Can you confirm that that's looking good?
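The workflow side of the plan above, as an added example that is not part of the issue or of any NixOS repository: a workflow that mints an installation token from the per-repository App using the `vars.CI_APP_ID` and `secrets.CI_APP_PRIVATE_KEY` names from the plan, updates `flake.lock`, and opens a pull request with that token so the PR triggers CI. The `actions/create-github-app-token` and `cachix/install-nix-action` actions, the `permission-*` inputs, the branch name, the bot identity, the schedule and the `main` base branch are assumptions for illustration, not settings from the thread.

```yaml
# Added example, not code from the issue or from the NixOS infrastructure.
name: Update flake inputs

on:
  schedule:
    - cron: "0 4 * * 1"   # assumption: weekly run, Monday 04:00 UTC
  workflow_dispatch:

# Drop every default GITHUB_TOKEN grant: the job acts only through the App
# token below, so a compromised step cannot fall back on the built-in token.
permissions: {}

jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - name: Mint an installation token for this repository only
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ vars.CI_APP_ID }}
          private-key: ${{ secrets.CI_APP_PRIVATE_KEY }}
          # The App is installed on this repo alone, so the token cannot reach
          # other repositories (the per-repo split agreed in the thread). The
          # two inputs below narrow the token further to exactly the plan's two
          # permissions; assumption: a version of the action that accepts
          # permission-* inputs.
          permission-contents: write
          permission-pull-requests: write

      - name: Check out with the App token so pushes are attributed to the App
        uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token }}

      - name: Install Nix
        uses: cachix/install-nix-action@v30

      - name: Update flake inputs
        run: nix flake update

      - name: Open a pull request as the App
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          set -euo pipefail
          if git diff --quiet -- flake.lock; then
            echo "flake.lock is already up to date"
            exit 0
          fi
          branch="flake-update/$(date -u +%Y%m%d)"   # assumption: branch naming
          # Assumption: the App's bot login; GitHub shows it on the App page.
          git config user.name "nix-projects-ci[bot]"
          git config user.email "nix-projects-ci[bot]@users.noreply.github.com"
          git switch -c "$branch"
          git commit -am "flake.lock: update"
          git push origin "$branch"                  # needs Contents: write
          gh pr create \
            --base main \
            --head "$branch" \
            --title "flake.lock: update" \
            --body "Automated flake input update."  # needs Pull Requests: write
```

The reason for going through an App token at all, rather than the workflow's own `GITHUB_TOKEN`, is that GitHub does not run workflows for pushes and pull requests created with `GITHUB_TOKEN`; a branch pushed and a PR opened with an installation token do trigger the repository's CI. Because the private key is a repository secret and the App is installed on that one repository, a workflow in another repo has nothing it can reuse, which is the property zimbatm and Mic92 asked to keep.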

@Mic92
Member Author

Mic92 commented Feb 12, 2025

Plan sounds good to me. If you could also do the same for the nix repository, that would be great.

@infinisil
Member

Done for all three repos now. Note that I called the Nix one "Internal Nix CI" because "Nix CI" was taken. Can be renamed if there's a better suggestion.
