.github: init workflows

.github/CODEOWNERS

@@ -0,0 +1,6 @@
+# Lines starting with '#' are comments.
+# Each line is a file pattern followed by one or more owners.
+# Order is important. The last matching pattern has the most precedence.
+
+# These owners will be the default owners for everything in the repo.
+* @khaneliman

.github/dependabot.yml

@@ -0,0 +1,9 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    commit-message:
+      # Prefix all commit messages with "npm: "
+      prefix: ".github"

.github/labeler.yml

@@ -0,0 +1,18 @@
+Flake-Modules:
+  - changed-files:
+      - any-glob-to-any-file: flake-modules/**/*
+Modules:
+  - changed-files:
+      - any-glob-to-any-file: modules/**/*
+Library:
+  - changed-files:
+      - any-glob-to-any-file: lib/**/*
+Overlays:
+  - changed-files:
+      - any-glob-to-any-file: overlays/**/*
+Packages:
+  - changed-files:
+      - any-glob-to-any-file: packages/**/*
+GitHub-Action:
+  - changed-files:
+      - any-glob-to-any-file: .github/workflows/*

.github/settings.yml

@@ -0,0 +1,122 @@
+repository:
+  # See https://developer.github.com/v3/repos/#edit for all available settings.
+
+  # The name of the repository. Changing this will rename the repository
+  name: khanelivim
+  # A short description of the repository that will show up on GitHub
+  description: Nixvim neovim flake.
+  # A URL with more information about the repository
+  homepage: ""
+  # A comma-separated list of topics to set on the repository
+  topics: "neovim,nixos,unstable,nixvim,nix"
+  # Either `true` to make the repository private, or `false` to make it public.
+  private: false
+  # Either `true` to enable issues for this repository, `false` to disable them.
+  has_issues: true
+  # Either `true` to enable projects for this repository, or `false` to disable them.
+  # If projects are disabled for the organization, passing `true` will cause an API error.
+  has_projects: true
+  # Either `true` to enable the wiki for this repository, `false` to disable it.
+  has_wiki: true
+  # Either `true` to enable downloads for this repository, `false` to disable them.
+  has_downloads: false
+  # Updates the default branch for this repository.
+  default_branch: main
+  # Either `true` to allow squash-merging pull requests, or `false` to prevent
+  # squash-merging.
+  allow_squash_merge: true
+  # Either `true` to allow merging pull requests with a merge commit, or `false`
+  # to prevent merging pull requests with merge commits.
+  allow_merge_commit: true
+  # Either `true` to allow rebase-merging pull requests, or `false` to prevent
+  # rebase-merging.
+  allow_rebase_merge: true
+  # Either `true` to enable automatic deletion of branches on merge, or `false` to disable
+  delete_branch_on_merge: true
+  # Either `true` to enable automated security fixes, or `false` to disable
+  # automated security fixes.
+  enable_automated_security_fixes: true
+  # Either `true` to enable vulnerability alerts, or `false` to disable
+  # vulnerability alerts.
+  enable_vulnerability_alerts: true
+# Labels: define labels for Issues and Pull Requests
+#
+labels:
+# NOTE: leave that up to the https://github.com/numtide/.github repo
+#   - name: bug
+#     color: CC0000
+#     description: An issue with the system 🐛.
+
+#   - name: feature
+#     # If including a `#`, make sure to wrap it with quotes!
+#     color: '#336699'
+#     description: New functionality.
+
+#   - name: Help Wanted
+#     # Provide a new name to rename an existing label
+#     new_name: first-timers-only
+
+# Milestones: define milestones for Issues and Pull Requests
+milestones:
+#   - title: milestone-title
+#     description: milestone-description
+#     # The state of the milestone. Either `open` or `closed`
+#     state: open
+
+# Collaborators: give specific users access to this repository.
+# See https://docs.github.com/en/rest/reference/repos#add-a-repository-collaborator for available options
+collaborators:
+# Note: `permission` is only valid on organization-owned repositories.
+# The permission to grant the collaborator. Can be one of:
+# * `pull` - can pull, but not push to or administer this repository.
+# * `push` - can pull and push, but not administer this repository.
+# * `admin` - can pull, push and administer this repository.
+# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
+# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
+# permission: push
+
+# See https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions for available options
+teams:
+# The permission to grant the team. Can be one of:
+# * `pull` - can pull, but not push to or administer this repository.
+# * `push` - can pull and push, but not administer this repository.
+# * `admin` - can pull, push and administer this repository.
+# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
+# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
+# permission: maintain
+branches:
+  - name: main
+    # https://docs.github.com/en/rest/reference/repos#update-branch-protection
+    # Branch Protection settings. Set to null to disable
+    protection:
+      # Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
+      required_pull_request_reviews:
+        # # The number of approvals required. (1-6)
+        required_approving_review_count: 1
+        # # Dismiss approved reviews automatically when a new commit is pushed.
+        dismiss_stale_reviews: true
+        # # Blocks merge until code owners have reviewed.
+        require_code_owner_reviews: true
+        # # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
+        # dismissal_restrictions:
+        #   users: []
+        #   teams: []
+      # Required. Require status checks to pass before merging. Set to null to disable
+      required_status_checks:
+        # Required. Require branches to be up to date before merging.
+        strict: true
+        # Required. The list of status checks to require in order to merge into this branch
+        contexts: []
+      # Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
+      enforce_admins: false
+      required_linear_history: true
+      required_conversation_resolution: true
+      required_signatures: true
+      # Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
+      restrictions:
+      # apps:  []
+      # users: []
+      # teams: []
+actions:
+  default_workflow_permissions: "write"
+  can_approve_pull_request_reviews": true

.github/workflows/check.yml

@@ -0,0 +1,32 @@
+name: Check
+on: [push, pull_request, workflow_dispatch]
+jobs:
+  checks:
+    name: Check expressions on ${{ matrix.arch }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest]
+        arch: [x86_64-linux, aarch64-darwin]
+    if: github.ref == 'refs/heads/main'
+    steps:
+      - uses: actions/checkout@v4
+      - name: Check Nix flake inputs
+        uses: DeterminateSystems/flake-checker-action@v9
+      - uses: cachix/install-nix-action@v23
+        with:
+          install_url: https://nixos.org/nix/install
+          extra_nix_config: |
+            auto-optimise-store = true
+            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+            experimental-features = nix-command flakes
+            system = ${{ matrix.arch }}
+      - uses: cachix/cachix-action@v12
+        with:
+          name: khanelinix
+          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+      - name: clear hostedtoolcache
+        run: rm -rf /opt/hostedtoolcache
+      - name: run flake check
+        run: nix flake check --system ${{ matrix.arch }}

.github/workflows/label.yml

@@ -0,0 +1,19 @@
+# This workflow will triage pull requests and apply a label based on the
+# paths that are modified in the pull request.
+#
+# To use this workflow, you will need to set up a .github/labeler.yml
+# file with configuration.  For more information, see:
+# https://github.com/actions/labeler
+
+name: Labeler
+on: [pull_request]
+jobs:
+  label:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - uses: actions/labeler@v5
+        with:
+          repo-token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/update-flakes.yml

@@ -0,0 +1,21 @@
+name: "Update flakes"
+on:
+  repository_dispatch:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 0 * * *"
+jobs:
+  createPullRequest:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install Nix
+        uses: cachix/install-nix-action@v30
+        with:
+          extra_nix_config: |
+            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+      - name: Update flake.lock
+        uses: DeterminateSystems/update-flake-lock@v24
+        with:
+          pr-labels: |
+            merge-queue