chore: enable Renovate, add nix flake e2e check, refresh lockfiles

0x77dev · 0x77dev · commit 594ac9dfd94e · 2025-12-13T01:07:49.000-08:00
diff --git a/.envrc b/.envrc
@@ -1,4 +1,5 @@
 # shellcheck shell=bash
 
-strict_env has nix
+strict_env
+has nix
 use flake .
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -36,6 +36,10 @@ jobs:
         run: |
           nix build .#pdf-sign --out-link result
 
+      - name: Test (flake checks)
+        run: |
+          nix flake check -L
+
       - name: Collect artifact
         run: |
           mkdir -p dist
diff --git a/Cargo.toml b/Cargo.toml
@@ -19,4 +19,8 @@ sequoia-gpg-agent = "0.6"
 sequoia-openpgp = { version = "2", default-features = false, features = ["crypto-rust", "allow-experimental-crypto", "allow-variable-time-crypto"] }
 tokio = { version = "1", features = ["full"] }
 
-
+[profile.release]
+opt-level = 3
+lto = "fat"
+codegen-units = 1
+strip = true
diff --git a/flake.nix b/flake.nix
@@ -52,6 +52,44 @@
         });
       in
       {
+        checks = {
+          pdf-sign-e2e = pkgs.runCommand "pdf-sign-e2e" {
+            nativeBuildInputs = with pkgs; [ gnupg ];
+          } ''
+            set -euo pipefail
+
+            export GNUPGHOME="$(mktemp -d)"
+            chmod 700 "$GNUPGHOME"
+
+            # Non-interactive agent defaults: sequoia-gpg-agent sends OPTION values,
+            # keep them non-empty even in CI.
+            export GPG_TTY=/dev/null
+            export LANG=C
+
+            gpgconf --launch gpg-agent
+
+            gpg --batch --pinentry-mode loopback --passphrase "" \
+              --quick-generate-key "CI Test <ci@example.invalid>" default default never
+
+            gpg --batch --armor --export "ci@example.invalid" > cert.asc
+
+            cat > input.pdf <<'EOF'
+%PDF-1.1
+1 0 obj
+<<>>
+endobj
+trailer
+<<>>
+%%EOF
+EOF
+
+            signed="$(${pdfSign}/bin/pdf-sign sign input.pdf --key cert.asc)"
+            ${pdfSign}/bin/pdf-sign verify "$signed" --cert cert.asc | grep -x OK >/dev/null
+
+            touch "$out"
+          '';
+        };
+
         packages =
           {
             default = pdfSign;
diff --git a/renovate.json b/renovate.json
@@ -0,0 +1,27 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": ["config:recommended"],
+  "enabledManagers": ["cargo", "nix", "github-actions"],
+  "nix": {
+    "enabled": true
+  },
+  "labels": ["dependencies"],
+  "dependencyDashboard": true,
+  "platformAutomerge": true,
+  "packageRules": [
+    {
+      "matchUpdateTypes": ["minor", "patch", "pin", "digest"],
+      "automerge": true,
+      "automergeType": "pr"
+    },
+    {
+      "matchUpdateTypes": ["major"],
+      "automerge": false
+    }
+  ],
+  "lockFileMaintenance": {
+    "enabled": true,
+    "automerge": true,
+    "automergeType": "pr"
+  }
+}
