geeksbsmrt · geeksbsmrt · Mar 5, 2026 · Mar 5, 2026 · Mar 5, 2026 · Mar 5, 2026
diff --git a/.github/workflows/dependabot-auto-merge.yaml b/.github/workflows/dependabot-auto-merge.yaml
@@ -18,31 +18,13 @@ jobs:
                   github-token: "${{ secrets.GITHUB_TOKEN }}"
 
             - name: Approve PR
-              uses: actions/github-script@v7
-              with:
-                  github-token: ${{ secrets.GITHUB_TOKEN }}
-                  script: |
-                      await github.rest.pulls.createReview({
-                          owner: context.repo.owner,
-                          repo: context.repo.repo,
-                          pull_number: context.issue.number,
-                          event: 'APPROVE'
-                      });
+              run: gh pr review --approve "$PR_URL"
+              env:
+                  PR_URL: ${{github.event.pull_request.html_url}}
+                  GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
 
             - name: Enable auto-merge
-              uses: actions/github-script@v7
-              with:
-                  github-token: ${{ secrets.GITHUB_TOKEN }}
-                  script: |
-                      await github.graphql(`
-                          mutation($pullRequestId: ID!) {
-                              enablePullRequestAutoMerge(input: {
-                                  pullRequestId: $pullRequestId,
-                                  mergeMethod: SQUASH
-                              }) {
-                                  clientMutationId
-                              }
-                          }
-                      `, {
-                          pullRequestId: context.payload.pull_request.node_id
-                      });
+              run: gh pr merge --auto --squash "$PR_URL"
+              env:
+                  PR_URL: ${{github.event.pull_request.html_url}}
+                  GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/deploy-prod.yaml b/.github/workflows/deploy-prod.yaml
@@ -26,6 +26,36 @@ jobs:
           echo "Checking age version..."
           age --version
 
+      - name: Install or Update GitHub CLI (gh)
+        run: |
+          echo "Checking for latest gh release..."
+          ARCH=$(uname -m)
+          if [ "$ARCH" = "aarch64" ]; then GH_ARCH="arm64"; elif [[ "$ARCH" == armv* ]]; then GH_ARCH="armv6"; else GH_ARCH="amd64"; fi
+          GH_VERSION=$(curl -sH "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" "https://api.github.com/repos/cli/cli/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
+
+          INSTALL_GH=false
+          if ! command -v gh &> /dev/null; then
+              echo "gh not found. Will install version $GH_VERSION"
+              INSTALL_GH=true
+          else
+              CURRENT_VERSION=$(gh --version | head -n 1 | awk '{print $3}')
+              if [ "$CURRENT_VERSION" != "$GH_VERSION" ]; then
+                  echo "gh version mismatch (current: $CURRENT_VERSION, latest: $GH_VERSION). Updating..."
+                  INSTALL_GH=true
+              else
+                  echo "gh is up-to-date (version $CURRENT_VERSION)."
+              fi
+          fi
+
+          if [ "$INSTALL_GH" = true ]; then
+              echo "Downloading gh version $GH_VERSION for $GH_ARCH..."
+              curl -sL "https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_${GH_ARCH}.tar.gz" -o gh.tar.gz
+              tar xzf gh.tar.gz
+              # Install globally so it's persistent and usable by all workflows
+              sudo cp "gh_${GH_VERSION}_linux_${GH_ARCH}/bin/gh" "/usr/local/bin/"
+              echo "Installation complete."
+          fi
+
       - name: Decrypt secrets.sops.env to .env file on Pi
         env:
           SOPS_AGE_KEY: ${{ secrets.RUNNER_AGE_PRIVATE_KEY }}
@@ -37,12 +67,12 @@ jobs:
           sudo -E chmod 600 "${TARGET_ENV_FILE}"
           echo ".env file created at ${TARGET_ENV_FILE} with restricted permissions."
 
-      - name: Check for Tailscale and Install if Missing
+      - name: Install or Update Tailscale
         run: |
-          # This step is already quiet, no changes needed.
           if command -v tailscale &> /dev/null
           then
-              echo "Tailscale is already installed. Skipping installation."
+              echo "Tailscale is already installed. Attempting update..."
+              sudo tailscale update --yes || echo "Tailscale update failed or unsupported via this method, continuing..."
           else
               echo "Tailscale not found. Installing..."
               curl -fsSL https://tailscale.com/install.sh | sudo sh