ci: update plugins & nixpkgs automatically

Signed-off-by: NotAShelf <raf@notashelf.dev>
Change-Id: Ib2352ce0917aa0a73a71be3f20e1ea2d6a6a6964

.github/workflows/update.yml

@@ -0,0 +1,91 @@
+name: Weekly Dependency Updates
+on:
+  workflow_dispatch:
+  schedule:
+    #  8 PM UTC every Friday
+    - cron: '0 20 * * 5'
+jobs:
+  update-dependencies:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: "Install Nix"
+        uses: cachix/install-nix-action@v31.8.2
+
+      - name: Set up Git
+        run: |
+          git config user.name "GitHub Actions Bot"
+          git config user.email "actions@github.com"
+
+      - name: Create branch for updates
+        run: |
+          DATE=$(date +%Y-%m-%d)
+          BRANCH_NAME="update/dependencies-$DATE"
+          git checkout -b $BRANCH_NAME
+          echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_ENV
+
+      - name: Update npins
+        run: nix run nixpkgs#npins update
+
+      # Only update Nixpkgs. mnw might break on update, better to track it manually to avoid
+      # unexpected breakage.
+      - name: Update nixpkgs
+        run: nix flake update nixpkgs
+
+      - name: Check for changes
+        id: check_changes
+        run: |
+          if git diff --quiet; then
+            echo "No changes detected"
+            echo "changes_detected=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          else
+            echo "Changes detected"
+            echo "changes_detected=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      # FIXME: Worth adding additional checks for, e.g., fragile plugins
+      # or modules
+      # nix build .#checks.<system>.<check-name>
+      # We'll probably want to handle this with machine tests
+      - name: Verify changes
+        if: steps.check_changes.outputs.changes_detected == 'true'
+        run: |
+          # Run verification tests to ensure updates don't break anything
+          nix flake check
+
+
+      - name: Set date variable
+        run: echo "DATE=$(date +%Y-%m-%d)" >> "$GITHUB_ENV"
+
+      - name: Commit and push changes
+        if: steps.check_changes.outputs.changes_detected == 'true'
+        run: |
+          git add .
+          git commit -m "pins: bump all plugins (${{ env.DATE }})"
+          git push -u origin $BRANCH_NAME
+
+      - name: Create Pull Request
+        if: steps.check_changes.outputs.changes_detected == 'true'
+        uses: peter-evans/create-pull-request@v7
+        with:
+          branch: ${{ env.BRANCH_NAME }}
+          base: main
+          labels: dependencies,automated pr
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: "npins: bump all plugins (${{ env.DATE }})"
+          title: "Weekly Dependency Updates: ${{ env.DATE }}"
+          body: |
+            > [!NOTE]
+            > This PR was automatically generated by the Weekly Dependency Updates workflow. Please wait
+            > for all CI steps to complete, and test any major changes personally.
+
+            Updates Performed:
+
+            - Updated dependencies using `npins update`
+            - Updated nixpkgs using `nix flake update nixpkgs`
+
+            If the verification steps have passed, updates should be safe to merge. For failing CI steps
+            submit a Pull Request targetting ${{ env.BRANCH_NAME }}