ci: periodically update dependencies

.github/workflows/update.yml

@@ -0,0 +1,89 @@
+name: Weekly Dependency Updates
+
+on:
+  workflow_dispatch:
+  schedule:
+    #  8 PM UTC every Friday
+    - cron: '0 20 * * 5'
+
+jobs:
+  update-dependencies:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+
+      - name: Set up Git
+        run: |
+          git config user.name "GitHub Actions Bot"
+          git config user.email "actions@github.com"
+
+      - name: Create branch for updates
+        run: |
+          DATE=$(date +%Y-%m-%d)
+          BRANCH_NAME="update/dependencies-$DATE"
+          git checkout -b $BRANCH_NAME
+          echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_ENV
+
+      - name: Update npins
+        run: npins update
+
+      # Only update npins. mnw might break on update, better to track it manually to avoid
+      # unexpected breakage.
+      - name: Update nixpkgs
+        run: nix flake update nixpkgs
+
+      - name: Check for changes
+        id: check_changes
+        run: |
+          if git diff --quiet; then
+            echo "No changes detected"
+            echo "changes_detected=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          else
+            echo "Changes detected"
+            echo "changes_detected=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Verify changes
+        if: steps.check_changes.outputs.changes_detected == 'true'
+        run: |
+          # Run verification tests to ensure updates don't break anything
+          nix flake check
+
+          # Worth adding additional checks for, e.g., fragile plugins
+          # or modules
+          # nix build .#checks.<system>.check-name
+
+      - name: Set date variable
+        run: echo "DATE=$(date +%Y-%m-%d)" >> "$GITHUB_ENV"
+
+      - name: Commit and push changes
+        if: steps.check_changes.outputs.changes_detected == 'true'
+        run: |
+          git add .
+          git commit -m "pins: bump all plugins (${{ env.DATE }})"
+          git push -u origin $BRANCH_NAME
+
+      - name: Create Pull Request
+        if: steps.check_changes.outputs.changes_detected == 'true'
+        uses: peter-evans/create-pull-request@v7
+        with:
+          branch: ${{ env.BRANCH_NAME }}
+          base: main
+          labels: dependencies,automated pr
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: "npins: bump all plugins (${{ env.DATE }})"
+          title: "Weekly Dependency Updates: ${{ env.DATE }}"
+          body: |
+            This PR was automatically generated by the **Weekly Dependency Updates** workflow. Please wait
+            for all checks to pass before merging.
+
+            Updates:
+            - Updated dependencies using `npins update`
+            - Updated nixpkgs using `nix flake update nixpkgs`
+
+            The verification steps have passed, updates should be safe to merge.