chore: add monthly flake.lock inputs update workflow

[yvan-sraka]

Adds GitHub Action to automatically update flake.lock every Month. Uses Mic92/update-flake-inputs to create PRs with updated dependencies, preventing large, painful updates like the recent 2-year gap... #1714

Targets develop branch with automated and dependencies labels. Can also be triggered manually via workflow_dispatch.

The workflow is configured with GITHUB_TOKEN which works but won't trigger CI workflows on the created pull requests (GitHub prevents this to avoid infinite loops).

For CI workflows to run on the created PRs, you should set up a GitHub App:

1. Easy setup: Use the web interface to create a GitHub App with correct permissions
2. Configure secrets: Save the App ID as APP_ID and private key as APP_PRIVATE_KEY in repository secrets
3. Update workflow: Replace the github-token step to use the GitHub App token

See the full documentation for detailed instructions.

The current basic setup will work fine for creating PRs, the GitHub App is only needed if you want CI to automatically run on those PRs.

Summary by CodeRabbit

• Chores
  • Added an automated workflow to keep dependencies up to date, running monthly and also triggerable manually to help maintain project stability and currency.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Adds a GitHub Actions workflow that runs monthly and on-demand to checkout the repo, install Nix, obtain a GitHub App token, and run Mic92/update-flake-inputs to update the Nix flake.lock.

Changes

Cohort / File(s)	Summary
Nix Flake Lock Update Workflow \.github/workflows/update-flake-lock\.yml	Adds a new workflow "Update Flake Lock" triggered by workflow_dispatch and a monthly cron. Steps: checkout repo, ephemeral Nix install, generate GitHub App token from secrets, and run Mic92/update-flake-inputs to refresh flake.lock with dependency PR labels.

Sequence Diagram(s)

sequenceDiagram
    participant Scheduler as Scheduler (cron / manual)
    participant GH_Actions as GitHub Actions
    participant Repo as Repository
    participant NixAction as ephemeral-nix-action
    participant GHApp as GitHub App Token Action
    participant UpdateAction as Mic92/update-flake-inputs

    Scheduler->>GH_Actions: trigger workflow
    GH_Actions->>Repo: checkout code
    GH_Actions->>NixAction: install ephemeral Nix
    GH_Actions->>GHApp: generate GitHub App token (from secrets)
    GH_Actions->>UpdateAction: run update-flake-inputs (with token, labels)
    UpdateAction->>Repo: update flake.lock -> open PR

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

• hunleyd
• samrose

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The pull request title accurately describes the main change: adding a monthly workflow to update flake.lock inputs.
Description check	✅ Passed	The pull request provides a comprehensive description covering purpose, configuration details, limitations with GITHUB_TOKEN, and setup instructions for GitHub App integration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}