github: automatically update flake.lock every week

Summary: Keeping the flake.lock up to date and 'fresh' is nice for
all the same reasons that apply to things like Cargo, Poetry, etc.

Unfortunately, dependabot doesn't have support for Nix flakes. There is also
no mechanism to add 'out of band' updates through dependabot, at least not yet.
Instead, we use the `update-flake-lock` action from Determinate Systems, which
can paper over it for us.

This updates once a week on Sunday, which is pretty fine, I think.

A theoretical downside of this approach is that we can't group updates together
like dependabot does; but dependabot only groups 'related' updates together,
i.e. updates to Cargo dependencies. If it also detected updates for e.g. Poetry
or Nix, it would make separate PRs for those.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
Change-Id: I6f447deffc545da77fb320519abcf437

.github/workflows/nix-update-flake.yml

@@ -0,0 +1,22 @@
+name: Update nix flake.lock
+on:
+  workflow_dispatch: # allows manual triggering
+  schedule:
+    - cron: '40 3 * * 0' # runs weekly on Sunday at 03:40
+
+jobs:
+  lockfile:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@bc7b19257469c8029b46f45ac99ecc11156c8b2d
+      - name: Update flake.lock
+        uses: DeterminateSystems/update-flake-lock@da2fd6f2563fe3e4f2af8be73b864088564e263d
+        with:
+          pr-title: "nix: update flake.lock"
+          pr-assignees: thoughtpolice
+          pr-reviewers: thoughtpolice
+          pr-labels: |
+            dependencies