Add Nix flakes to Dependabot supported ecosystems (#43717)

Co-authored-by: Sharra-writes <sharra-writes@github.com>

Author: JamieMagee

content/code-security/reference/supply-chain-security/dependabot-options-reference.md

@@ -308,6 +308,7 @@ When set to `dependency-name`, {% data variables.product.prodname_dependabot %}
 **Limitations of cross-directory grouping**
 
 When using `group-by: dependency-name`:
+
 * All directories must use the same package ecosystem (for example, all `npm` or all `bundler`)
 * Applies to **version updates only**
 * If directories have incompatible version constraints for a dependency, {% data variables.product.prodname_dependabot %} will create separate pull requests
@@ -537,6 +538,9 @@ Package manager | YAML value      | Supported versions |
 | Go modules     | `gomod`          | v1               |
 | Gradle        | `gradle`         | Not applicable   |
 | Maven      | `maven`          | Not applicable   |
+| {% ifversion dependabot-nix-support %} |
+| Nix flakes | `nix`            | Not applicable   |
+| {% endif %} |
 | npm            | `npm`            |  v7, v8, v9, v10   |
 | NuGet          | `nuget`          | {% ifversion fpt or ghec or ghes > 3.14 %}<=6.12.0{% endif %} |
 | {% ifversion dependabot-opentofu-support %} |
@@ -713,6 +717,7 @@ Examples : `0 9 * * *`, `every day at 5pm`
 `0 9 * * *` is equivalent to "every day at 9am". `every day at 5pm` is equivalent to `0 17 * * *`.
 
 > [!NOTE]
+>
 > * Timezones must be specified in the [`timezone`](#timezone) parameter and not in the `cronjob`.
 > * A `cronjob` type schedule is required to use a `cron` interval.
 
@@ -872,11 +877,11 @@ New version `1.2.0`
 New version `2.0.0`
 
 * `increase`: new constraint `^2.0.0`
-* `increase-if-necessary`: new constraint `^2.0.0 `
+* `increase-if-necessary`: new constraint `^2.0.0`
 * `widen`: new constraint `>=1.0.0 <3.0.0`
 
 > [!NOTE]
-> If the package manager you use does not yet support configuring the `versioning-strategy` parameter, or does not support a value you need. The strategy code is open source, so if you'd like a particular ecosystem to support a new strategy, you are always welcome to submit a pull request in https://github.com/dependabot/dependabot-core/.
+> If the package manager you use does not yet support configuring the `versioning-strategy` parameter, or does not support a value you need, the strategy code is open source, so if you'd like a particular ecosystem to support a new strategy, you are always welcome to submit a pull request in <https://github.com/dependabot/dependabot-core/>.
 
 {% ifversion dependabot-updates-supported-versioning-tags %}
 

data/features/dependabot-nix-support.yml

@@ -0,0 +1,6 @@
+# Reference: https://github.com/dependabot/dependabot-core/pull/14498
+# Nix flake support for Dependabot
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '>3.21'

data/reusables/dependabot/supported-package-managers.md

@@ -33,6 +33,9 @@ git submodule  | `gitsubmodule`   | Not applicable | {% octicon "check" aria-lab
 Go modules     | `gomod`          | v1               | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} |
 [Gradle](#gradle)         | `gradle`         | Not applicable   | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} |
 [Maven](#maven)       | `maven`          | Not applicable   | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} |
+| {% ifversion dependabot-nix-support %} |
+[Nix](#nix)    | `nix`         | Not applicable               | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | Not applicable | Not applicable |
+| {% endif %} |
 npm            | `npm`            | v7, v8, v9, v10, v11   | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} |
 [NuGet](#nuget-cli)          | `nuget`          | {% ifversion fpt or ghec or ghes > 3.14 %}<=6.12.0{% endif %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} |
 | {% ifversion dependabot-opentofu-support %} |
@@ -146,6 +149,7 @@ To update the Gradle Wrapper, {% data variables.product.prodname_dependabot %} r
 For {% data variables.product.prodname_dependabot_security_updates %}, Gradle support is limited to manual uploads of the dependency graph data using the {% data variables.dependency-submission-api.name %}. For more information about the {% data variables.dependency-submission-api.name %}, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api).
 
 > [!NOTE]
+>
 > * When you upload Gradle dependencies to the dependency graph using the {% data variables.dependency-submission-api.name %}, all project dependencies are uploaded, even transitive dependencies that aren't explicitly mentioned in any dependency file. When an alert is detected in a transitive dependency, {% data variables.product.prodname_dependabot %} isn't able to find the vulnerable dependency in the repository, and therefore won't create a security update for that alert.
 > * {% data variables.product.prodname_dependabot_version_updates %} will, however, create pull requests when the parent dependency is explicitly declared as a direct dependency in the project's manifest file.
 
@@ -163,6 +167,16 @@ When configuring {% data variables.product.prodname_dependabot %} for Helm chart
 
 {% data variables.product.prodname_dependabot %} uses information from the `pom.xml` file of dependencies to add links to release information in update pull requests. If the information is omitted from the `pom.xml` file, then it cannot be included in {% data variables.product.prodname_dependabot %} pull requests, see [AUTOTITLE](/code-security/dependabot/ecosystems-supported-by-dependabot/optimizing-java-packages-dependabot).
 
+{% ifversion dependabot-nix-support %}
+
+### Nix
+
+{% data variables.product.prodname_dependabot %} monitors your `flake.lock` file and opens pull requests when newer commits are available upstream for your flake inputs. {% data variables.product.github %}, GitLab, SourceHut, and plain Git inputs are all supported. Updating pinned refs inside `flake.nix` itself (for example, changing `github:cachix/devenv/v0.5` to a newer tag) is not supported.
+
+{% data variables.product.prodname_dependabot %} does not currently support private repositories for the `nix` ecosystem.
+
+{% endif %}
+
 ### NuGet CLI
 
 {% data variables.product.prodname_dependabot %} doesn't run the NuGet CLI but does support most features up until version 6.8.0.
@@ -230,6 +244,7 @@ Private registry support applies to git registries only. Swift registries are no
 ### Terraform
 
 Terraform support includes:
+
 * Modules hosted on Terraform Registry or a publicly reachable Git repository.
 * Terraform providers.
 * Private Terraform Registry. You can configure access for private git repositories by specifying a git registry in your `dependabot.yml` file. For more information, see [`git`](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#git).