add workflow

Author: kalbasit

.github/workflows/flake-update.yml

@@ -0,0 +1,49 @@
+name: "Flake.lock: update Nix dependencies"
+on:
+  workflow_dispatch: # allows manual triggering
+  schedule:
+    - cron: "0 0 * * 0" # runs weekly on Sunday at 00:00
+jobs:
+  nix-flake-update:
+    permissions:
+      contents: write
+      id-token: write
+      issues: write
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          token: ${{ secrets.GHA_PAT_TOKEN }}
+      - uses: cachix/install-nix-action@v31
+      - uses: cachix/cachix-action@v16
+        with:
+          name: kalbasit
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+      - name: update flake.lock and run go mod tidy
+        id: update-flake-lock-and-go-mod-tidy
+        run: |
+          nix flake update
+          nix develop --command go mod tidy
+      - uses: EndBug/add-and-commit@v9
+        if: ${{ steps.update-flake-lock-and-go-mod-tidy.outcome == 'success' }}
+        id: commit
+        with:
+          default_author: github_actions
+          message: "chore: update flake.lock and run go mod tidy"
+          fetch: false
+          new_branch: "update-flake-lock"
+          push: --set-upstream origin "update-flake-lock" --force
+      - uses: thomaseizinger/create-pull-request@1.4.0
+        if: ${{ steps.commit.outputs.pushed == 'true' }}
+        id: create_pr
+        with:
+          github_token: ${{ secrets.GHA_PAT_TOKEN }}
+          head: "update-flake-lock"
+          base: main
+          title: "chore: update flake.lock and run go mod tidy"
+      - name: enable automerge
+        if: ${{ steps.create_pr.outputs.created }}
+        run: gh pr merge --squash --auto "${{ steps.create_pr.outputs.number }}"
+        env:
+          GH_TOKEN: "${{ secrets.GHA_PAT_TOKEN }}"