ci: Add weekly workflow to refresh nix-branch flake

GitHub Actions schedules and workflow_dispatch only fire from the
default branch, so the updater for the orphan `nix` branch lives
here. Each Monday it checks out `nix`, runs update.py to fetch the
latest gitopolis release's SHA256SUMS, and pushes the bumped
flake.nix back to `nix` if anything changed.

The commit identity used by the workflow is the standard
github-actions[bot] one. The email format
`<user-id>+<username>@users.noreply.github.com` is GitHub's noreply
scheme; `41898282` is the stable user ID for github-actions[bot].
Using this identity gives the auto-bump commits the bot avatar in
the GitHub UI and a "Verified" badge (the default GITHUB_TOKEN
auto-signs commits made under it), and keeps them visually distinct
from human commits in git log.

Assisted-by: Claude:Opus-4.7-1M [Claude-Code]

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: timabell

.github/workflows/update-nix-flake.yml

@@ -0,0 +1,34 @@
+name: update-nix-flake
+
+on:
+  schedule:
+    - cron: '0 8 * * 1'
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+jobs:
+  update:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout nix branch
+        uses: actions/checkout@v4
+        with:
+          ref: nix
+
+      - name: Run updater
+        run: python3 update.py
+
+      - name: Commit and push if changed
+        run: |
+          if git diff --quiet flake.nix; then
+            echo "flake.nix unchanged"
+            exit 0
+          fi
+          VERSION=$(grep -oP 'version = "\K[^"]+' flake.nix | head -1)
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add flake.nix
+          git commit -m "chore: update to gitopolis v${VERSION}"
+          git push