
ci(deps): automate dependency updates

Signed-off-by: Christina Sørensen <ces@fem.gg>
Christina Sørensen 7 miesięcy temu
rodzic
commit
cf8669ebf6

+ 47 - 0
.github/workflows/update-dependencies.sh

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+# SPDX-FileCopyrightText: 2025 Christina Sørensen
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+set -euo pipefail
+
+commit_changes() {
+  local file_to_check="$1"
+  local commit_subject="$2"
+  local commit_body="$3"
+
+  # Check if the file has changes staged or unstaged
+  if ! git diff --quiet --exit-code "$file_to_check"; then
+    echo "$file_to_check has been updated. Committing changes."
+    git add "$file_to_check"
+    
+    printf "%s\n\n%s" "$commit_subject" "$commit_body" | git commit -F -
+  else
+    echo "No changes to $file_to_check. Skipping commit."
+  fi
+}
+
+BRANCH_NAME="deps_update_$(date --iso-8601)"
+if git rev-parse --verify "$BRANCH_NAME" >/dev/null 2>&1; then
+  echo "Branch '$BRANCH_NAME' already exists. Checking out."
+  git switch "$BRANCH_NAME"
+else
+  git switch -c "$BRANCH_NAME"
+fi
+
+# 1. Update Cargo dependencies
+echo "Checking for Cargo dependency updates..."
+# Redirect stderr to stdout to capture cargo's output.
+CARGO_OUTPUT=$(cargo update --recursive 2>&1)
+UPDATED_CRATES=$(echo "$CARGO_OUTPUT" | grep 'Updating' || true)
+commit_changes "Cargo.lock" "build(deps): cargo bump $(date --iso-8601)" "$UPDATED_CRATES"
+
+# 2. Update Nix Flake dependencies
+echo "Checking for Nix Flake dependency updates..."
+# Use grep -A 2 to capture the 2 lines *after* the match.
+FLAKE_OUTPUT=$(nix flake update 2>&1)
+UPDATED_FLAKES=$(echo "$FLAKE_OUTPUT" | grep -A 2 'Updated input' || true)
+commit_changes "flake.lock" "build(deps): flake bump $(date --iso-8601)" "$UPDATED_FLAKES"
+
+echo "Dependency update process complete."
+git status
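Review bot: With `set -euo pipefail` in effect, a failing `cargo update` or `nix flake update` aborts the script at the `CARGO_OUTPUT=$(…)` / `FLAKE_OUTPUT=$(…)` assignment, and because stderr was folded into the captured variable, nothing about the failure reaches the CI log. Print the capture before exiting, e.g. `CARGO_OUTPUT=$(cargo update --recursive 2>&1) || { printf '%s\n' "$CARGO_OUTPUT" >&2; exit 1; }`, and do the same for the flake step. In `commit_changes` the comment says "staged or unstaged", but `git diff --quiet` without `--cached` only compares the working tree with the index, so it should read `# Check whether the file has unstaged changes`. The branch test `git rev-parse --verify "$BRANCH_NAME"` can also resolve a tag of the same name; `git show-ref --verify --quiet "refs/heads/$BRANCH_NAME"` restricts it to local branches.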

+ 44 - 0
.github/workflows/update-dependencies.yaml

@@ -0,0 +1,44 @@
+# SPDX-FileCopyrightText: 2025 Christina Sørensen
+#
+# SPDX-License-Identifier: EUPL-1.2
+name: "Automated Dependency Bump"
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 0 * * 4'
+jobs:
+  update-and-create-pr:
+    runs-on: ubuntu-latest
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}
+      cancel-in-progress: true
+    steps:
+      - name: "Checkout repository"
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: "Install Nix"
+        uses: cachix/install-nix-action@v22
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+      - name: "Set up Git credentials"
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+      - name: "Run update script"
+        id: run_script
+        run: |
+          chmod +x .github/workflows/update-dependencies.sh
+          .github/workflows/update-dependencies.sh
+
+          BRANCH_NAME=$(git rev-parse --abbrev-ref HEAD)
+          echo "branch=${BRANCH_NAME}" >> $GITHUB_OUTPUT
+      - name: "Create Pull Request"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh pr create \
+            --title "build(deps): Automatic dependency updates for $(date --iso-8601)" \
+            --body "This PR was automatically generated by a GitHub Action to update crate and flake dependencies. Please review the changes and merge." \
+            --base main \
+            --head ${{ steps.run_script.outputs.branch }}
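Review bot: No visible step pushes the branch that `update-dependencies.sh` creates, so `gh pr create --head …` in the last step has no remote head to open a pull request from; add `git push --set-upstream origin "$BRANCH_NAME"` before it, and skip the step when the script made no commits. The job also relies on the repository's default `GITHUB_TOKEN` scope; a job-level `permissions:` block granting only `contents: write` and `pull-requests: write` makes the required access explicit and keeps it minimal. `${{ steps.run_script.outputs.branch }}` is expanded into the script text before the shell runs, so pass it through `env:` and use `--head "$BRANCH_NAME"` instead, and quote `"$GITHUB_OUTPUT"` in the previous step. Because this job holds a write-capable token and commits lockfile changes, consider pinning `actions/checkout@v4` and `cachix/install-nix-action@v22` to full commit SHAs rather than mutable tags.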