Update flake.lock #217

	name: Update flake.lock

	on:
	workflow_dispatch:
	inputs:
	flake-inputs:
	description: "Space-separated flake inputs to update; empty updates all."
	type: string
	default: ""
	# Reusable: ix (and any other indexable-inc repo) calls this same job via
	# `uses: indexable-inc/index/.github/workflows/update-flake-lock.yml@main`
	# so the flake-bump mechanics live in one place. The caller supplies the
	# schedule and the contents/PR permissions. A caller whose flake has private
	# inputs the GitHub-hosted runner cannot fetch passes `flake-inputs` to
	# update only the public ones (e.g. ix scopes to `index`).
	workflow_call:
	inputs:
	flake-inputs:
	description: "Space-separated flake inputs to update; empty updates all."
	type: string
	default: ""
	schedule:
	- cron: "17 * * * *"

	permissions:
	contents: read

	jobs:
	update-flake-lock:
	runs-on: ubuntu-latest
	permissions:
	contents: write
	id-token: write
	pull-requests: write
	steps:
	- name: Checkout repository
	uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6

	- name: Install Determinate Nix
	uses: DeterminateSystems/determinate-nix-action@9adf02b41cfdac2632e1c16f0480ff5bf3b05dd6 # v3

	- name: Update flake.lock
	uses: DeterminateSystems/update-flake-lock@834c491b2ece4de0bbd00d85214bb5e83b4da5c6 # v28
	with:
	base: main
	branch: update-flake-lock
	commit-msg: "flake.lock: update"
	pr-title: "Update Nix flake inputs"
	# Empty for schedule/dispatch on index (all inputs public); a caller
	# scopes this to avoid fetching private inputs it can't auth for.
	inputs: ${{ inputs.flake-inputs }}

Provide feedback