Automate Nix vendorHash updates in nix-shell-test workflow

[Copilot]

Description

When Go dependencies change, the Nix vendorHash in pkgs/defang/cli.nix becomes stale, causing nix-shell-test to fail with the correct hash in the error output. This workflow now automatically extracts that hash, updates the file, and commits the change.

Workflow changes:

• Added permissions: contents: write for automated commits
• Modified test step to capture output with continue-on-error: true
• Extract hash from Nix error using grep 'got:' | grep -oP 'sha256-[A-Za-z0-9+/]+=*'
• Validate extracted hash matches expected format (44 base64 chars + '=')
• Update cli.nix using sed with safe delimiter (@)
• Commit and push with github-actions[bot] credentials
• Re-run test to verify the fix

Error handling:

• Only triggers on test failure
• Shows last 20 lines of output if hash extraction fails
• Exits with error if hash format is invalid

Linked Issues

Closes #[issue_number]

Checklist

• I have performed a self-review of my code
• I have added appropriate tests
• I have updated the Defang CLI docs and/or README to reflect my changes, if necessary

Original prompt

---

This section details on the original issue you should resolve

<issue_title>automate nix-shell-test update</issue_title>
<issue_description>When a dependency is added or updated, we need to update the nix vendor hash. We currently have a workflow called nix-shell-test, which validates that the vendor hash is correct. When the hash is not correct, we see the following error in the logs:

Error: Replace the vendorHash in cli.nix with the correct value:    sha256-+fRKEzSNEwTT3xqFYKsoO3CtQi0GKY+EOq2bPYUusQI=`

Update the nix-shell-test workflow to automatically create a commit on the current branch with the updated vendor hash.</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes automate nix-shell-test update #1663

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.