ci: add dependabot and nix flake update workflows [ENG-11704] (#71)

* chore(ci): add dependabot and nix flake update workflows

- Add dependabot.yaml for automated dependency updates
  - Python dependencies (pip) with weekly schedule
  - GitHub Actions with weekly schedule
  - Group dev dependencies and AI framework dependencies
- Add nix-flake-update.yaml workflow
  - Scheduled weekly Nix flake input updates
  - Auto-creates PR with merge enabled

* Apply suggestion from @Copilot

Co-authored-by: Copilot <[email protected]>

* Apply suggestions from code review

Co-authored-by: Copilot <[email protected]>

---------

Co-authored-by: Guillaume <[email protected]>
Co-authored-by: Copilot <[email protected]>

Author: 3 people

.github/dependabot.yaml

@@ -0,0 +1,58 @@
+# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+version: 2
+updates:
+  # Python dependencies (uv/pip)
+  - package-ecosystem: pip
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+      time: "09:00"
+      timezone: Europe/London
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: "chore(deps)"
+    labels:
+      - dependencies
+      - python
+    groups:
+      dev-dependencies:
+        patterns:
+          - "pytest*"
+          - "ruff"
+          - "ty"
+          - "pre-commit"
+        update-types:
+          - minor
+          - patch
+      ai-frameworks:
+        patterns:
+          - "openai*"
+          - "langchain*"
+          - "crewai*"
+          - "mcp*"
+        update-types:
+          - minor
+          - patch
+
+  # GitHub Actions
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+      time: "09:00"
+      timezone: Europe/London
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "chore(deps)"
+    labels:
+      - dependencies
+      - github-actions
+    groups:
+      actions:
+        patterns:
+          - "*"
+        update-types:
+          - minor
+          - patch

.github/workflows/nix-flake-update.yaml

@@ -0,0 +1,63 @@
+name: "Scheduled: Nix flake update"
+
+on:
+  schedule:
+    # Run every Monday at 09:00 UTC (aligns with Dependabot's 09:00 Europe/London schedule in winter; 10:00 Europe/London in summer)
+    - cron: "0 9 * * 1"
+  workflow_dispatch: # Allow manual trigger
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update-flake:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+
+      - name: Setup Nix
+        uses: ./.github/actions/setup-nix
+
+      - name: Update flake.lock
+        run: nix flake update
+
+      - name: Check if flake.lock changed
+        id: check-changes
+        run: |
+          if git diff --quiet flake.lock; then
+            echo "changed=false" >> $GITHUB_OUTPUT
+          else
+            echo "changed=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Create Pull Request
+        id: create-pr
+        if: steps.check-changes.outputs.changed == 'true'
+        uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: "chore(deps): update nix flake inputs"
+          title: "chore(deps): update nix flake inputs"
+          body: |
+            ## Summary
+            - Automated update of Nix flake inputs
+
+            ## Test plan
+            - [ ] `nix flake check` passes in CI
+            - [ ] Development shell works correctly
+
+            ---
+            🤖 This PR was automatically created by the scheduled Nix flake update workflow.
+          branch: chore/nix-flake-update
+          labels: |
+            dependencies
+            nix
+          delete-branch: true
+
+      - name: Enable auto-merge
+        if: steps.create-pr.outputs.pull-request-number
+        run: gh pr merge --auto --squash "${{ steps.create-pr.outputs.pull-request-url }}"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}