Automatically fix flake.nix hashes from dependabot PRs

I recently made this change in our fork of golinks, and thought I'd upstream it.

This patch uses Determinate Nix 3.3's feature of being able to automatically fix invalid Nix hashes in CI.

More context: https://determinate.systems/posts/changelog-determinate-nix-331/#automatic-hash-mismatches-fixes-in-github-actions 

Signed-off-by: Graham Christensen <[email protected]>

Author: grahamc

.github/workflows/nix.yml

@@ -10,14 +10,39 @@ on:
 
 jobs:
   build:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@v3
         with:
           fetch-depth: 2
 
-      - uses: cachix/install-nix-action@v16
+      - uses: DeterminateSystems/nix-installer-action@main
+        with:
+          determinate: true
 
       - name: Run build
         run: nix build
+
+      - name: Fix hash mismatches
+        if: failure() && github.event_name == 'pull_request'
+        id: fix-hashes
+        run: |
+          git stash --include-untracked
+          git fetch --depth=1 origin "$GITHUB_HEAD_REF"
+          git checkout -B "$GITHUB_HEAD_REF" "${{ github.event.pull_request.head.sha }}"
+
+          determinate-nixd fix hashes --auto-apply
+
+          if ! git diff --quiet; then
+            git config user.name "github-actions[bot]"
+            git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+            git add --update --ignore-removal .
+            git commit -m "[dependabot skip] Automatically fix Nix hashes"
+            git push origin "$GITHUB_HEAD_REF"
+          fi
+
+          git checkout -
+          git stash pop || true