add github actions and dependabot

.github/.gitignore

@@ -0,0 +1 @@
+/flake.lock

.github/dependabot.yml

@@ -0,0 +1,18 @@
+version: 2
+updates:
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: weekly
+    groups:
+      npm-dependencies:
+        patterns:
+          - "*"
+  - package-ecosystem: cargo
+    directory: /
+    schedule:
+      interval: weekly
+    groups:
+      cargo-dependencies:
+        patterns:
+          - "*"

.github/flake.nix

@@ -0,0 +1,50 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+  };
+
+  outputs = { nixpkgs, ... }:
+    let
+      inherit (nixpkgs) lib;
+
+      makePackages = (system: dev:
+        let
+          pkgs = import nixpkgs {
+            inherit system;
+          };
+        in
+        {
+          update-nix-hashes = pkgs.writeShellApplication {
+            name = "update-nix-hashes";
+            runtimeInputs = with pkgs; [
+              coreutils
+              gnugrep
+              nix
+              prefetch-npm-deps
+              sd
+            ];
+            text = ''
+              NPM_FLAKE_PATH="$1"
+              PACKAGE_LOCK_PATH="$2"
+
+              OLD_HASH="$(nix eval --raw ".#$NPM_FLAKE_PATH.npmDepsHash")"
+              NEW_HASH="$(prefetch-npm-deps "$PACKAGE_LOCK_PATH" 2>/dev/null)"
+
+              echo "$OLD_HASH" "$NEW_HASH"
+              test "$OLD_HASH" = "$NEW_HASH" && exit 0
+
+              grep -q "$OLD_HASH" flake.nix || { echo "couldn't find old hash in flake.nix"; exit 1; }
+              sd --fixed-strings "$OLD_HASH" "$NEW_HASH" flake.nix
+              grep -q "$NEW_HASH" flake.nix || { echo "couldn't find new hash in flake.nix"; exit 1; }
+            '';
+          };
+        }
+      );
+    in
+    builtins.foldl' lib.recursiveUpdate { } (builtins.map
+      (system: {
+        devShells.${system} = makePackages system true;
+        packages.${system} = makePackages system false;
+      })
+      lib.systems.flakeExposed);
+}

.github/workflows/build.yml

@@ -0,0 +1,19 @@
+name: Build
+
+on:
+  push:
+    branches: [master, main]
+  workflow_dispatch:
+
+concurrency:
+  group: build-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - run: nix build --print-build-logs .

.github/workflows/update-lock-files.yml

@@ -0,0 +1,37 @@
+name: Update lock files
+
+on:
+  schedule:
+    - cron: "0 0 1 * *" # monthly
+  workflow_dispatch:
+
+concurrency:
+  group: update-lock-files-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update_lock_files:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - run: nix flake update
+      - run: git diff && git add -v .
+      - run: nix develop --print-build-logs . -c cargo update
+      - run: git diff && git add -v .
+      - run: nix develop --print-build-logs . -c npm update
+      - run: git diff && git add -v .
+      - run: nix run --no-write-lock-file --print-build-logs ./.github#update-nix-hashes -- default package-lock.json
+      - run: git diff && git add -v .
+      - run: nix build --print-build-logs .
+      - uses: peter-evans/create-pull-request@v6
+        with:
+          branch: update-lock-files
+          title: Update lock files
+          body: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          commit-message: "Update lock files"

.github/workflows/update-nix-hashes.yml

@@ -0,0 +1,33 @@
+name: Update nix hashes
+
+on:
+  pull_request:
+    branches: [master, main]
+
+concurrency:
+  group: update-nix-hashes-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: write
+
+env:
+  GIT_AUTHOR_NAME: github-actions[bot]
+  GIT_AUTHOR_EMAIL: 41898282+github-actions[bot]@users.noreply.github.com
+  GIT_COMMITTER_NAME: github-actions[bot]
+  GIT_COMMITTER_EMAIL: 41898282+github-actions[bot]@users.noreply.github.com
+
+jobs:
+  update_nix_hashes:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.head_ref }}
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - run: nix run --no-write-lock-file --print-build-logs ./.github#update-nix-hashes -- default package-lock.json
+      - run: git diff && git add -v .
+      - run: nix build --print-build-logs .
+      - run: "git commit -m 'nix: update hashes' || true"
+      - run: git push origin