ci: revert actions/checkout to v5 due to update-flake-lock incompatibility

Root cause: DeterminateSystems/update-flake-lock@v27 uses
peter-evans/[email protected] internally, which is incompatible
with actions/checkout@v6's new credential storage mechanism.

The Problem Chain:
- actions/checkout@v6 moved credentials from .git/config to $RUNNER_TEMP
  (security improvement)
- peter-evans/[email protected] cannot access credentials from
  the new $RUNNER_TEMP location
- This causes exit code 128 when update-flake-lock tries to create PRs

The Fix:
- [email protected] fixed v6 compatibility
- However, update-flake-lock@v27 (released July 2025) hasn't upgraded yet
- Reverting to v5 restores working credential access

Next Steps:
- Can upgrade to v6 once update-flake-lock uses [email protected]+
  - DeterminateSystems/update-flake-lock#224
- Dependabot configured to ignore v6 upgrades until compatibility is fixed

Fixes: https://github.com/nix-community/home-manager/actions/runs/19712979574
See: peter-evans/create-pull-request#690

Signed-off-by: Austin Horstman <[email protected]>

Author: khaneliman

.github/dependabot.yml

@@ -7,6 +7,10 @@ updates:
       interval: "weekly"
     commit-message:
       prefix: "ci:"
+    ignore:
+      # Ignore v6 until update-flake-lock upgrades to [email protected]+
+      - dependency-name: "actions/checkout"
+        update-types: ["version-update:semver-major"]
 
   - package-ecosystem: "github-actions"
     directory: "/"
@@ -15,3 +19,7 @@ updates:
       interval: "weekly"
     commit-message:
       prefix: "ci:"
+    ignore:
+      # Ignore v6 until update-flake-lock upgrades to [email protected]+
+      - dependency-name: "actions/checkout"
+        update-types: ["version-update:semver-major"]

.github/workflows/update-flake.yml

@@ -35,7 +35,12 @@ jobs:
             echo "[email protected]"
           } >> "$GITHUB_OUTPUT"
       - name: Checkout repository
-        uses: actions/checkout@v6
+        # NOTE: v6 is incompatible with update-flake-lock@v27 due to credential
+        # storage changes. update-flake-lock uses peter-evans/[email protected]
+        # which doesn't work with v6's $RUNNER_TEMP credential storage.
+        # Can upgrade to v6 once update-flake-lock uses [email protected]+
+        # See: https://github.com/peter-evans/create-pull-request/issues/690
+        uses: actions/checkout@v5
         with:
           ref: ${{ matrix.branch }}
           token: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}