ci: revert actions/checkout to v5 due to update-flake-lock incompatibility

Root cause: DeterminateSystems/update-flake-lock@v27 uses
peter-evans/create-pull-request@v6.0.5 internally, which is incompatible
with actions/checkout@v6's new credential storage mechanism.

The Problem Chain:
- actions/checkout@v6 moved credentials from .git/config to $RUNNER_TEMP
  (security improvement)
- peter-evans/create-pull-request@v6.0.5 cannot access credentials from
  the new $RUNNER_TEMP location
- This causes exit code 128 when update-flake-lock tries to create PRs

The Fix:
- create-pull-request@v7.0.9 fixed v6 compatibility
- However, update-flake-lock@v27 (released July 2025) hasn't upgraded yet
- Reverting to v5 restores working credential access

Next Steps:
- Can upgrade to v6 once update-flake-lock uses create-pull-request@v7.0.9+
  - https://github.com/DeterminateSystems/update-flake-lock/pull/224
- Dependabot configured to ignore v6 upgrades until compatibility is fixed

Fixes: https://github.com/nix-community/home-manager/actions/runs/19712979574
See: https://github.com/peter-evans/create-pull-request/issues/690

Signed-off-by: Austin Horstman <khaneliman12@gmail.com>
Austin Horstman
2025-11-26 12:42:01 -06:00
parent 946907fa6a
commit 8220473f95
2 changed files with 14 additions and 1 deletions

@@ -35,7 +35,12 @@ jobs:
echo "email=$id+$name@users.noreply.github.com"
} >> "$GITHUB_OUTPUT"
- name: Checkout repository
uses: actions/checkout@v6
# NOTE: v6 is incompatible with update-flake-lock@v27 due to credential
# storage changes. update-flake-lock uses peter-evans/create-pull-request@v6.0.5
# which doesn't work with v6's $RUNNER_TEMP credential storage.
# Can upgrade to v6 once update-flake-lock uses create-pull-request@v7.0.9+
# See: https://github.com/peter-evans/create-pull-request/issues/690
uses: actions/checkout@v5
with:
ref: ${{ matrix.branch }}
token: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
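
Review bot: the NOTE above `uses: actions/checkout@v5` explains the incompatibility but not what the revert gives up. Per the commit message, v6 moved credentials out of `.git/config`, so on v5 the value passed as `token:` (the app token or `secrets.GITHUB_TOKEN`) is stored in `.git/config` again for the rest of the job. I would state that in the comment so the pin is read as a temporary security trade-off rather than a plain version preference. The comment also links only the create-pull-request issue; adding https://github.com/DeterminateSystems/update-flake-lock/pull/224 from the commit message would give whoever revisits this the actual condition for moving back to v6.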