Commit 62422ea

ci(vendor-hash): fix fake-hash leak; batch indirect Go deps (micasa-dev#976)
Two fixes tied to PR micasa-dev#974, where `update-vendor-hash.yml` committed `sha256-AAAAAAAAAAAA...=` to `nix/package.nix`.

## What went wrong

Renovate opened micasa-dev#974 to major-bump `github.com/openai/openai-go` (indirect). Nothing in the repo imports `openai-go/v3` — `go mod why github.com/openai/openai-go/v3` reports `(main module does not need package ...)` — so `go mod tidy` in the vendor-hash workflow removes it. The vendor contents then match the pre-PR state, so `new_hash == old_hash`.

The compute step writes the fake sentinel first, runs `nix build`, parses `got: sha256-...`, then — on the `old_hash == new_hash` branch — exits before the final `sed` that restores the real hash. `go mod tidy` still left `go.mod`/`go.sum` changes, so `git diff --cached` wasn't empty, and `Commit and push` ran with the fake hash still in `nix/package.nix`. `Verify build` was gated on `changed == 'true'` so it was skipped.

See run [24829437487](https://github.com/micasa-dev/micasa/actions/runs/24829437487): `vendorHash unchanged (sha256-wDz1EKWKPkubV8NcBGQnLnRi4XT0rCjOQBKtO/yRdds=), nothing to do` immediately followed by `[renovate/major-go-indirect ee7cceb] chore: update vendorHash for Go dependency changes`.

## Changes

- `.github/workflows/update-vendor-hash.yml` — move the restoration `sed` ahead of the unchanged-check, so the file always holds a real hash before any exit. Pipe `grep` through `head -n1` as a defense against multi-line output.
- `renovate.json` — set `separateMajorMinor`, `separateMultipleMajor`, and `separateMinorPatch` to `false` on the `go-indirect` rule so every indirect update lands in one PR regardless of semver level.

## Reproduction

1. Open a Renovate PR that bumps only an unused indirect dep (e.g. `openai-go` v1 → v3).
2. `update-vendor-hash.yml` fires on the push.
3. `go mod tidy` removes the unused dep; vendor contents unchanged.
4. Before the fix: fake hash is committed. After the fix: the real hash is restored and only `go.mod`/`go.sum` (if tidied) end up in the commit.

## Follow-up

PR micasa-dev#974 still has the fake-hash commit in its branch history and now conflicts on `nix/package.nix` with micasa-dev#973's legitimate vendorHash update. Once this merges, close micasa-dev#974 — Renovate will open a replacement under the new batched config.
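The failure described in the commit message, as an added shell example (not the project's workflow code): the buggy step ordering beside the fixed one, run against a constructed one-line `package.nix` fragment and a stand-in for `nix build` output. It assumes `old_hash` is read from the file before the sentinel swap, which the excerpt does not show.

```shell
#!/bin/sh
# Added example (not the project's workflow): reproduce the fake-hash leak
# described above with a stand-in for `nix build`, then the fixed ordering.
# Hashes, the package.nix fragment and the two "got:" lines are constructed.

# Stand-in for `nix build '.#micasa' 2>&1`: the hash-mismatch error Nix
# prints for a fixed-output derivation. A second "got:" line is included
# on purpose to show what `head -n1` guards against.
fake_nix_build() {
  printf 'error: hash mismatch in fixed-output derivation\n'
  printf '  specified: sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\n'
  printf '         got: sha256-REALHASHREALHASHREALHASHREALHASHREALHASHRE=\n'
  printf '         got: sha256-SECONDLINEMUSTBEIGNOREDSECONDLINEMUSTBEIG=\n'
}

# First `got:` hash in the build output (the workflow's grep | head -n1).
extract_hash() {
  printf '%s\n' "$1" | grep -oP 'got:\s+\Ksha256-[A-Za-z0-9+/=]+' | head -n1 || true
}

# Write a one-line package.nix fragment holding $1 as vendorHash into file $2.
write_pkg() { printf 'vendorHash = "%s";\n' "$1" > "$2"; }

# compute_hash <file> <mode>: "before" mirrors the buggy step (the early exit
# on an unchanged hash comes before the restore), "after" mirrors the fix.
# Prints the step's changed=... output and leaves the file as the step would.
compute_hash() {
  pkg=$1; mode=$2
  fake_hash='sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
  old_hash=$(grep -o 'sha256-[A-Za-z0-9+/=]*' "$pkg" | head -n1)  # assumed: read before the swap
  sed -i "s|vendorHash = \"sha256-[^\"]*\";|vendorHash = \"$fake_hash\";|" "$pkg"
  output=$(fake_nix_build 2>&1 || true)
  new_hash=$(extract_hash "$output")
  if [ -z "$new_hash" ]; then echo "::error::Failed to extract vendorHash"; return 1; fi
  if [ "$mode" = after ]; then  # fixed ordering: a real hash is in place before any return
    sed -i "s|vendorHash = \"$fake_hash\";|vendorHash = \"$new_hash\";|" "$pkg"
  fi
  if [ "$old_hash" = "$new_hash" ]; then
    echo "changed=false"; return 0  # buggy ordering returns here with the fake hash still on disk
  fi
  if [ "$mode" = before ]; then  # buggy ordering restores only on this path
    sed -i "s|vendorHash = \"$fake_hash\";|vendorHash = \"$new_hash\";|" "$pkg"
  fi
  echo "changed=true"
}
```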
1 parent 074ef21 commit 62422ea

2 files changed

Lines changed: 11 additions & 4 deletions


.github/workflows/update-vendor-hash.yml

Lines changed: 6 additions & 2 deletions
@@ -102,21 +102,25 @@ jobs:
102102
sed -i "s|vendorHash = \"sha256-[^\"]*\";|vendorHash = \"$fake_hash\";|" nix/package.nix
103103
104104
output=$(nix build '.#micasa' 2>&1 || true)
105-
new_hash=$(echo "$output" | grep -oP 'got:\s+\Ksha256-[A-Za-z0-9+/=]+' || true)
105+
new_hash=$(echo "$output" | grep -oP 'got:\s+\Ksha256-[A-Za-z0-9+/=]+' | head -n1 || true)
106106
107107
if [ -z "$new_hash" ]; then
108108
echo "::error::Failed to extract vendorHash from nix build output"
109109
echo "$output"
110110
exit 1
111111
fi
112112
113+
# Restore a real hash before any early-return so the fake hash can
114+
# never reach a commit. If old_hash == new_hash this substitutes the
115+
# original value back in place of the fake.
116+
sed -i "s|vendorHash = \"$fake_hash\";|vendorHash = \"$new_hash\";|" nix/package.nix
117+
113118
if [ "$old_hash" = "$new_hash" ]; then
114119
echo "vendorHash unchanged ($old_hash), nothing to do"
115120
echo "changed=false" >> "$GITHUB_OUTPUT"
116121
exit 0
117122
fi
118123
119-
sed -i "s|vendorHash = \"$fake_hash\";|vendorHash = \"$new_hash\";|" nix/package.nix
120124
echo "changed=true" >> "$GITHUB_OUTPUT"
121125
122126
- name: Verify build
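Review bot: the `exit 1` branch for an empty `new_hash` still runs before the new restoring `sed`, so a failed extraction leaves the `$fake_hash` sentinel in `nix/package.nix`; the step fails there and nothing is committed by this job, but the commit message's "always holds a real hash before any exit" only holds for the `exit 0` path. Consider restoring the original value before that exit, e.g. `sed -i "s|vendorHash = \"$fake_hash\";|vendorHash = \"$old_hash\";|" nix/package.nix`, so a checkout after a failed run is clean and a later step cannot pick the sentinel up. The `| head -n1` is the right guard for multi-line `got:` output; the `-z` check below remains the one that catches a missing hash.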

renovate.json

Lines changed: 5 additions & 2 deletions
@@ -18,11 +18,14 @@
1818
"pinDigests": true
1919
},
2020
{
21-
"description": "Group all indirect Go dependencies",
21+
"description": "Group all indirect Go dependencies (major, minor, patch in one PR)",
2222
"matchManagers": ["gomod"],
2323
"matchDepTypes": ["indirect"],
2424
"groupName": "go-indirect",
25-
"enabled": true
25+
"enabled": true,
26+
"separateMajorMinor": false,
27+
"separateMultipleMajor": false,
28+
"separateMinorPatch": false
2629
},
2730
{
2831
"description": "Group GitHub Actions updates",
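Review bot: of the three new keys, `separateMajorMinor: false` is the one that changes behaviour for this rule; `separateMinorPatch` already defaults to `false`, and `separateMultipleMajor` only matters while majors are being split out in the first place, so the other two document intent rather than alter it. Keeping them is fine given the description now promises "major, minor, patch in one PR", but the trade-off deserves a mention there: a breaking major bump of an indirect dep now lands in the same PR as routine patches, so one vendor-hash or build failure blocks every indirect update until it is sorted out. The added trailing comma after `"enabled": true` keeps the JSON valid.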
