Ensure dependabot doesn't break over time

The automated GitHub workflow updates were broken for some time due to dependabot's images fetched
at runtime went out of sync with the binary.

While updating dependabot fixed it for now, a more permanent fix is to use the version of dependabot
that pins the images at build time, introduced in
NixOS/nixpkgs#352866 and NixOS/nixpkgs#354085

Author: infinisil

default.nix

@@ -132,7 +132,7 @@ let
           githubActions = pkgs.writeShellApplication {
             name = "update-github-actions";
             runtimeInputs = with pkgs; [
-              dependabot-cli
+              dependabot-cli.withDockerImages
               jq
               github-cli
               coreutils
@@ -144,8 +144,8 @@ let
       pkgs.writeShellApplication {
         name = "auto-pr-update";
         text = ''
-          # Prevent impurities
-          unset PATH
+          # Prevent impurities, but we need docker
+          PATH=$(dirname "$(which docker)")
           ${lib.concatMapStringsSep "\n" (script: ''
             echo >&2 "Running ${script}"
             ${lib.getExe script} "$1"