Keeping nixos/nix docker image up to date with base image using dependabot

What about using something like dependabot to keep the image up to date?
Also, it is generally good idea to create immutable image tags, rather than only having latest.

I want nixos/nix to stay up to date with the base image because newer alpine image may contain bug fixes or security fixes, and nix image is not currently built with buildImage/buildLayeredImage (yet).