syft/.github/workflows/update-anchore-dependencies.yml

name: PR to update Anchore dependencies
on:
  workflow_dispatch:
    inputs:
      repos:
        description: "List of dependencies to update"
        required: true
        type: string

permissions:
  contents: read

jobs:
  update:
    runs-on: ubuntu-latest
    if: github.repository_owner == 'anchore' # only run for main repo (not forks)
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
        with:
          persist-credentials: false

      - name: Bootstrap environment
        uses: ./.github/actions/bootstrap
        with:
          tools: false
          bootstrap-apt-packages: ""

      - name: Update dependencies
        id: update
        uses: anchore/workflows/.github/actions/update-go-dependencies@main
        with:
          repos: ${{ github.event.inputs.repos }}

      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf #v2.2.1
        id: generate-token
        with:
          app-id: ${{ secrets.TOKEN_APP_ID }}
          private-key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}

      - uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 #v7.0.11
        with:
          signoff: true
          delete-branch: true
          draft: ${{ steps.update.outputs.draft }}
          # do not change this branch, as other workflows depend on it
          branch: auto/integration
          labels: dependencies,pre-release
          commit-message: "chore(deps): update anchore dependencies"
          title: "chore(deps): update anchore dependencies"
          body: ${{ steps.update.outputs.summary }}
          token: ${{ steps.generate-token.outputs.token }}