Automatically check for updates to packaged dependencies (#61933)

* Add update config for universal-ctags

* Add upstream monitoring for additional packages

* Add context to disabled release checking

* Fix s3proxy upstream

* Add new wolfictl action

* Try running wolfictl update --dry-run

* Add repo

* Add env

* Use checkout

* Remove checkout as it confuses wolfictl

* Trick wolfictl

* Fix env

* path

* Tweaks for wolfictl

* Remove checkout again

* Add base branch for testing

* Remove branch now that changes are on main

* Tweak labels

* Add some extra flags

* Fix flags?

* Fix quotes

* Build and use forked wolfictl

* Fix path for checkout

* Relative checkout path

* use path under workspace

* Move binary rather than directory

* Don't pass --dry-run on main

* Remove dry-run mode

* Use patched branch

* Add yam.yaml

* Tweak comments

* Remove syntect-server

* Revert s3proxy changes

* Bump epoch to appease CI

* Revert "Bump epoch to appease CI"

This reverts commit 4e3925ccb6.

* Remove yam.yaml (added on different branch)

* Add git author information

* Give repo write permissions

* Check for all packages

* Enable cron and add personal TODO

* Reformat wolfictl command

* Remove on: push

* Add review suggestions

* Tweak workflow dispatch?

* add push ack

* Remove debugging

* Remove on: push

.github/workflows/wolfictl-update.yml

@@ -0,0 +1,66 @@
+name: 'wolfictl-update'
+
+on:
+  schedule:
+    # everyday at 0:00 UTC
+    - cron:  0 0 * * *
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+  issues: write
+
+jobs:
+  wolfictl-update:
+    name: Wolfictl Update
+    runs-on: ubuntu-latest
+
+    steps:
+      # Install wolfictl
+
+      # NOTE: The main wolfictl binary has a bug which prevents us from using it
+      # Once https://github.com/wolfi-dev/wolfictl/pull/763 is merged, we can remove the following which
+      # builds wolfictl from a patched fork.
+
+      # Build and install a fork of wolfictl
+      - name: Check out code from external repository
+        uses: actions/checkout@v4
+        with:
+          repository: 'willdollman/wolfictl'
+          ref: 'will/fix-update-pkgpath'
+          token: ${{ secrets.GITHUB_TOKEN }}
+          path: 'wolfictl'
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+         go-version: '1.22'
+
+      - name: Build binary
+        run: |
+          TMP=$(mktemp -d)
+          export GOBIN=$TMP
+          cd $GITHUB_WORKSPACE/wolfictl
+          go install ./...
+          echo "$TMP" >> $GITHUB_PATH
+
+      # TODO(will): Once the bugfix PR is accepted:
+      #   * Replace above wolfictl build step with the following
+      #   * Pin commit hash
+      # - uses: wolfi-dev/actions/install-wolfictl@main
+
+      # Run wolfictl update
+      # Ideally we would use actions/checkout to clone sourcegraph/sourcegraph, but this isn't properly supported by wolfictl
+      - name: wolfictl update
+        run: |
+          wolfictl update \
+            --create-issues='false' \
+            --path='wolfi-packages/' \
+            --github-labels='SSDLC' --github-labels='security-auto-update' --github-labels='security-auto-update/packages' \
+            $GITHUB_SERVER_URL/$GITHUB_REPOSITORY
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GIT_AUTHOR_NAME: sourcegraph secbot
+          GIT_AUTHOR_EMAIL: security@sourcegraph.com
+