Add GH actions to update lockfiles

Author: jcapiitao

.github/workflows/update-lockfiles.yml

@@ -0,0 +1,82 @@
+name: Submit PRs to update lockfiles
+
+on:
+  workflow_dispatch: # Allows manual triggering from the GitHub UI
+  schedule:
+    - cron: '0 4 * * *' # Daily at 4:00am UTC
+
+jobs:
+  update-lockfiles:
+    if: github.event.repository.fork == true && github.repository == 'coreosbot-releng/coreos-assembler'
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        branch: [main]
+
+    permissions:
+      pull-requests: write # Required to create a pull request
+      contents: write # Required to rebase branches
+
+    steps:
+      - name: Set up Python 3.12
+        uses: actions/setup-python@v5
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          # Required for 'peter-evans/create-pull-request' to push to a new branch
+          fetch-depth: 0
+
+      - name: Synchronise the 'lockfiles-update-STREAM' branch with the upstream one
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BRANCH: ${{ matrix.branch }}
+        run: |
+          TARGET_BRANCH=update-lockfiles-${BRANCH}
+          echo "The target branch is '$TARGET_BRANCH'."
+
+          git remote add upstream https://github.com/coreos/coreos-assembler.git
+          git fetch upstream
+          if git ls-remote --heads origin "$TARGET_BRANCH" | grep -q "$TARGET_BRANCH"; then
+              echo "Branch '$TARGET_BRANCH' exists on origin. Checking it out."
+              git checkout "$TARGET_BRANCH"
+          elif git rev-parse --verify --quiet "$TARGET_BRANCH" > /dev/null; then
+              echo "Branch '$TARGET_BRANCH' exists locally. Checking it out."
+              git checkout "$TARGET_BRANCH"
+          else
+              echo "Branch '$TARGET_BRANCH' does not exist. Creating it from upstream/${BRANCH}."
+              if git rev-parse --verify --quiet "upstream/${BRANCH}" > /dev/null; then
+                  git checkout -b "$TARGET_BRANCH" upstream/${BRANCH}
+                  echo "Successfully created and checked out branch '$TARGET_BRANCH' from upstream/${BRANCH}."
+              else
+                  echo "Error: upstream/${BRANCH} does not exist after fetch. Cannot create new branch."
+                  exit 1
+              fi
+          fi
+          git rebase upstream/${BRANCH}
+          git push --force origin "$TARGET_BRANCH"
+
+      - name: Update the lockfiles
+        working-directory: ci/hermetic
+        run: |
+          git checkout update-lockfiles-${{ matrix.branch }}
+          sudo apt-get update && sudo apt-get install -y python3-dnf
+          pip3 install requests ruamel.yaml
+          ./update_artifacts_lockfile
+          bash -x update_rpms_lockfile
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v6
+        with:
+          token: ${{ secrets.UPDATE_LOCKFILES_PAT }}
+          commit-message: 'feat(automated): Update the lockfiles'
+          title: 'Automated: lockfiles updated'
+          body: |
+            This PR was automatically generated by the 'Submit PRs to update lockfiles' workflow.
+            It updates the lockfiles.
+          branch: update-lockfiles/${{ matrix.branch }}-candidate
+          base: update-lockfiles-${{ matrix.branch }}
+          labels: |
+            update-lockfiles
+          committer: "CoreOS Bot <[email protected]>"
+          author: "CoreOS Bot <[email protected]>"