ohmyzsh/.github/workflows/dependencies.yml

name: Update dependencies
on:
  workflow_dispatch: {}
  schedule:
    - cron: "0 6 * * 0"

jobs:
  check:
    name: Check for updates
    runs-on: ubuntu-latest
    if: github.repository == 'ohmyzsh/ohmyzsh'
    permissions:
      contents: write # this is needed to push commits and branches
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          fetch-depth: 0
      - name: Authenticate as @ohmyzsh
        id: generate-token
        uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2.2.0
        with:
          app-id: ${{ secrets.OHMYZSH_APP_ID }}
          private-key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }}
      - name: Setup Python
        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: "3.12"
          cache: "pip"
      - name: Process dependencies
        env:
          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
          GIT_APP_NAME: ohmyzsh[bot]
          GIT_APP_EMAIL: 54982679+ohmyzsh[bot]@users.noreply.github.com
          TMP_DIR: ${{ runner.temp }}
        run: |
          pip install -r .github/workflows/dependencies/requirements.txt
          python3 .github/workflows/dependencies/updater.py