1 files changed, 43 insertions, 0 deletions

diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml
new file mode 100644
index 000000000..8d8f5cc73
--- /dev/null
+++ b/.github/workflows/dependencies.yml
@@ -0,0 +1,43 @@
+name: Update dependencies
+on:
+  workflow_dispatch: {}
+  schedule:
+    - cron: "0 6 * * 0"
+
+jobs:
+  check:
+    name: Check for updates
+    runs-on: ubuntu-latest
+    if: github.repository == 'ohmyzsh/ohmyzsh'
+    permissions:
+      contents: write # this is needed to push commits and branches
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          fetch-depth: 0
+      - name: Authenticate as @ohmyzsh
+        id: generate-token
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        with:
+          app-id: ${{ secrets.OHMYZSH_APP_ID }}
+          private-key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }}
+      - name: Setup Python
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+        with:
+          python-version: "3.12"
+          cache: "pip"
+      - name: Process dependencies
+        env:
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+          GIT_APP_NAME: ohmyzsh[bot]
+          GIT_APP_EMAIL: 54982679+ohmyzsh[bot]@users.noreply.github.com
+          TMP_DIR: ${{ runner.temp }}
+        run: |
+          pip install -r .github/workflows/dependencies/requirements.txt
+          python3 .github/workflows/dependencies/updater.py