Diffstat (limited to '.github/workflows/update-deps.yaml')
-rw-r--r--.github/workflows/update-deps.yaml62
1 files changed, 62 insertions, 0 deletions
diff --git a/.github/workflows/update-deps.yaml b/.github/workflows/update-deps.yaml
new file mode 100644
index 0000000..d53d59f
--- /dev/null
+++ b/.github/workflows/update-deps.yaml
@@ -0,0 +1,62 @@
+name: Update Dependencies
+env:
+ GO_VERSION: 1.21.6
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: "0 14 * * 1" # 2pm cest, weekly on Monday
+
+jobs:
+ dep_update:
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Install Go
+ uses: actions/setup-go@v4
+ with:
+ go-version: ${{ env.GO_VERSION }}
+
+ - name: Update minor and patch-level dependencies
+ run: go get -t -u ./...
+
+ - name: Tidy
+ run: go mod tidy
+
+ - name: Create pull request
+ uses: peter-evans/create-pull-request@v4
+ with:
+ title: "Update package dependencies + tidy"
+ body: |
+ This is a change initiated automatically on a weekly basis by a
+ GitHub Action that updates the projects dependencies to their latest
+ minor and patch-level versions. This lets us stay up to date
+ incrementally so that updates are less effort to get merged compared
+ to large monolithic updates, and gets us security updates more
+ expediently.
+
+ If the build passes, you are probably A-OK to merge and deploy this.
+ If not, try to dig into what's not working and see if you can fix it
+ so that the dep train stays on its rails.
+
+ Note that although minor/patch level changes are handled
+ automatically, notably major version changes like you'd find in
+ stripe-go are not and those upgrades need to be performed manually.
+ That should theoretically not be a problem if fixes are backported
+ to all previous majors, but in practice they are often not, so it's
+ worthwhile to occasionally look for new majors and integrate them.
+ branch: "feature/dep-update"
+ commit-message: |
+ Update package dependencies + tidy
+
+ Weekly update to the project's package dependencies initiated by an
+ automatic GitHub Action running on cron. Keeps upgrades less of a
+ monolithic task and lets security-related patches trickle in more
+ quickly.
+ author: "Bot <[email protected]>"
+ committer: "Bot <[email protected]>"
+ delete-branch: true \ No newline at end of file
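Review bot: The workflow declares no `permissions:` block, and the step that pushes a branch and opens the pull request runs a third-party action referenced by a mutable tag (`peter-evans/create-pull-request@v4`), so whatever that tag points to at run time receives the job's token with the repository's default scope. I would scope the token on the `dep_update` job with `permissions:` / `contents: write` / `pull-requests: write`, and pin the action to a full commit SHA, e.g. `uses: peter-evans/create-pull-request@<full-commit-sha> # v4`; the same pinning applies to `actions/checkout@v3` and `actions/setup-go@v4`. Separately, pull requests opened with the default `GITHUB_TOKEN` normally do not trigger other workflows, so the body's "If the build passes, you are probably A-OK to merge" may have no check behind it unless CI is started another way. Since `go get -t -u ./...` takes whatever upstream published that week, the body text would be safer if it asked the reviewer to read the `go.mod`/`go.sum` changes rather than rely on a green build alone.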