GH Action: update images ref in Schutzfile on schedule

Add a simple script and an action to update images ref in Schutzfile on
schedule.

Both, the script and action are based on those in the osbuild/images
repository and the credit for those goes to Achilleas Koutsou.

Signed-off-by: Tomáš Hozza <thozza@redhat.com>

.github/workflows/update-images.yml

@@ -0,0 +1,52 @@
+# This action updates the images ref in the Schutzfile
+---
+    name: "Update images ref"
+    
+    on:
+      workflow_dispatch:
+      schedule:
+        # Every Mon at 8:00
+        - cron: "0 8 * * 1"
+    
+    jobs:
+      update-and-push:
+        runs-on: ubuntu-latest
+        steps:
+          - name: Apt update
+            run: sudo apt update
+    
+          - name: Check out main
+            uses: actions/checkout@v4
+            with:
+              path: osbuild
+              ref: main
+    
+          - name: Update Schutzfile
+            working-directory: ./osbuild
+            env:
+              GITHUB_TOKEN: ${{ secrets.SCHUTZBOT_GITHUB_ACCESS_TOKEN }}
+            run: |
+              ./schutzbot/update-schutzfile-images
+    
+          - name: Open PR
+            working-directory: ./osbuild
+            env:
+              GITHUB_TOKEN: ${{ secrets.SCHUTZBOT_GITHUB_ACCESS_TOKEN }}
+            run: |
+              if git diff --exit-code; then echo "No changes"; exit 0; fi
+              git config --unset-all http.https://github.com/.extraheader
+              git config user.name "schutzbot"
+              git config user.email "schutzbot@gmail.com"
+              branch="schutzfile-images-$(date -I)"
+              git checkout -b "${branch}"
+              git add Schutzfile
+              git commit -m "Schutzfile: Update images dependency ref to latest"
+              git push -f https://"$GITHUB_TOKEN"@github.com/schutzbot/osbuild.git
+              echo "Updating images dependency ref to current `main`" > body
+              gh pr create \
+                -t "Update images dependency ref to latest" \
+                -F "body" \
+                -r "osbuild/osbuild-reviewers" \
+                --repo "osbuild/osbuild" \
+                --base "main" \
+                --head "schutzbot:${branch}"

schutzbot/update-schutzfile-images

@@ -0,0 +1,46 @@
+#!/usr/bin/env python3
+import json
+import os
+import sys
+import urllib.request
+
+SCHUTZFILE = "Schutzfile"
+
+
+def images_main_commit_id():
+    token = os.environ.get("GITHUB_TOKEN")
+    req = urllib.request.Request("https://api.github.com/repos/osbuild/images/commits/main")
+    req.add_header("Accept", "application/vnd.github+json")
+    if token:
+        # this API request doesn't necessarily require a token, but let's use it if we have one
+        req.add_header("Authorization", f"Bearer {token}")
+    try:
+        with urllib.request.urlopen(req, timeout=30) as resp:
+            body = resp.read()
+    except urllib.error.HTTPError as http_error:
+        print(http_error)
+        sys.exit(1)
+
+    data = json.loads(body)
+    return data["sha"]
+
+
+def update_images_ref(new):
+    with open(SCHUTZFILE, encoding="utf-8") as schutzfile:
+        data = json.load(schutzfile)
+
+    data.setdefault("global", {}).setdefault("dependencies", {}).setdefault("images", {})["ref"] = new
+
+    with open(SCHUTZFILE, encoding="utf-8", mode="w") as schutzfile:
+        json.dump(data, schutzfile, indent="  ")
+
+
+def main():
+    main_id = images_main_commit_id()
+    print(f"osbuild/images main commit ID: {main_id}")
+    print("Updating Schutzfile")
+    update_images_ref(main_id)
+
+
+if __name__ == "__main__":
+    main()