ci: add automation to update deps

Author: miparnisari

.github/workflows/deps.yaml

@@ -0,0 +1,83 @@
+name: Update SpiceDB and Zed
+on:
+  schedule:
+    - cron: "0 * * * *" # every hour.
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+  issues: read
+  checks: read
+  actions: read
+  statuses: read
+
+jobs:
+  vendor:
+    runs-on: depot-ubuntu-24.04-small
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: "1" # only fetch the latest commit
+      - name: vendor dependencies
+        run: yarn run update:deps
+      - name: check if any changes
+        id: check-changes
+        run: |
+          if [[ -n "$(git status --porcelain .)" ]]; then
+            echo "changes were vendored"
+            git status
+            echo "play_changed=true" >> $GITHUB_OUTPUT
+          else
+            echo "no changes were vendored"
+            echo "play_changed=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: If changes, make a PR
+        if: steps.check-changes.outputs.play_changed == 'true'
+        uses: "peter-evans/create-pull-request@v7"
+        id: cpr
+        with:
+          token: ${{ secrets.AUTHZEDBOT_REPO_SCOPED_TOKEN }}
+          commit-message: "vendor latest SpiceDB and Zed"
+          title: "Auto-generated PR: Update SpiceDB and Zed to latest releases"
+          body: "This PR was auto-generated by GitHub Actions."
+          branch: "auto-update-branch"
+          base: "main"
+
+      - name: "Approve Pull Request"
+        if: steps.check-changes.outputs.play_changed == 'true'
+        uses: "juliangruber/approve-pull-request-action@b71c44ff142895ba07fad34389f1938a4e8ee7b0" # v2.0.6
+        with:
+          repo: authzed/playground
+          github-token: ${{ secrets.AUTHZEDAPPROVER_REPO_SCOPED_TOKEN }}
+          number: ${{ steps.cpr.outputs.pull-request-number }}
+
+      - name: "Enable Pull Request Automerge"
+        if: steps.check-changes.outputs.play_changed == 'true'
+        run: "gh pr merge ${{ steps.cpr.outputs.pull-request-number }} --merge --auto"
+        env:
+          GH_TOKEN: ${{ secrets.AUTHZEDAPPROVER_REPO_SCOPED_TOKEN }}
+
+      - name: "Wait for all required checks to pass"
+        if: steps.check-changes.outputs.play_changed == 'true'
+        run: "gh pr checks --required --watch --interval 10 --fail-fast ${{ steps.cpr.outputs.pull-request-number }} "
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: "Notify in Slack if failure"
+        if: ${{ failure() }}
+        uses: "slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a" # v2.1.1
+        with:
+          webhook: "${{ secrets.SLACK_BUILDS_WEBHOOK_URL }}"
+          webhook-type: "incoming-webhook"
+          payload: |
+            text: "Broken vendoring of SpiceDB and Zed into Playground."
+            blocks:
+              - type: "section"
+                text:
+                  type: "mrkdwn"
+                  text: |
+                    :x: A change in SpiceDB and/or Zed broke something in Playground. 
+                    @eng-oss please take al ook.
+                    *PR:* <${{ github.server_url }}/${{ github.repository }}/pull/${{ steps.cpr.outputs.pull-request-number }}>