From 481d7b3b396da2877349a50eb24f3797c99c4ed6 Mon Sep 17 00:00:00 2001
From: Olivier Vernin
Date: Tue, 20 Jan 2026 21:27:02 +0100
Subject: [PATCH] ci: refactor updatecli gha workflow
Signed-off-by: Olivier Vernin
---
 .github/workflows/updatecli.yaml | 30 +++++++++++--------------
 .github/workflows/updatecli_test.yaml | 22 ++++++++++++++++++
 .github/workflows/updatecli_update.yaml | 26 +++++++++++++++++++++
 3 files changed, 61 insertions(+), 17 deletions(-)
 create mode 100644 .github/workflows/updatecli_test.yaml
 create mode 100644 .github/workflows/updatecli_update.yaml
diff --git a/.github/workflows/updatecli.yaml b/.github/workflows/updatecli.yaml
index 6034b2a9..a31b8968 100644
--- a/.github/workflows/updatecli.yaml
+++ b/.github/workflows/updatecli.yaml
@@ -1,30 +1,26 @@
-name: updatecli
+name: Updatecli
 on:
+ release:
 workflow_dispatch:
- push:
- branches: [main]
 schedule:
- # Run every hour
- - cron: "0 * * * *"
+ # Run at 12:00 every Saterday every 14 days
+ - cron: "0 12 */14 * 6"
 jobs:
 updatecli:
 runs-on: ubuntu-latest
- permissions:
- contents: read
 steps:
 - name: "Checkout"
 uses: "actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8" # v6.0.1
 - name: "Setup updatecli"
- uses: "updatecli/updatecli-action@a93efa6052d12f3d77728350fe500c0ed74c169c" # v2
- - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
- id: generate_token
- if: github.ref == 'refs/heads/main'
+ uses: "updatecli/updatecli-action@b846825b298f5351abd80f94c4f9eab63a38a804" # v2.98.0
 with:
- app-id: ${{ secrets.UPDATECLIBOT_APP_ID }}
- private-key: ${{ secrets.UPDATECLIBOT_APP_PRIVKEY }}
+ version: "v0.113.0"
 - name: "Run updatecli"
- if: github.ref == 'refs/heads/main'
- run: "updatecli compose apply"
+ run: updatecli compose apply --clean-git-branches=true --experimental
 env:
- UPDATECLI_GITHUB_USERNAME: ${{ secrets.UPDATECLI_BOT_GITHUB_ACTOR }}
- UPDATECLI_GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+ UPDATECLI_GITHUB_APP_CLIENT_ID: ${{ secrets.UPDATECLIBOT_APP_ID }}
+ UPDATECLI_GITHUB_APP_PRIVATE_KEY: ${{ secrets.UPDATECLIBOT_APP_PRIVKEY }}
+ UPDATECLI_GITHUB_APP_INSTALLATION_ID: ${{ secrets.UPDATECLIBOT_APP_INSTALLATION_ID }}
+ UPDATECLI_UDASH_API_URL: ${{ secrets.UPDATECLI_UDASH_API_URL }}
+ UPDATECLI_UDASH_ACCESS_TOKEN: ${{ secrets.UPDATECLI_UDASH_ACCESS_TOKEN }}
+ UPDATECLI_UDASH_URL: ${{ secrets.UPDATECLI_UDASH_URL }}
diff --git a/.github/workflows/updatecli_test.yaml b/.github/workflows/updatecli_test.yaml
new file mode 100644
index 00000000..312772f5
--- /dev/null
+++ b/.github/workflows/updatecli_test.yaml
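Review bot: The updatecli job in `.github/workflows/updatecli.yaml` drops `permissions: contents: read`, so `GITHUB_TOKEN` reverts to the repository or organisation default, which may be read/write; nothing in the new steps appears to need more than read, so keep the two lines `permissions:` and `contents: read` on the job. The `if: github.ref == 'refs/heads/main'` guard is gone as well, which means a `workflow_dispatch` run from a feature branch applies that branch's manifests with the App credentials; since the new `release` trigger runs on a tag ref, a guard such as `if: github.event_name != 'workflow_dispatch' || github.ref == 'refs/heads/main'` on "Run updatecli" would restore the old behaviour without blocking it. The new `updatecli_update.yaml` has both gaps too. Separately, `*/14` in the day-of-month field matches days 1, 15 and 29 rather than a 14-day interval, and how it combines with the `6` in day-of-week depends on the cron implementation, so the schedule comment probably does not describe what `0 12 */14 * 6` does.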
@@ -0,0 +1,22 @@
+---
+name: Updatecli Test
+on:
+ pull_request:
+permissions:
+ contents: read
+jobs:
+ updatecli:
+ runs-on: ubuntu-latest
+ steps:
+ - name: "Checkout"
+ uses: "actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8" # v6.0.1
+ - name: "Setup updatecli"
+ uses: "updatecli/updatecli-action@b846825b298f5351abd80f94c4f9eab63a38a804" # v2.98.0
+ with:
+ version: "v0.113.0"
+ - name: "Test updatecli in dry-run mode"
+ run: "updatecli compose diff"
+ env:
+ # This step is executed in untrusted context. We use a GitHub token with minimal permissions.
+ GITHUB_ACTOR: ${{ github.actor }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/updatecli_update.yaml b/.github/workflows/updatecli_update.yaml
new file mode 100644
index 00000000..b3009f46
--- /dev/null
+++ b/.github/workflows/updatecli_update.yaml
@@ -0,0 +1,26 @@
+---
+name: Updatecli - Update
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+jobs:
+ updatecli:
+ runs-on: ubuntu-latest
+ steps:
+ - name: "Checkout"
+ uses: "actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8" # v6.0.1
+ - name: "Setup updatecli"
+ uses: "updatecli/updatecli-action@b846825b298f5351abd80f94c4f9eab63a38a804" # v2.98.0
+ with:
+ version: "v0.113.0"
+ - name: "Run updatecli only on existing pipelines"
+ run: updatecli compose apply --clean-git-branches=true --existing-only=true --experimental
+ env:
+ UPDATECLI_GITHUB_APP_CLIENT_ID: ${{ secrets.UPDATECLIBOT_APP_ID }}
+ UPDATECLI_GITHUB_APP_PRIVATE_KEY: ${{ secrets.UPDATECLIBOT_APP_PRIVKEY }}
+ UPDATECLI_GITHUB_APP_INSTALLATION_ID: ${{ secrets.UPDATECLIBOT_APP_INSTALLATION_ID }}
+ UPDATECLI_UDASH_API_URL: ${{ secrets.UPDATECLI_UDASH_API_URL }}
+ UPDATECLI_UDASH_ACCESS_TOKEN: ${{ secrets.UPDATECLI_UDASH_ACCESS_TOKEN }}
+ UPDATECLI_UDASH_URL: ${{ secrets.UPDATECLI_UDASH_URL }}
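Review bot: In `.github/workflows/updatecli_test.yaml` the "Checkout" step keeps the job token available to later git commands by default, and the next step runs `updatecli compose diff` on manifests taken from the pull request; adding `with:` and `persist-credentials: false` to the checkout leaves the token passed in `env:` as the only credential the untrusted step sees. The workflow-level `permissions: contents: read` already bounds what that token can do, so this is hardening rather than a fix. It would also help to extend the existing comment to record why the trigger is `pull_request`, for example `# Must stay on pull_request, not pull_request_target: PR-controlled manifests run here and must never see repository secrets.`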
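Review bot: The `env:` of "Run updatecli only on existing pipelines" in `.github/workflows/updatecli_update.yaml` (and of "Run updatecli" in `updatecli.yaml`) passes `UPDATECLIBOT_APP_PRIVKEY` straight to the updatecli process, where the steps removed from `updatecli.yaml` gave it only a token minted by `actions/create-github-app-token`. That widens exposure of a long-lived key to everything the command loads or spawns on each push to main; whether updatecli forwards its environment to child processes is not visible here and should be checked. If native App authentication is wanted, consider moving these secrets into a protected environment restricted to main and adding `environment: <protected-environment-name>` to the job, with a comment such as `# App private key is exposed to this step; manifests it runs must be reviewed on main.`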