chore: Automatically bump sec-scanners-config.yaml with image to be released

.github/workflows/create-runtime-watcher-release.yaml

@@ -1,8 +1,7 @@
 name: "Create Runtime Watcher Release"
 
 permissions:
-  id-token: write
-  contents: write
+  contents: read
 
 on:
   workflow_dispatch:
@@ -15,6 +14,10 @@ on:
         description: "Changelog since"
         default: ""
         required: false
+      skip_sec_scanners_bump:
+        description: "Skip sec-scanners-config.yaml bump"
+        type: boolean
+        default: false
 
 env:
   IMAGE_REPO: europe-docker.pkg.dev/kyma-project/prod/runtime-watcher
@@ -26,23 +29,95 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
       - name: Validate the release tag
         run: ./.github/scripts/release/validate_release_tag.sh ${{ github.event.inputs.name }}
       - name: Check if release doesn't exist yet
         run: ./.github/scripts/release/get_release_by_tag.sh ${{ github.event.inputs.name }} ${{ secrets.GITHUB_TOKEN }}
 
+  bump-images:
+    name: Bump sec-scanners-config.yaml images
+    runs-on: ubuntu-latest
+    needs: validate-release
+    if: ${{ !inputs.skip_sec_scanners_bump }}
+    permissions:
+      pull-requests: write
+      contents: write
+    outputs:
+      pr_number: ${{ steps.open-pr.outputs.pr_number }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          fetch-depth: 0
+      - name: Checkout lifecycle-manager
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          repository: kyma-project/lifecycle-manager
+          path: lifecycle-manager
+      - name: Bump sec-scanners-config.yaml images
+        run: |
+          ./lifecycle-manager/.github/scripts/release/bump_sec_scanners_versions.sh \
+            ${{ github.event.inputs.name }} \
+            europe-docker.pkg.dev/kyma-project/prod/runtime-watcher \
+            sec-scanners-config.yaml
+      - name: Push version bump branch and open PR
+        id: open-pr
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # Configure git
+          git config --local user.email "jellyfish-bot@users.noreply.github.com"
+          git config --local user.name "jellyfish-bot"
+
+          if PR_NUMBER=$(./lifecycle-manager/.github/scripts/release/create_sec_scanners_config_bump_pr.sh ${{ github.event.inputs.name }}); then
+            echo "pr_number=${PR_NUMBER}" >> "$GITHUB_OUTPUT"
+          else
+            echo "❌ Failed to create PR for sec-scanners-config.yaml bump"
+            exit 1
+          fi
+
+  await-bump-images-pr-merge:
+    name: Wait for version bump PR to be merged
+    runs-on: ubuntu-latest
+    needs: bump-images
+    if: ${{ !inputs.skip_sec_scanners_bump }}
+    permissions:
+      pull-requests: read
+      contents: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          fetch-depth: 0
+      - name: Checkout lifecycle-manager
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          repository: kyma-project/lifecycle-manager
+          path: lifecycle-manager
+      - name: Wait for PR to be merged
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: ./lifecycle-manager/.github/scripts/release/wait_for_pr_merge.sh ${{ needs.bump-images.outputs.pr_number }}
+      - name: Delete merged branch
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: ./lifecycle-manager/.github/scripts/release/delete_sec_scanners_config_pr_branch.sh ${{ github.event.inputs.name }}
+
   draft-release:
     name: Create draft release
     runs-on: ubuntu-latest
-    needs: validate-release
+    needs: [validate-release, await-bump-images-pr-merge]
+    permissions:
+      contents: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
+          ref: main  # Checkout main after version bump PR is merged
       - name: Generate changelog
         id: generate_changelog
         env:
@@ -66,13 +141,18 @@ jobs:
     uses: ./.github/workflows/build-image.yml
     with:
       tag: "${{ github.event.inputs.name }}"
+    permissions:
+      contents: read
+      id-token: write
   publish_release:
     name: Publish release
     needs: [validate-release, draft-release, builds]
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
       - name: Wait for the Docker image