Make pre-release integration PRs

[wagoodman]

This updates the existing stereoscope workflow into a generic "update anchore deps" workflow, leveraging the work done in anchore/workflows#11 . This adds a new task that can be used as so:

# update stereoscope from the tip of main
make update-anchore-dependencies FROM=main

# update stereoscope from the latest release relative to the goproxy
make update-anchore-dependencies FROM=latest

# update stereoscope from the tip of an integration branch
make update-anchore-dependencies FROM=integration

See an example run: #3372

[kzantow]

Would this task be used for anything? Generally, I think the dependencies would be updated by dependabot once an upstream project has a new version released. If I'm making a change in syft, here, I would be most interested in testing this specific change across the downstream projects, namely: Grype.

[wagoodman]

when there are releases, yes. But this is also used to control integration branches too (update to commits without releases), something that dependabot can't do. This mechanism would happen to be used for both integration and main though during release trains.

[kzantow]

I think this workflow just goes away, and there's a different workflow to run grype/validations.yml against a syft change in a syft PR.

[wagoodman]

The goal is to open these pre-release PRs as integration branches in all repos during a release day, starting with pointing at integration branches for all dependencies with the PR in a draft state, then once releases start (after all pre-release PRs are green) we bump all dependencies to released versions and promote the PR from draft to mergable.