diff --git a/.github/actions/bootstrap/action.yaml b/.github/actions/bootstrap/action.yaml
index a14c8478..3933bf17 100644
--- a/.github/actions/bootstrap/action.yaml
+++ b/.github/actions/bootstrap/action.yaml
@@ -37,6 +37,9 @@ inputs:
 description: "Prefix build cache key with this value"
 required: true
 default: "f8b6d31dea"
+ tools:
+ description: "whether to install tools"
+ default: "true"
 bootstrap-apt-packages:
 description: "Space delimited list of tools to install via apt"
 default: "sqlite3 libsqlite3-dev"
@@ -85,6 +88,7 @@ runs:
 - name: Restore tool cache
 id: tool-cache
 uses: actions/cache@v3
+ if: inputs.tools == 'true'
 with:
 path: ${{ github.workspace }}/.tmp
 key: ${{ inputs.cache-key-prefix }}-${{ runner.os }}-tool-${{ hashFiles('Makefile') }}
@@ -104,7 +108,7 @@ runs:
 - name: (cache-miss) Bootstrap project tools
 shell: bash
- if: steps.tool-cache.outputs.cache-hit != 'true'
+ if: steps.tool-cache.outputs.cache-hit != 'true' && inputs.tools == 'true'
 run: make bootstrap-tools
 - name: Restore go build cache
diff --git a/.github/workflows/update-anchore-dependencies.yml b/.github/workflows/update-anchore-dependencies.yml
new file mode 100644
index 00000000..bf0a9093
--- /dev/null
+++ b/.github/workflows/update-anchore-dependencies.yml
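Review bot: The new `tools` input in the first hunk is described only as "whether to install tools", which tells a caller neither that the action compares it as the string `'true'` (the two new `if:` conditions in the later hunks) nor what it gates. A fuller description would be `description: "Set to the string 'true' to restore the tool cache and run 'make bootstrap-tools'; any other value skips both steps"`. Composite-action inputs arrive as strings, so a caller passing an unquoted YAML `false` presumably arrives as `"false"` and still skips correctly, but it is worth stating in the description that the value is string-compared so callers quote it deliberately.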
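Review bot: The widened condition `steps.tool-cache.outputs.cache-hit != 'true' && inputs.tools == 'true'` on the cache-miss step in the last hunk deserves a why-comment, because the first clause looks sufficient on its own and a later cleanup may drop the second. A line such as `# cache-hit is empty (not 'false') when the restore step above is skipped, so gate on inputs.tools here too or the bootstrap runs with tools disabled` captures the reason; that the output of a skipped step is empty is how GitHub Actions presumably behaves and should be confirmed against the docs when the comment is written.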
@@ -0,0 +1,49 @@
+name: PR to update Anchore dependencies
+on:
+ workflow_dispatch:
+ inputs:
+ repos:
+ description: "List of dependencies to update"
+ required: true
+ type: string
+
+permissions:
+ contents: read
+
+jobs:
+ update:
+ runs-on: ubuntu-latest
+ if: github.repository_owner == 'anchore' # only run for main repo (not forks)
+ steps:
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+
+ - name: Bootstrap environment
+ uses: ./.github/actions/bootstrap
+ with:
+ tools: false
+ bootstrap-apt-packages: ""
+
+ - name: Update dependencies
+ id: update
+ uses: anchore/workflows/.github/actions/update-go-dependencies@main
+ with:
+ repos: ${{ github.event.inputs.repos }}
+
+ - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a #v2.1.0
+ id: generate-token
+ with:
+ app_id: ${{ secrets.TOKEN_APP_ID }}
+ private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
+
+ - uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f #v7.0.5
+ with:
+ signoff: true
+ delete-branch: true
+ draft: ${{ steps.update.outputs.draft }}
+ # do not change this branch, as other workflows depend on it
+ branch: auto/integration
+ labels: dependencies,pre-release
+ commit-message: "chore(deps): update anchore dependencies"
+ title: "chore(deps): update anchore dependencies"
+ body: ${{ steps.update.outputs.summary }}
+ token: ${{ steps.generate-token.outputs.token }}
diff --git a/.github/workflows/update-grype-release.yml b/.github/workflows/update-grype-release.yml
deleted file mode 100644
index 9e192f91..00000000
--- a/.github/workflows/update-grype-release.yml
+++ /dev/null
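Review bot: `uses: anchore/workflows/.github/actions/update-go-dependencies@main` in the "Update dependencies" step tracks a mutable branch, whereas every other action in this file (checkout, tibdex/github-app-token, create-pull-request) is pinned to a full commit SHA with a version comment. That step runs in the same job before the App token is minted and can alter the checked-out tree, `$GITHUB_PATH` or `$GITHUB_ENV` that the later create-pull-request step (which holds the App token) inherits, so anyone able to push to that branch can influence what is committed under the App's identity; pin it to a full commit SHA in the same `@<sha> #<version>` form used on the neighbouring steps, or at minimum to a release tag. `repos: ${{ github.event.inputs.repos }}` is operator-supplied text; if the reusable action interpolates it into a shell command (not visible here), it should be passed through an environment variable there rather than expanded inline. Finally, `tools: false` is an unquoted YAML boolean handed to an input whose default is the string `"true"` and which the action compares with `== 'true'`; writing `tools: "false"` matches that string contract explicitly.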
@@ -1,51 +0,0 @@
-name: PR for latest Grype release
-on:
- schedule:
- - cron: "0 8 * * *" # 3 AM EST
-
- workflow_dispatch:
-
-env:
- GO_VERSION: "1.23.x"
- GO_STABLE_VERSION: true
-
-jobs:
- upgrade-grype:
- runs-on: ubuntu-latest
- if: github.repository == 'anchore/grype-db' # only run for main repo
- steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
-
- - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed #v5.1.0
- with:
- go-version: ${{ env.GO_VERSION }}
- stable: ${{ env.GO_STABLE_VERSION }}
-
- - run: |
- LATEST_VERSION=$(curl "https://api.github.com/repos/anchore/grype/releases/latest" 2>/dev/null | jq -r '.tag_name')
-
- # update go.mod
- go get github.com/anchore/grype@$LATEST_VERSION
- go mod tidy
-
- # export the version for use with create-pull-request
- echo "LATEST_VERSION=$LATEST_VERSION" >> $GITHUB_OUTPUT
- id: latest-version
-
- - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a #v2.1.0
- id: generate-token
- with:
- app_id: ${{ secrets.TOKEN_APP_ID }}
- private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
-
- - uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f #v7.0.5
- with:
- signoff: true
- delete-branch: true
- branch: auto/latest
- labels: dependencies
- commit-message: "Update Grype to ${{ steps.latest-version.outputs.LATEST_VERSION }}"
- title: "Update Grype to ${{ steps.latest-version.outputs.LATEST_VERSION }}"
- body: |
- Update Grype to ${{ steps.latest-version.outputs.LATEST_VERSION }}
- token: ${{ steps.generate-token.outputs.token }}