diff --git a/.github/actions/bootstrap/action.yaml b/.github/actions/bootstrap/action.yaml
index 6150113aee0..70d460686fc 100644
--- a/.github/actions/bootstrap/action.yaml
+++ b/.github/actions/bootstrap/action.yaml
@@ -18,6 +18,9 @@ inputs:
 description: "Download test fixture cache from OCI and github actions"
 required: true
 default: "false"
+ tools:
+ description: "weather to install tools"
+ default: "true"
 bootstrap-apt-packages:
 description: "Space delimited list of tools to install via apt"
 default: "libxml2-utils"
@@ -32,6 +35,7 @@ runs:
 go-version: ${{ inputs.go-version }}
 - name: Restore tool cache
+ if: inputs.tools == 'true'
 id: tool-cache
 uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
 with:
@@ -40,6 +44,7 @@ runs:
 - name: Install project tools
 shell: bash
+ if: inputs.tools == 'true'
 run: make tools
 - name: Install go dependencies
diff --git a/.github/workflows/update-stereoscope-release.yml b/.github/workflows/update-stereoscope-release.yml
index 002e3a84ea0..f9d87893a5d 100644
--- a/.github/workflows/update-stereoscope-release.yml
+++ b/.github/workflows/update-stereoscope-release.yml
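Review bot: In `.github/actions/bootstrap/action.yaml` the description of the new `tools` input is misspelled ("weather") and does not say how the value is interpreted. The two added `if: inputs.tools == 'true'` conditions, on "Restore tool cache" and "Install project tools", compare against the exact string `true`, so any other value such as `True` or `yes` silently skips both steps. I would write it as `description: "Whether to restore the tool cache and run 'make tools'; only the exact string 'true' enables this"`. The `inputs:` map and the step list both continue outside these hunks.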
@@ -1,42 +1,50 @@
-name: PR for latest Stereoscope release
+name: PR to update Anchore dependencies
 on:
- schedule:
- - cron: "0 8 * * *" # 3 AM EST
-
 workflow_dispatch:
-
-env:
- GO_VERSION: "1.21.x"
- GO_STABLE_VERSION: true
+ inputs:
+ from:
+ description: "Where to pull dependency commits from (branch or 'release')"
+ required: false
+ type: choice
+ options:
+ - "main" # reference commits from the main branch
+ - "auto/integration" # reference commits from a pre-release PR (like from this workflow)
+ - "release" # reference commits from the latest github release
+ default: "main"
 permissions:
 contents: read
 jobs:
- upgrade-stereoscope:
+ update:
 runs-on: ubuntu-latest
- if: github.repository == 'anchore/syft' # only run for main repo
+ if: github.repository == 'anchore/syft' # only run for main repo (not forks)
 steps:
 - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
- - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 #v5.0.2
- with:
- go-version: ${{ env.GO_VERSION }}
- stable: ${{ env.GO_STABLE_VERSION }}
-
 - name: Bootstrap environment
 uses: ./.github/actions/bootstrap
+ with:
+ tools: false
+ bootstrap-apt-packages: ""
- - run: |
- LATEST_VERSION=$(git ls-remote https://github.com/anchore/stereoscope main | head -n1 | awk '{print $1;}')
-
- # update go.mod
- go get github.com/anchore/stereoscope@$LATEST_VERSION
- go mod tidy
+ - name: Update Stereoscope
+ id: stereoscope
+ # TODO: update to main branch when ready
+ uses: anchore/workflows/.github/actions/update-go-dependency@add-dep-update
+ with:
+ repo: anchore/stereoscope
+ # note: even if you pass a branch or commit, go tooling will resolve this to a version tag if it exists
+ from: ${{ github.event.inputs.from }}
- # export the version for use with create-pull-request
- echo "LATEST_VERSION=$LATEST_VERSION" >> $GITHUB_OUTPUT
- id: latest-version
+ - name: Determine draft status
+ id: draft
+ run: |
+ if [ "${{ github.event.inputs.from }}" != "release" ]; then
echo "status=always-true" >> $GITHUB_OUTPUT
+ else
+ echo "status=false" >> $GITHUB_OUTPUT
+ fi
 - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a #v2.1.0
 id: generate-token
@@ -47,11 +55,13 @@ jobs:
 - uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f #v7.0.5
 with:
 signoff: true
- delete-branch: true
- branch: auto/latest-stereoscope
- labels: dependencies
- commit-message: "chore(deps): update stereoscope to ${{ steps.latest-version.outputs.LATEST_VERSION }}"
- title: "chore(deps): update stereoscope to ${{ steps.latest-version.outputs.LATEST_VERSION }}"
+ draft: ${{ steps.draft.outputs.status }}
+ # do not change this branch, as other workflows depend on it
+ branch: auto/integration
+ labels: dependencies,pre-release
+ commit-message: "chore(deps): update anchore dependencies"
+ title: "chore(deps): update anchore dependencies"
 body: |
- Update Stereoscope to ${{ steps.latest-version.outputs.LATEST_VERSION }}
+ Dependencies changed:
+ - Stereoscope: ${{ steps.stereoscope.outputs.original_version }} ➔ ${{ steps.stereoscope.outputs.resolved_version }} (${{ steps.stereoscope.outputs.action }})
 token: ${{ steps.generate-token.outputs.token }}
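Review bot: The new "Update Stereoscope" step in `.github/workflows/update-stereoscope-release.yml` references `anchore/workflows/.github/actions/update-go-dependency@add-dep-update`, a branch ref, while the other external actions visible in this file are pinned to full commit SHAs. Whatever that branch points to at run time executes inside the job's checkout and produces the go.mod change that later steps turn into a pull request using an app token. Pin it like the others, e.g. `uses: anchore/workflows/.github/actions/update-go-dependency@<full-commit-sha> # add-dep-update` (placeholder, the SHA is not on this page), and keep the TODO for the move to main. Separately, "Determine draft status" expands `${{ github.event.inputs.from }}` straight into the shell script. Passing it through `env: FROM: ${{ github.event.inputs.from }}` and testing `[ "$FROM" != "release" ]` keeps the value out of the script text, which is the safer habit even for a `choice` input.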
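Review bot: The added comment `# do not change this branch, as other workflows depend on it` does not say which workflows read `auto/integration`, and the same hunk drops `delete-branch: true` without explanation, so the branch now persists under a fixed name. I would expand the comment to name the dependents and state the intended lifetime, for example `# auto/integration is read by <dependent workflows> (not shown on this page); it is kept after merge on purpose, do not rename or delete it`. If those workflows build or publish from this branch, it is also worth confirming that only the app token generated above can push to it. The `with:` block these lines belong to begins in the context lines above the change.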