From f8a4aeab3f8dde9d1dae6ab123992216bb3b57bd Mon Sep 17 00:00:00 2001 From: Maxwell G Date: Wed, 24 Jan 2024 19:43:58 +0000 Subject: [PATCH 1/2] ci pip-compile: disable workflow_dispatch for reusable workflow We don't really need this, and it's a bit of a security hole. The individual pip-compile-dev and pip-compile-docs have workflow_dispatch which can be used instead. --- .github/workflows/reusable-pip-compile.yml | 25 ---------------------- 1 file changed, 25 deletions(-) diff --git a/.github/workflows/reusable-pip-compile.yml b/.github/workflows/reusable-pip-compile.yml index 802be4e7e26..f040aa870e3 100644 --- a/.github/workflows/reusable-pip-compile.yml +++ b/.github/workflows/reusable-pip-compile.yml @@ -3,8 +3,6 @@ name: "Refresh pinned dependencies" "on": workflow_call: - # GHA does not support anchors :( - # inputs: &inputs inputs: # Commit messae and PR title message: @@ -31,29 +29,6 @@ name: "Refresh pinned dependencies" reset-branch: type: boolean default: false - workflow_dispatch: - # inputs: *inputs - inputs: - message: - type: string - required: true - pr-branch: - type: string - required: true - base-branch: - type: string - required: true - nox-args: - type: string - required: true - changed-files: - default: "tests/*.txt" - type: string - required: false - reset-branch: - type: boolean - default: false - jobs: refresh: runs-on: ubuntu-latest From c29f39ed221976c86209f8a778d558a723303f01 Mon Sep 17 00:00:00 2001 From: Maxwell G Date: Wed, 24 Jan 2024 19:48:43 +0000 Subject: [PATCH 2/2] nox pip-compile: don't use env to pass nox args Using env here messes up the quoting for the args passed from the calling workflows. Now that workflow_dispatch is disabled for the reusable workflow, it should be safe to use GHA workflow templating directly. --- .github/workflows/reusable-pip-compile.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/.github/workflows/reusable-pip-compile.yml b/.github/workflows/reusable-pip-compile.yml index f040aa870e3..06e9ee92f45 100644 --- a/.github/workflows/reusable-pip-compile.yml +++ b/.github/workflows/reusable-pip-compile.yml @@ -77,9 +77,8 @@ jobs: # Ensure the latest pip version is used VIRTUALENV_DOWNLOAD: '1' # - nox_args: "${{ inputs.nox-args }}" run: | - nox ${nox_args} + nox ${{ inputs.nox-args }} - name: Push new dependency versions and create a PR env: GITHUB_TOKEN: ${{ steps.create_token.outputs.token }}
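Review bot: The new `nox ${{ inputs.nox-args }}` line is expanded into the script text before the shell parses it, so any shell metacharacters in `nox-args` now run as commands in this job, whose next step uses a token from `steps.create_token`. Removing `workflow_dispatch` closes the manual entry point, but the step is then only as safe as every `workflow_call` caller, and nothing in the file records that assumption. I would add a comment above `run:` such as `# inputs.nox-args is templated straight into the script: callers must pass only static, trusted values`. If the quoting problem can be solved another way, keeping the `nox_args` env variable and splitting it with a quote-aware parser instead of the shell would remove the dependency on callers; that alternative is untested here. The step itself begins outside the hunk, so its `env:` block is only partly visible.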