pip-tools.yml

---

name: 🔒 pip-tools

on:
  workflow_dispatch:
    inputs:
      package-distribuition:
        # github.event_name == 'workflow_dispatch'
        # && github.event.inputs.package-distribuition
        description: >-
          A target Python package distribution to upgrade
        required: false
  pull_request:
    paths:
    - .github/workflows/pip-tools.yml
  schedule:
  - cron: 1 0 * * *  # Run daily at 0:01 UTC

env:
  GIT_BRANCH: >-
    maintenance/pip-tools-constraint-lockfiles${{
      (
      github.event_name == 'workflow_dispatch'
      && github.event.inputs.package-distribuition
      )
      && format('-updating-{0}', github.event.inputs.package-distribuition)
      || ''
    }}
  PIP_DISABLE_PIP_VERSION_CHECK: 1
  PIP_NO_PYTHON_VERSION_WARNING: 1
  PIP_NO_WARN_SCRIPT_LOCATION: 1
  PY_COLORS: 1

concurrency:
  group: >-
    ${{
        github.workflow
    }}-${{
        github.event.inputs.package-distribuition
        || github.event.pull_request.number
        || github.sha
    }}
  cancel-in-progress: true

run-name: >-
  ⮸
  Bumping
  ${{
  (
      github.event_name == 'workflow_dispatch'
      && github.event.inputs.package-distribuition
  )
  && format('`{0}`', github.event.inputs.package-distribuition)
  || 'everything'
  }}
  in all the lock files
  🔒

jobs:

  deps:
    name: >-
      ⛓${{ matrix.lock-file-env }}:
      🐍${{
          matrix.python-version
      }}@${{
          matrix.os
      }}
    runs-on: ${{ matrix.os }}

    timeout-minutes: 3

    strategy:
      matrix:
        python-version:
        # NOTE: The latest and the lowest supported Pythons are prioritized
        # NOTE: to improve the responsiveness. It's nice to see the most
        # NOTE: important results first.
        - 3.12
        - 3.11
        - ~3.13.0-0
        os:
        - ubuntu-22.04
        - macos-14
        - macos-13
        - windows-2019
        lock-file-env:
        - build-dists
        - build-docs
        - linkcheck-docs
        - metadata-validation
        - pip-compile
        - pip-compile-build-lock
        - pip-compile-tox-env-lock
        - pre-commit
        - py
        - tox
        - spellcheck-docs
        lock-file-extra-input:
        - pyproject.toml
        - ''
        exclude:
        - lock-file-env: build-dists
          lock-file-extra-input: pyproject.toml
        - lock-file-env: build-docs
          lock-file-extra-input: ''
        - lock-file-env: linkcheck-docs
          lock-file-extra-input: ''
        - lock-file-env: metadata-validation
          lock-file-extra-input: pyproject.toml
        - lock-file-env: pip-compile
          lock-file-extra-input: pyproject.toml
        - lock-file-env: pip-compile-build-lock
          lock-file-extra-input: pyproject.toml
        - lock-file-env: pip-compile-tox-env-lock
          lock-file-extra-input: pyproject.toml
        - lock-file-env: pre-commit
          lock-file-extra-input: pyproject.toml
        - lock-file-env: py
          lock-file-extra-input: ''
        - lock-file-env: tox
          lock-file-extra-input: pyproject.toml
        - lock-file-env: spellcheck-docs
          lock-file-extra-input: ''

    env:
      TOXENV: pip-compile-tox-env-lock

    steps:
    - name: Grab the source from Git
      uses: actions/checkout@v4  # Keep before `setup-python` for cache to work

    - name: Set up Python ${{ matrix.python-version }}
      uses: actions/setup-python@v5
      with:
        cache: pip
        cache-dependency-path: requirements/**
        python-version: ${{ matrix.python-version }}

    - name: Identify tox's own lock file
      id: tox-deps
      run: >
        LOCK_FILE_PATH="requirements/$(
        python bin/print_lockfile_base_name.py tox
        ).txt"


        echo lock-file="$(
        ls -1 "${LOCK_FILE_PATH}"
        || >&2 echo "${LOCK_FILE_PATH}" not found, not injecting...
        )"
        >> "${GITHUB_OUTPUT}"
      shell: bash  # windows compat

    - name: Install tox
      run: >-
        python -Im pip install -r requirements/tox-tox.in
        ${{
          steps.tox-deps.outputs.lock-file
          && format('--constraint={0}', steps.tox-deps.outputs.lock-file)
          || ''
        }}
      shell: bash  # windows compat

    - name: Pre-populate the tox env
      run: python -Im tox --skip-missing-interpreters false --notest

    - name: Setup git user as [bot]
      # Refs:
      # * https://github.community/t/github-actions-bot-email-address/17204/6
      # * https://github.com/actions/checkout/issues/13#issuecomment-724415212
      uses: fregante/setup-git-user@v2.0.1

    - name: Generate constraints files
      run: >-
        python -Im tox r
        --
        ${{ matrix.lock-file-env }} ${{ matrix.lock-file-extra-input }}
        ${{
          (
            github.event_name == 'workflow_dispatch'
            && github.event.inputs.package-distribuition
          )
          && format(
            '--upgrade-package="{0}"',
            github.event.inputs.package-distribuition
          )
          || '--upgrade'
        }}

    - name: Commit version bumps to Git
      id: constraints
      run: |
        LOCK_BASE_NAME=$(python bin/print_lockfile_base_name.py ${{
          matrix.lock-file-env
        }})

        git add "requirements/${LOCK_BASE_NAME}.txt"

        git commit "requirements/${LOCK_BASE_NAME}.txt" \
          -m "Update ${LOCK_BASE_NAME} constraints${{
          (
          github.event_name == 'workflow_dispatch'
          && github.event.inputs.package-distribuition
          )
          && format(' for {0}', github.event.inputs.package-distribuition)
          || ''
          }}" \
          && {
            echo "patch=${{
              runner.temp
            }}/patches/0001-Update-${LOCK_BASE_NAME}-constraints.patch" \
            >> "${GITHUB_OUTPUT}"
          } \
          || :
      shell: bash  # windows compat

    - name: Log the patch
      if: steps.constraints.outputs.patch
      run: git show --color
    - name: Create a temporary patch directory
      if: steps.constraints.outputs.patch
      run: mkdir -pv '${{ runner.temp }}/patches'
      shell: bash  # windows compat
    - name: Create a patch from the last Git commit
      if: steps.constraints.outputs.patch
      run: >-
        git format-patch
        --output='${{ steps.constraints.outputs.patch }}'
        -1
        HEAD
    - name: Make a GHA artifact suffix
      if: steps.constraints.outputs.patch
      id: random
      run: >-
        echo uuid=$(python -c 'import uuid; print(uuid.uuid4())')
        >> "${GITHUB_OUTPUT}"
      shell: bash  # windows compat
    - name: Save the package bump patch as a GHA artifact
      if: steps.constraints.outputs.patch
      uses: actions/upload-artifact@v4
      with:
        name: pip-constraints-git-patches--${{ steps.random.outputs.uuid }}
        path: ${{ steps.constraints.outputs.patch }}

  check:  # This job does nothing and is only used for the branch protection
    if: always()

    needs:
    - deps

    runs-on: ubuntu-latest

    timeout-minutes: 1

    steps:
    - name: Decide whether the needed jobs succeeded or failed
      uses: re-actors/alls-green@release/v1
      with:
        jobs: ${{ toJSON(needs) }}

  publish-pr:
    name: Open/refresh a PR
    if: github.event_name != 'pull_request'

    needs:
    - check

    runs-on: Ubuntu-latest

    timeout-minutes: 1

    environment:
      name: pip-tools
      url: ${{ steps.pr.outputs.pull_request_url }}

    permissions:
      contents: write
      pull-requests: write

    steps:
    - name: Download all the dists
      id: artifacts-download
      continue-on-error: true  # and judge whether there's updates later
      uses: actions/download-artifact@v4
      with:
        merge-multiple: true
        path: ${{ runner.temp }}/patches/
        pattern: pip-constraints-git-patches--*
    - name: >-
        Determine whether any change suggestions to lockfiles
        have been produced
      if: steps.artifacts-download.outcome == 'success'
      id: artifacts
      run: >-
        echo "lockfile-updates-needed=true" >> "${GITHUB_OUTPUT}"
    - name: Grab the source from Git
      if: steps.artifacts.outputs.lockfile-updates-needed
      uses: actions/checkout@v4
    - name: Setup git user as [bot]
      if: steps.artifacts.outputs.lockfile-updates-needed
      # Refs:
      # * https://github.community/t/github-actions-bot-email-address/17204/6
      # * https://github.com/actions/checkout/issues/13#issuecomment-724415212
      uses: fregante/setup-git-user@v2.0.1

    - name: Figure out if the pre-existing remote branch exists
      if: steps.artifacts.outputs.lockfile-updates-needed
      id: pre-existing-remote-branch
      run: >-
        echo "info=$(
        git ls-remote origin "${GIT_BRANCH}"
        )" >> "${GITHUB_OUTPUT}"
    - name: Fetch the existing remote PR branch
      if: steps.pre-existing-remote-branch.outputs.info
      run: git fetch origin "${GIT_BRANCH}"
    - name: Switch to the PR branch
      if: steps.artifacts.outputs.lockfile-updates-needed
      run: git checkout -B "${GIT_BRANCH}"

    - name: List Git patches
      if: steps.artifacts.outputs.lockfile-updates-needed
      run: ls -alh '${{ runner.temp }}/patches/'
    - name: Apply patches to the Git repo
      if: steps.artifacts.outputs.lockfile-updates-needed
      run: git am '${{ runner.temp }}/patches'/*.patch
    - name: Force-push the PR branch to remote
      if: steps.artifacts.outputs.lockfile-updates-needed
      run: git push origin "HEAD:${GIT_BRANCH}" --force-with-lease

    - name: Create a PR
      if: >-
        !steps.pre-existing-remote-branch.outputs.info
        && steps.artifacts.outputs.lockfile-updates-needed
      id: new-pr
      uses: vsoch/pull-request-action@1.1.1
      env:
        BRANCH_PREFIX: ''
        GITHUB_TOKEN: ${{ github.token }}
        PULL_REQUEST_BODY: >-
          Automated pip-tools-managed pip constraint lockfiles update.
        PULL_REQUEST_BRANCH: ${{ github.event.repository.default_branch }}
        PULL_REQUEST_DRAFT: true
        PULL_REQUEST_FROM_BRANCH: ${{ env.GIT_BRANCH }}
        PULL_REQUEST_TITLE: >-
          ⛓🔒 Bump transitive deps in pip-tools-managed lockfiles${{
          (
          github.event_name == 'workflow_dispatch'
          && github.event.inputs.package-distribuition
          )
          && format(' for {0}', github.event.inputs.package-distribuition)
          || ''
          }}
    - name: Retrieve the existing PR URL
      if: steps.pre-existing-remote-branch.outputs.info
      id: existing-pr
      env:
        GITHUB_TOKEN: ${{ github.token }}
      run: >
        echo -n pull_request_url=
        >> "${GITHUB_OUTPUT}"


        gh pr view
        --json 'url'
        --jq '.url'
        --repo '${{ github.repository }}'
        '${{ env.GIT_BRANCH }}'
        >> "${GITHUB_OUTPUT}"
    - name: Select the actual PR URL
      id: pr
      env:
        GITHUB_TOKEN: ${{ github.token }}
      run: >
        echo -n pull_request_url=
        >> "${GITHUB_OUTPUT}"


        echo '${{
          steps.new-pr.outputs.pull_request_url
          || steps.existing-pr.outputs.pull_request_url
        }}'
        >> "${GITHUB_OUTPUT}"
    - name: Log the pull request details
      run: >-
        echo 'PR URL: ${{ steps.pr.outputs.pull_request_url }}'
        | tee -a "${GITHUB_STEP_SUMMARY}"

    - name: Instruct the maintainers to trigger CI by undrafting the PR
      env:
        GITHUB_TOKEN: ${{ github.token }}
      run: >-
        gh pr comment
        --body 'Please mark the PR as ready for review to trigger PR checks.'
        --repo '${{ github.repository }}'
        '${{ steps.pr.outputs.pull_request_url }}'

...