-
Notifications
You must be signed in to change notification settings - Fork 1
99 lines (88 loc) · 3.96 KB
/
auto_updates.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
# This is a workflow for updating Python dependencies with Poetry.
# Major version updates are handled separately, by Dependabot.
# It will also update the pre-commit hooks to use latest tags.
---
name: Update Deps
on:
workflow_dispatch:
# Run every Monday at 1435 UTC
schedule:
- cron: '35 14 * * 1'
jobs:
workflow-auto-updates:
name: Update dependencies and hooks
runs-on: ubuntu-latest
env:
PYTHON_VERSION: "3.12"
POETRY_VERSION: "1.8.5"
defaults:
run:
shell: bash
steps:
- name: Checkout the repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
# This GPG key is for the `phylum-bot` account and used in order to ensure commits are signed/verified
- name: Import GPG key for bot account
uses: crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5 # v6.2.0
with:
gpg_private_key: ${{ secrets.PHYLUM_BOT_GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.PHYLUM_BOT_GPG_PASSPHRASE }}
git_user_signingkey: true
git_commit_gpgsign: true
- name: Install poetry
run: pipx install poetry==${{ env.POETRY_VERSION }}
- name: Configure poetry
run: poetry config virtualenvs.in-project true
- name: Set up Python
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
python-version: ${{ env.PYTHON_VERSION }}
cache: 'poetry'
- name: Install the project with poetry
run: |
poetry env use python${{ env.PYTHON_VERSION }}
poetry check --lock
poetry lock --no-update --no-cache
poetry install --verbose --no-root --sync --with qa
# Update hooks before dependencies because otherwise `pre-commit` may be updated and used before it can be trusted
#
# NOTE: Specific repos are specified for update since the autoupdated/frozen version here may not always be the
# latest version. This is the case for `poetry`, which has described the limitations of `pre-commit` here:
# https://python-poetry.org/docs/pre-commit-hooks/#why-does-pre-commit-autoupdate-not-update-to-the-latest-version
- name: Update pre-commit hooks
run: |
poetry run pre-commit autoupdate --freeze \
--repo https://github.com/pre-commit/pre-commit-hooks \
--repo https://github.com/psf/black \
--repo https://github.com/charliermarsh/ruff-pre-commit \
--repo https://github.com/dosisod/refurb \
--repo https://github.com/jendrikseipp/vulture \
--repo https://github.com/adrienverge/yamllint
- name: Update Python dependencies
run: |
poetry update -vv --lock --no-cache
poetry check --lock
- name: Commit changes
id: commit
continue-on-error: true
# NOTE: The git user name and email used for commits is already configured,
# by the crazy-max/ghaction-import-gpg action.
run: |
git commit -a -m "build: bump \`poetry.lock\` dependencies and \`pre-commit\` hooks"
git push --force origin HEAD:workflow-auto-updates
- name: Create Pull Request
if: ${{ steps.commit.outcome == 'success' }}
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
# This PAT is for the `phylum-bot` account and only has the `public_repo` scope to limit privileges.
github-token: ${{ secrets.GH_RELEASE_PAT }}
script: |
const response = await github.rest.pulls.create({
owner: context.repo.owner,
repo: context.repo.repo,
head: "workflow-auto-updates",
base: context.ref,
title: "build: bump `poetry.lock` dependencies and `pre-commit` hooks",
body: "Bump dependencies in `poetry.lock` and hooks in `.pre-commit-config.yaml`.",
});
console.log(response);