Pin Requirements #28
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Pin Requirements | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| tag: | |
| description: Tag to pin dependencies against. | |
| required: false | |
| type: string | |
| workflow_call: | |
| inputs: | |
| tag: | |
| description: Tag to pin dependencies against. | |
| required: false | |
| type: string | |
| permissions: | |
| contents: read | |
| jobs: | |
| update-pinned-requirements: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write # Branch creation for PR. | |
| outputs: | |
| sigstore-release-tag: ${{ steps.get-branch.outputs.sigstore-release-tag }} | |
| sigstore-pin-requirements-branch: ${{ steps.get-branch.outputs.sigstore-pin-requirements-branch }} | |
| steps: | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| with: | |
| ref: main | |
| # NOTE: Needed for `git describe` below. | |
| fetch-depth: 0 | |
| fetch-tags: true | |
| - name: Get latest tag | |
| run: | | |
| latest_tag=$(git describe --tags --abbrev=0) | |
| echo "LATEST_TAG=${latest_tag}" >> "${GITHUB_ENV}" | |
| - name: Set SIGSTORE_RELEASE_TAG and SIGSTORE_NEW_BRANCH | |
| id: get-branch | |
| env: | |
| INPUT_TAG: "${{ inputs.tag }}" | |
| run: | | |
| if [[ -n "${INPUT_TAG}" ]]; then | |
| effective_tag="${INPUT_TAG}" | |
| else | |
| effective_tag="${LATEST_TAG}" | |
| fi | |
| # Environment | |
| echo "SIGSTORE_RELEASE_TAG=${effective_tag}" >> "${GITHUB_ENV}" | |
| echo "SIGSTORE_NEW_BRANCH=pin-requirements/sigstore/${effective_tag}" >> "${GITHUB_ENV}" | |
| # Outputs | |
| echo "sigstore-release-tag=${effective_tag}" >> "${GITHUB_OUTPUT}" | |
| echo "sigstore-pin-requirements-branch=pin-requirements/sigstore/${effective_tag}" >> "${GITHUB_OUTPUT}" | |
| - name: Configure git | |
| run: | | |
| # Set up committer info. | |
| # https://github.com/orgs/community/discussions/26560 | |
| git config user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
| git config user.name "github-actions[bot]" | |
| - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 | |
| with: | |
| python-version-file: install/.python-version | |
| cache: "pip" | |
| cache-dependency-path: pyproject.toml | |
| - run: pip install pip-tools | |
| - name: Compute version from tag | |
| run: | | |
| echo "SIGSTORE_RELEASE_VERSION=$(echo "${SIGSTORE_RELEASE_TAG}" | sed 's/^v//')" >> "${GITHUB_ENV}" | |
| - name: Update requirements | |
| run: | | |
| cd install | |
| echo "sigstore==${SIGSTORE_RELEASE_VERSION}" > requirements.in | |
| pip-compile --allow-unsafe --generate-hashes --upgrade --output-file=requirements.txt requirements.in | |
| - name: Commit changes and push to branch | |
| run: | | |
| git commit --all -s -m "[BOT] install: update pinned requirements" | |
| git push -f origin "main:${SIGSTORE_NEW_BRANCH}" | |
| test-requirements: | |
| needs: update-pinned-requirements | |
| uses: ./.github/workflows/requirements.yml | |
| with: | |
| # We can't use `env` variables in this context. | |
| # https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability | |
| ref: ${{ needs.update-pinned-requirements.outputs.sigstore-pin-requirements-branch }} | |
| create-pr: | |
| needs: | |
| - update-pinned-requirements | |
| - test-requirements | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write # Pull Request branch modification. | |
| pull-requests: write # Pull Request creation. | |
| env: | |
| SIGSTORE_RELEASE_TAG: ${{ needs.update-pinned-requirements.outputs.sigstore-release-tag }} | |
| SIGSTORE_PIN_REQUIREMENTS_BRANCH: ${{ needs.update-pinned-requirements.outputs.sigstore-pin-requirements-branch }} | |
| steps: | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| with: | |
| ref: ${{ env.SIGSTORE_PIN_REQUIREMENTS_BRANCH }} | |
| - name: Reset remote PR branch | |
| run: | | |
| git fetch origin main | |
| git push -f origin "origin/main:${SIGSTORE_PIN_REQUIREMENTS_BRANCH}" | |
| - name: Open pull request | |
| uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0 | |
| with: | |
| title: | | |
| Update pinned requirements for ${{ env.SIGSTORE_RELEASE_TAG }} | |
| body: | | |
| Pins dependencies for <https://github.com/sigstore/sigstore-python/releases/tag/${{ env.SIGSTORE_RELEASE_TAG }}>. | |
| base: main | |
| branch: ${{ env.SIGSTORE_PIN_REQUIREMENTS_BRANCH }} | |
| delete-branch: true |