Update Deps #43
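# This is a workflow for updating Python dependencies with Poetry.
# Major version updates are handled separately, by Dependabot.
# It will also update the pre-commit hooks to use latest tags.
---
name: Update Deps

on:
  workflow_dispatch:
  # Run every Monday at 1435 UTC
  schedule:
    - cron: '35 14 * * 1'

# Least privilege for the automatic GITHUB_TOKEN. Its only use visible in this workflow is the
# `git push` in the commit step, which relies on the credentials persisted by actions/checkout.
# The pull request itself is opened with a separate PAT.
# NOTE(review): confirm no step depends on a broader default token scope.
permissions:
  contents: write

jobs:
  workflow-auto-updates:
    name: Update dependencies and hooks
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # It's only one Python version specified in a "matrix", but on purpose to stay DRY
        python-version: ["3.11"]
    defaults:
      run:
        shell: bash
    steps:
      # Third-party actions are pinned to full commit SHAs; the trailing comment records the matching tag.
      - name: Checkout the repo
        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2

      # This GPG key is for the `phylum-bot` account and used in order to ensure commits are signed/verified
      - name: Import GPG key for bot account
        uses: crazy-max/ghaction-import-gpg@72b6676b71ab476b77e676928516f6982eef7a41 # v5.3.0
        with:
          gpg_private_key: ${{ secrets.PHYLUM_BOT_GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PHYLUM_BOT_GPG_PASSPHRASE }}
          git_user_signingkey: true
          git_commit_gpgsign: true

      # NOTE(review): unlike the SHA-pinned actions, these tools are installed at whatever version is
      # current. They rewrite the lockfile and hook config that get committed with the bot's signing key,
      # so consider pinning them, e.g. `pipx install poetry==<POETRY_VERSION>` (placeholder).
      - name: Install poetry and pre-commit
        run: |
          pipx install poetry
          pipx install pre-commit

      - name: Configure poetry
        run: poetry config virtualenvs.in-project true

      - name: Set up Python
        uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b # v4.6.0
        with:
          python-version: ${{ matrix.python-version }}
          cache: 'poetry'

      # The project does not need to be installed to update the lockfile
      - name: Update Python dependencies
        run: |
          poetry env use python${{ matrix.python-version }}
          poetry update -vv --lock
          poetry lock --check

      # `--freeze` stores each hook revision as a commit hash instead of a mutable tag.
      - name: Update pre-commit hooks
        run: pre-commit autoupdate --freeze

      - name: Commit changes
        id: commit
        # `git commit` exits non-zero when there is nothing to commit. `continue-on-error` keeps the job
        # from failing in that case and the next step is skipped through the `outcome` check.
        # A failed `git push` is masked in the same way.
        continue-on-error: true
        # NOTE: The git user name and email used for commits is already configured,
        # by the crazy-max/ghaction-import-gpg action.
        #
        # The commit message is single-quoted on purpose: inside double quotes bash treats the
        # backticks as command substitution and would execute `poetry.lock` and `pre-commit`.
        # The push is forced because the `workflow-auto-updates` branch is reused on every run.
        run: |
          git commit -a -m 'build: Bump `poetry.lock` dependencies and `pre-commit` hooks'
          git push --force origin HEAD:workflow-auto-updates

      - name: Create Pull Request
        if: ${{ steps.commit.outcome == 'success' }}
        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
        with:
          # This PAT is for the `phylum-bot` account and only has the `public_repo` scope to limit privileges.
          github-token: ${{ secrets.GH_RELEASE_PAT }}
          script: |
            const response = await github.rest.pulls.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              head: "workflow-auto-updates",
              base: context.ref,
              title: "build: bump `poetry.lock` dependencies and `pre-commit` hooks",
              body: "Bump dependencies in `poetry.lock` and hooks in `.pre-commit-config.yaml`.",
            });
            console.log(response);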