Pin dependencies #4

Workflow file for this run

.github/workflows/pin_deps.yml at 382789f

	name: Pin dependencies
	on:
	workflow_dispatch:
	schedule:
	- cron: '0 0 * * TUE' # run every Tuesday at midnight

	permissions: {}

	defaults:
	run:
	shell: bash

	jobs:
	pin:
	name: Generate dependency lock
	runs-on: ${{ matrix.os }}
	strategy:
	fail-fast: false # Don't cancel other jobs if one fails
	matrix:
	os: [ubuntu-latest, macos-latest, windows-latest]
	steps:
	- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	- uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
	with:
	python-version: 3.11
	cache: pip
	cache-dependency-path: \|
	model_signing/install/requirements_${{ runner.os }}.txt
	model_signing/install/requirements_test_${{ runner.os }}.txt
	slsa_for_models/install/requirements_${{ runner.os }}.txt
	- name: Create an empty virtualenv and install `pip-tools`
	run: \|
	set -exuo pipefail
	python -m venv venv
	.github/workflows/scripts/venv_activate.sh
	pip install pip-tools
	pip list # For debugging
	- name: Use `pip-compile` to generate all freeze files
	run: \|
	set -exuo pipefail
	.github/workflows/scripts/venv_activate.sh
	pip-compile --upgrade --generate-hashes --strip-extras --output-file=model_signing/install/requirements_${{ runner.os }}.txt model_signing/install/requirements.in
	pip-compile --upgrade --generate-hashes --strip-extras --output-file=model_signing/install/requirements_test_${{ runner.os }}.txt model_signing/install/requirements_test.in
	pip-compile --upgrade --generate-hashes --strip-extras --output-file=slsa_for_models/install/requirements_${{ runner.os }}.txt slsa_for_models/install/requirements.in
	- name: Test freeze file (for model signing)
	run: \|
	set -exuo pipefail
	rm -rf venv # Need clean sandbox
	python -m venv venv
	.github/workflows/scripts/venv_activate.sh
	pip install -r model_signing/install/requirements_${{ runner.os }}.txt
	pip list # For debugging
	- name: Test freeze file (for testing model signing)
	run: \|
	set -exuo pipefail
	rm -rf venv # Need clean sandbox
	python -m venv venv
	.github/workflows/scripts/venv_activate.sh
	pip install -r model_signing/install/requirements_test_${{ runner.os }}.txt
	pip list # For debugging
	- name: Test freeze file (for SLSA for models)
	run: \|
	set -exuo pipefail
	rm -rf venv # Need clean sandbox
	python -m venv venv
	.github/workflows/scripts/venv_activate.sh
	pip install -r slsa_for_models/install/requirements_${{ runner.os }}.txt
	pip list # For debugging
	- name: Upload freeze files
	uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
	with:
	name: freeze-files-${{ matrix.os }}
	path: .//install/requirements${{ runner.os }}*txt

	# Separate PR creation job to make sure it creates only one single PR with
	# all changed files, eliminate race-conditions and restrict permissions only
	# to this specific job.
	create-pr:
	needs: [pin]
	runs-on: ubuntu-latest
	permissions:
	contents: write
	pull-requests: write
	steps:
	- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	- uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
	with:
	path: .
	merge-multiple: true
	- name: Create dependent PR with dependency changes
	uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
	with:
	title: "Update frozen python dependencies"
	commit-message: "Bump frozen dependencies"
	committer: "Mihai Maruseac (automated) <mihaimaruseac@google.com>"
	author: "Mihai Maruseac (automated) <mihaimaruseac@google.com>"
	signoff: true
	delete-branch: true

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Pin dependencies #4

Workflow file

Pin dependencies #4

Jobs

Run details

Workflow file for this run