Skip to content

Pin dependencies

Pin dependencies #15

Workflow file for this run

name: Pin dependencies
on:
workflow_dispatch:
schedule:
- cron: '0 0 * * TUE' # run every Tuesday at midnight
permissions: {}
defaults:
run:
shell: bash
jobs:
pin:
name: Generate dependency lock
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false # Don't cancel other jobs if one fails
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
steps:
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
with:
python-version: 3.11
cache: pip
cache-dependency-path: |
model_signing/install/requirements_${{ runner.os }}.txt
model_signing/install/requirements_test_${{ runner.os }}.txt
slsa_for_models/install/requirements_${{ runner.os }}.txt
- name: Create an empty virtualenv and install `pip-tools`
run: |
set -exuo pipefail
python -m venv venv
.github/workflows/scripts/venv_activate.sh
pip install pip-tools
pip list # For debugging
- name: Use `pip-compile` to generate all freeze files
run: |
set -exuo pipefail
.github/workflows/scripts/venv_activate.sh
pip-compile --upgrade --generate-hashes --strip-extras --output-file=model_signing/install/requirements_${{ runner.os }}.txt model_signing/install/requirements.in
pip-compile --upgrade --generate-hashes --strip-extras --output-file=model_signing/install/requirements_test_${{ runner.os }}.txt model_signing/install/requirements_test.in
pip-compile --upgrade --generate-hashes --strip-extras --output-file=slsa_for_models/install/requirements_${{ runner.os }}.txt slsa_for_models/install/requirements.in
- name: Test freeze file (for model signing)
run: |
set -exuo pipefail
rm -rf venv # Need clean sandbox
python -m venv venv
.github/workflows/scripts/venv_activate.sh
pip install -r model_signing/install/requirements_${{ runner.os }}.txt
pip list # For debugging
- name: Test freeze file (for testing model signing)
run: |
set -exuo pipefail
rm -rf venv # Need clean sandbox
python -m venv venv
.github/workflows/scripts/venv_activate.sh
pip install -r model_signing/install/requirements_test_${{ runner.os }}.txt
pip list # For debugging
- name: Test freeze file (for SLSA for models)
run: |
set -exuo pipefail
rm -rf venv # Need clean sandbox
python -m venv venv
.github/workflows/scripts/venv_activate.sh
pip install -r slsa_for_models/install/requirements_${{ runner.os }}.txt
pip list # For debugging
- name: Upload freeze files
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: freeze-files-${{ matrix.os }}
path: ./*/install/requirements*${{ runner.os }}*txt
# Separate PR creation job to make sure it creates only one single PR with
# all changed files, eliminate race-conditions and restrict permissions only
# to this specific job.
create-pr:
needs: [pin]
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
steps:
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
path: .
merge-multiple: true
- name: Create dependent PR with dependency changes
uses: peter-evans/create-pull-request@70a41aba780001da0a30141984ae2a0c95d8704e # v6.0.2
with:
title: "Update frozen python dependencies"
commit-message: "Bump frozen dependencies"
signoff: true
delete-branch: true