Pin dependencies #24

Workflow file for this run

.github/workflows/pin_deps.yml at 220d5c7

	name: Pin dependencies
	on:
	workflow_dispatch:
	schedule:
	- cron: '0 0 * * TUE' # run every Tuesday at midnight

	permissions: {}

	defaults:
	run:
	shell: bash

	jobs:
	pin:
	name: Generate dependency lock
	runs-on: ${{ matrix.os }}
	strategy:
	fail-fast: false # Don't cancel other jobs if one fails
	matrix:
	os: [ubuntu-latest, macos-latest, windows-latest]
	include:
	- os: ubuntu-latest
	os_family: Linux
	- os: macos-latest
	os_family: Darwin
	- os: windows-latest
	os_family: Windows
	steps:
	- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
	- uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
	with:
	python-version: 3.11
	cache: pip
	cache-dependency-path: \|
	model_signing/install/requirements_${{ matrix.os_family }}.txt
	model_signing/install/requirements_test_${{ matrix.os_family }}.txt
	slsa_for_models/install/requirements_${{ matrix.os_family }}.txt
	- name: Create an empty virtualenv and install `pip-tools`
	run: \|
	set -exuo pipefail
	python -m venv venv
	.github/workflows/scripts/venv_activate.sh
	pip install pip-tools
	pip list # For debugging
	- name: Use `pip-compile` to generate all freeze files
	run: \|
	set -exuo pipefail
	.github/workflows/scripts/venv_activate.sh
	pip-compile --upgrade --generate-hashes --strip-extras --output-file=model_signing/install/requirements_${{ matrix.os_family }}.txt model_signing/install/requirements.in
	pip-compile --upgrade --generate-hashes --strip-extras --output-file=model_signing/install/requirements_test_${{ matrix.os_family }}.txt model_signing/install/requirements_test.in
	pip-compile --upgrade --generate-hashes --strip-extras --output-file=slsa_for_models/install/requirements_${{ matrix.os_family }}.txt slsa_for_models/install/requirements.in
	- name: Test freeze file (for model signing)
	run: \|
	set -exuo pipefail
	rm -rf venv # Need clean sandbox
	python -m venv venv
	.github/workflows/scripts/venv_activate.sh
	pip install -r model_signing/install/requirements_${{ matrix.os_family }}.txt
	pip list # For debugging
	- name: Test freeze file (for testing model signing)
	run: \|
	set -exuo pipefail
	rm -rf venv # Need clean sandbox
	python -m venv venv
	.github/workflows/scripts/venv_activate.sh
	pip install -r model_signing/install/requirements_test_${{ matrix.os_family }}.txt
	pip list # For debugging
	- name: Test freeze file (for SLSA for models)
	run: \|
	set -exuo pipefail
	rm -rf venv # Need clean sandbox
	python -m venv venv
	.github/workflows/scripts/venv_activate.sh
	pip install -r slsa_for_models/install/requirements_${{ matrix.os_family }}.txt
	pip list # For debugging
	- name: Upload freeze files
	uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
	with:
	name: freeze-files-${{ matrix.os }}
	path: .//install/requirements${{ matrix.os_family }}*txt

	# Separate PR creation job to make sure it creates only one single PR with
	# all changed files, eliminate race-conditions and restrict permissions only
	# to this specific job.
	create-pr:
	needs: [pin]
	runs-on: ubuntu-latest
	permissions:
	contents: write
	pull-requests: write
	steps:
	- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
	- uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
	with:
	path: .
	merge-multiple: true
	- name: Create dependent PR with dependency changes
	uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
	with:
	title: "Update frozen python dependencies"
	commit-message: "Bump frozen dependencies"
	signoff: true
	delete-branch: true

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Pin dependencies #24

Workflow file

Pin dependencies #24

Jobs

Run details

Workflow file for this run