Skip to content

Pin dependencies

Pin dependencies #24

Workflow file for this run

name: Pin dependencies
on:
workflow_dispatch:
schedule:
- cron: '0 0 * * TUE' # run every Tuesday at midnight
permissions: {}
defaults:
run:
shell: bash
jobs:
pin:
name: Generate dependency lock
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false # Don't cancel other jobs if one fails
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
include:
- os: ubuntu-latest
os_family: Linux
- os: macos-latest
os_family: Darwin
- os: windows-latest
os_family: Windows
steps:
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
with:
python-version: 3.11
cache: pip
cache-dependency-path: |
model_signing/install/requirements_${{ matrix.os_family }}.txt
model_signing/install/requirements_test_${{ matrix.os_family }}.txt
slsa_for_models/install/requirements_${{ matrix.os_family }}.txt
- name: Create an empty virtualenv and install `pip-tools`
run: |
set -exuo pipefail
python -m venv venv
.github/workflows/scripts/venv_activate.sh
pip install pip-tools
pip list # For debugging
- name: Use `pip-compile` to generate all freeze files
run: |
set -exuo pipefail
.github/workflows/scripts/venv_activate.sh
pip-compile --upgrade --generate-hashes --strip-extras --output-file=model_signing/install/requirements_${{ matrix.os_family }}.txt model_signing/install/requirements.in
pip-compile --upgrade --generate-hashes --strip-extras --output-file=model_signing/install/requirements_test_${{ matrix.os_family }}.txt model_signing/install/requirements_test.in
pip-compile --upgrade --generate-hashes --strip-extras --output-file=slsa_for_models/install/requirements_${{ matrix.os_family }}.txt slsa_for_models/install/requirements.in
- name: Test freeze file (for model signing)
run: |
set -exuo pipefail
rm -rf venv # Need clean sandbox
python -m venv venv
.github/workflows/scripts/venv_activate.sh
pip install -r model_signing/install/requirements_${{ matrix.os_family }}.txt
pip list # For debugging
- name: Test freeze file (for testing model signing)
run: |
set -exuo pipefail
rm -rf venv # Need clean sandbox
python -m venv venv
.github/workflows/scripts/venv_activate.sh
pip install -r model_signing/install/requirements_test_${{ matrix.os_family }}.txt
pip list # For debugging
- name: Test freeze file (for SLSA for models)
run: |
set -exuo pipefail
rm -rf venv # Need clean sandbox
python -m venv venv
.github/workflows/scripts/venv_activate.sh
pip install -r slsa_for_models/install/requirements_${{ matrix.os_family }}.txt
pip list # For debugging
- name: Upload freeze files
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: freeze-files-${{ matrix.os }}
path: ./*/install/requirements*${{ matrix.os_family }}*txt
# Separate PR creation job to make sure it creates only one single PR with
# all changed files, eliminate race-conditions and restrict permissions only
# to this specific job.
create-pr:
needs: [pin]
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
steps:
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
path: .
merge-multiple: true
- name: Create dependent PR with dependency changes
uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
with:
title: "Update frozen python dependencies"
commit-message: "Bump frozen dependencies"
signoff: true
delete-branch: true