Make the dependency pinning action create a PR and update all depende…

…ncies (#99)

* Try updating dependencies

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

* Use real person

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

---------

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

.github/workflows/pin_deps.yml

@@ -1,72 +1,98 @@
-name: Pin dependencies
-on:
-  workflow_dispatch
-
-permissions: {}
-
-defaults:
-  run:
-    shell: bash
-
-jobs:
-  pin:
-    name: Generate dependency lock
-    runs-on: ${{ matrix.os }}
-    strategy:
-      fail-fast: false # Don't cancel other jobs if one fails
-      matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-    steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-    - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
-      with:
-        python-version: 3.11
-        cache: pip
-        cache-dependency-path: |
-          model_signing/install/requirements_${{ runner.os }}.txt
-          model_signing/install/requirements_test_${{ runner.os }}.txt
-          slsa_for_models/install/requirements_${{ runner.os }}.txt
-    - name: Create an empty virtualenv and install `pip-tools`
-      run: |
-        set -exuo pipefail
-        python -m venv venv
-        .github/workflows/scripts/venv_activate.sh
-        pip install pip-tools
-        pip list  # For debugging
-    - name: Use `pip-compile` to generate all freeze files
-      run: |
-        set -exuo pipefail
-        .github/workflows/scripts/venv_activate.sh
-        # TODO(mihaimaruseac): Should we separate these into separate steps?
-        pip-compile --upgrade --generate-hashes --strip-extras --output-file=model_signing/install/requirements_${{ runner.os }}.txt model_signing/install/requirements.in
-        pip-compile --upgrade --generate-hashes --strip-extras --output-file=model_signing/install/requirements_test_${{ runner.os }}.txt model_signing/install/requirements_test.in
-        pip-compile --upgrade --generate-hashes --strip-extras --output-file=slsa_for_models/install/requirements_${{ runner.os }}.txt slsa_for_models/install/requirements.in
-    - name: Test freeze file (for model signing)
-      run: |
-        set -exuo pipefail
-        rm -rf venv  # Need clean sandbox
-        python -m venv venv
-        .github/workflows/scripts/venv_activate.sh
-        pip install -r model_signing/install/requirements_${{ runner.os }}.txt
-        pip list  # For debugging
-    - name: Test freeze file (for testing model signing)
-      run: |
-        set -exuo pipefail
-        rm -rf venv  # Need clean sandbox
-        python -m venv venv
-        .github/workflows/scripts/venv_activate.sh
-        pip install -r model_signing/install/requirements_test_${{ runner.os }}.txt
-        pip list  # For debugging
-    - name: Test freeze file (for SLSA for models)
-      run: |
-        set -exuo pipefail
-        rm -rf venv  # Need clean sandbox
-        python -m venv venv
-        .github/workflows/scripts/venv_activate.sh
-        pip install -r slsa_for_models/install/requirements_${{ runner.os }}.txt
-        pip list  # For debugging
-    - name: Upload freeze files
-      uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
-      with:
-        name: freeze-files-${{ matrix.os }}
-        path: ./*/install/requirements*txt
+name: Pin dependencies
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 0 * * TUE' # run every Tuesday at midnight
+
+permissions: {}
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  pin:
+    name: Generate dependency lock
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false # Don't cancel other jobs if one fails
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+    steps:
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+      with:
+        python-version: 3.11
+        cache: pip
+        cache-dependency-path: |
+          model_signing/install/requirements_${{ runner.os }}.txt
+          model_signing/install/requirements_test_${{ runner.os }}.txt
+          slsa_for_models/install/requirements_${{ runner.os }}.txt
+    - name: Create an empty virtualenv and install `pip-tools`
+      run: |
+        set -exuo pipefail
+        python -m venv venv
+        .github/workflows/scripts/venv_activate.sh
+        pip install pip-tools
+        pip list  # For debugging
+    - name: Use `pip-compile` to generate all freeze files
+      run: |
+        set -exuo pipefail
+        .github/workflows/scripts/venv_activate.sh
+        pip-compile --upgrade --generate-hashes --strip-extras --output-file=model_signing/install/requirements_${{ runner.os }}.txt model_signing/install/requirements.in
+        pip-compile --upgrade --generate-hashes --strip-extras --output-file=model_signing/install/requirements_test_${{ runner.os }}.txt model_signing/install/requirements_test.in
+        pip-compile --upgrade --generate-hashes --strip-extras --output-file=slsa_for_models/install/requirements_${{ runner.os }}.txt slsa_for_models/install/requirements.in
+    - name: Test freeze file (for model signing)
+      run: |
+        set -exuo pipefail
+        rm -rf venv  # Need clean sandbox
+        python -m venv venv
+        .github/workflows/scripts/venv_activate.sh
+        pip install -r model_signing/install/requirements_${{ runner.os }}.txt
+        pip list  # For debugging
+    - name: Test freeze file (for testing model signing)
+      run: |
+        set -exuo pipefail
+        rm -rf venv  # Need clean sandbox
+        python -m venv venv
+        .github/workflows/scripts/venv_activate.sh
+        pip install -r model_signing/install/requirements_test_${{ runner.os }}.txt
+        pip list  # For debugging
+    - name: Test freeze file (for SLSA for models)
+      run: |
+        set -exuo pipefail
+        rm -rf venv  # Need clean sandbox
+        python -m venv venv
+        .github/workflows/scripts/venv_activate.sh
+        pip install -r slsa_for_models/install/requirements_${{ runner.os }}.txt
+        pip list  # For debugging
+    - name: Upload freeze files
+      uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
+      with:
+        name: freeze-files-${{ matrix.os }}
+        path: ./*/install/requirements*${{ runner.os }}*txt
+
+  # Separate PR creation job to make sure it creates only one single PR with
+  # all changed files, eliminate race-conditions and restrict permissions only
+  # to this specific job.
+  create-pr:
+    needs: [pin]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
+      with:
+        path: .
+        merge-multiple: true
+    - name: Create dependent PR with dependency changes
+      uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
+      with:
+        title: "Update frozen python dependencies"
+        commit-message: "Bump frozen dependencies"
+        committer: "Mihai Maruseac (automated) <mihaimaruseac@google.com>"
+        author: "Mihai Maruseac (automated) <mihaimaruseac@google.com>"
+        signoff: true
+        delete-branch: true

slsa_for_models/install/requirements.in

@@ -1,2 +1,3 @@
 tensorflow
 torch
+torchvision