.github: workflows: Introduce a new dependabot pip-compile workflow

This workflow is a direct consequence of the asynchronous release schedule of pydantic and pydantic core and the fact that pydantic is always pinned to a particular pydantic-core version. Dependabot doesn't see these transitive relations and so can't properly update the versions in this case (it always assumes the latest for every dependency). This will naturally lead to broken CI making these version updates impossible to merge. Since our project directly only cares about pydantic and not pydantic-core, we can ignore pydantic-core updates (future patch) and run a dedicated workflow on every dependabot pull request that would check whether any additional changes (i.e. transitive dependency version locks) to our requirements files are needed. If so, then the GitHub actions bot will comment on the pull request that a change to these files is needed and will provide a patch to the reviewer to apply and update the pull request. The workflow is only executed when changes to the requirements files are proposed (realistically only by dependabot). Note that it's not possible to specify the source branch as the workflow trigger, only the target branch, and so that could not have been used as a better filter for dependabot-proposed pull requests specifically. It is run using a Python Alpine docker image, saves the git diff produced by pip-compile to the default github actions environment followed by a github script action that will pop the diff out of the environment and use it to comment on the pull request. References: - https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#multiline-strings - https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/using-conditions-to-control-job-execution - https://github.com/actions/github-script?tab=readme-ov-file#comment-on-an-issue - actions/github-script#247 (comment) - actions/github-script#220 (comment) Signed-off-by: Erik Skultety <[email protected]>
containerbuildsystem · Jan 6, 2025 · 83c92e9 · 83c92e9
1 parent 10144e7
commit 83c92e9
Showing 1 changed file with 76 additions and 0 deletions.
diff --git a/.github/workflows/dependabot-pipcompile.yml b/.github/workflows/dependabot-pipcompile.yml
@@ -0,0 +1,76 @@
+name: Pip-compile
+
+on:
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+    paths:
+      - requirements.txt
+      - requirements-extras.txt
+  workflow_dispatch:
+    inputs: {}
+
+# Need these permissions for the GITHUB_TOKEN to be able to post a comment to a PR
+permissions:
+  issues: write
+  pull-requests: write
+
+jobs:
+  versions-check:
+    runs-on: ubuntu-24.04
+    container:
+      image: python:3.9-alpine
+
+    steps:
+      # Need to install git before running the checkout action in a container
+      - name: Install dependencies
+        run: apk update && apk add --no-cache git
+
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install pip-tools
+        run: |
+          pip install --upgrade pip
+          pip install --no-cache-dir pip-tools
+
+        # This step uses multi-line string injection to GitHub environment [1]
+        # [1] https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#multiline-strings
+      - name: Run pip-compile to update requirements.txt
+        run: |
+          git config --global --add safe.directory "*"
+          pip-compile --generate-hashes --output-file=requirements.txt pyproject.toml
+          pip-compile \
+              --all-extras \
+              --allow-unsafe \
+              --generate-hashes \
+              --output-file=requirements-extras.txt \
+              pyproject.toml
+          {
+            echo 'GIT_DIFF<<EOF'
+            git diff -p
+            echo EOF
+          } >> "$GITHUB_ENV"
+
+      # Only comment on PRs when changes to requirements files are needed, based on:
+      #   - https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/using-conditions-to-control-job-execution
+      #   - https://github.com/actions/github-script?tab=readme-ov-file#comment-on-an-issue
+      #   - https://github.com/actions/github-script/issues/247#issuecomment-1079839739
+      #   - https://github.com/actions/github-script/issues/220#issuecomment-1007633429
+      - name: Comment on pull request
+        uses: actions/github-script@v7
+        if: env.GIT_DIFF != ''
+        env:
+          DIFF: "Changes to requirements files are needed. If you're experiencing CI test failures, please apply the following patch and update the pull request:\n```diff\n${{ env.GIT_DIFF }}\n```"
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: process.env.DIFF
+            })