From 83c92e9963c0c4f52af616639c5a1cffbb7fce43 Mon Sep 17 00:00:00 2001 
From: Erik Skultety Date: Mon, 25 Nov 2024 12:56:30 +0100 Subject: [PATCH] .github: workflows: Introduce a new dependabot pip-compile workflow This workflow is a direct consequence of the asynchronous release schedule of pydantic and pydantic core and the fact that pydantic is always pinned to a particular pydantic-core version. Dependabot doesn't see these transitive relations and so can't properly update the versions in this case (it always assumes the latest for every dependency). This will naturally lead to broken CI making these version updates impossible to merge. Since our project directly only cares about pydantic and not pydantic-core, we can ignore pydantic-core updates (future patch) and run a dedicated workflow on every dependabot pull request that would check whether any additional changes (i.e. transitive dependency version locks) to our requirements files are needed. If so, then the GitHub actions bot will comment on the pull request that a change to these files is needed and will provide a patch to the reviewer to apply and update the pull request. The workflow is only executed when changes to the requirements files are proposed (realistically only by dependabot). Note that it's not possible to specify the source branch as the workflow trigger, only the target branch, and so that could not have been used as a better filter for dependabot-proposed pull requests specifically. It is run using a Python Alpine docker image, saves the git diff produced by pip-compile to the default github actions environment followed by a github script action that will pop the diff out of the environment and use it to comment on the pull request. 
References: - https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#multiline-strings - https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/using-conditions-to-control-job-execution - https://github.com/actions/github-script?tab=readme-ov-file#comment-on-an-issue - https://github.com/actions/github-script/issues/247#issuecomment-1079839739 - https://github.com/actions/github-script/issues/220#issuecomment-1007633429 Signed-off-by: Erik Skultety --- .github/workflows/dependabot-pipcompile.yml | 76 +++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 .github/workflows/dependabot-pipcompile.yml diff --git a/.github/workflows/dependabot-pipcompile.yml b/.github/workflows/dependabot-pipcompile.yml new file mode 100644 index 000000000..282b2678e --- /dev/null +++ b/.github/workflows/dependabot-pipcompile.yml 
@@ -0,0 +1,76 @@ +name: Pip-compile + +on: + pull_request: + types: + - opened + - reopened + - synchronize + paths: + - requirements.txt + - requirements-extras.txt + workflow_dispatch: + inputs: {} + +# Need these permissions for the GITHUB_TOKEN to be able to post a comment to a PR +permissions: + issues: write + pull-requests: write + +jobs: + versions-check: + runs-on: ubuntu-24.04 + container: + image: python:3.9-alpine + + steps: + # Need to install git before running the checkout action in a container + - name: Install dependencies + run: apk update && apk add --no-cache git + + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Install pip-tools + run: | + pip install --upgrade pip + pip install --no-cache-dir pip-tools + + # This step uses multi-line string injection to GitHub environment [1] + # [1] https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#multiline-strings + - name: Run pip-compile to update requirements.txt + run: | + git config --global --add safe.directory "*" + pip-compile --generate-hashes --output-file=requirements.txt pyproject.toml + pip-compile \ + --all-extras \ + --allow-unsafe \ + --generate-hashes \ + --output-file=requirements-extras.txt \ + pyproject.toml + { + echo 'GIT_DIFF<> "$GITHUB_ENV" + + # Only comment on PRs when changes to requirements files are needed, based on: + # - https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/using-conditions-to-control-job-execution + # - https://github.com/actions/github-script?tab=readme-ov-file#comment-on-an-issue + # - https://github.com/actions/github-script/issues/247#issuecomment-1079839739 + # - https://github.com/actions/github-script/issues/220#issuecomment-1007633429 + - name: Comment on pull request + uses: actions/github-script@v7 + if: env.GIT_DIFF != '' + env: + DIFF: "Changes to requirements files are needed. 
If you're experiencing CI test failures, please apply the following patch and update the pull request:\n```diff\n${{ env.GIT_DIFF }}\n```" + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: process.env.DIFF + })
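Review bot: The write-scoped token is exposed to more of this job than needs it: the workflow-level `permissions` block grants `issues: write` and `pull-requests: write` to every step, `actions/checkout@v4` keeps that token in the checkout's git config by default, and the later steps install unpinned `pip`/`pip-tools` and run `pip-compile` on the pull request's `pyproject.toml`, which can involve running package build backends. Adding `persist-credentials: false` under the checkout step's `with:` keeps the token away from those steps; only the `Comment on pull request` step uses it, and it already receives it through `github-token`. The heredoc that writes `GIT_DIFF` to `$GITHUB_ENV` is truncated in this rendering; if its delimiter is a fixed word, a diff line equal to it would end the value early and let the following lines set other environment variables, so a delimiter generated per run is safer. The comment step's condition could also be `if: github.event_name == 'pull_request' && env.GIT_DIFF != ''`, since a `workflow_dispatch` run has no pull request for `context.issue.number` to resolve.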