
Pin Requirements

Pin Requirements #16

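# Pins install/requirements.txt to a sigstore release.
# Job 1 regenerates the hashed requirements and pushes them to a work branch,
# job 2 runs the requirements workflow against that branch, and job 3 opens
# the pull request.
name: Pin Requirements

on:
  workflow_dispatch:
    inputs:
      tag:
        description: Tag to pin dependencies against.
        required: false
        type: string

  workflow_call:
    inputs:
      tag:
        description: Tag to pin dependencies against.
        required: false
        type: string

# Read-only by default; each job below widens only what it needs.
permissions:
  contents: read

jobs:
  update-pinned-requirements:
    runs-on: ubuntu-latest
    permissions:
      contents: write # Branch creation for PR.
    # Values appended to $GITHUB_ENV exist only inside the job that wrote
    # them, so the resolved tag and branch are exported as job outputs for
    # the jobs that run afterwards.
    outputs:
      sigstore-release-tag: ${{ steps.resolve.outputs.sigstore-release-tag }}
      sigstore-new-branch: ${{ steps.resolve.outputs.sigstore-new-branch }}
    steps:
      # NOTE(review): confirm the trailing version comment still matches the
      # pinned SHA.
      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.3.0
        with:
          ref: main
          # NOTE: Needed for `git describe` below.
          # NOTE(review): `git describe` walks history from HEAD; with the
          # default shallow checkout it may not reach a tagged commit.
          # Confirm whether `fetch-depth: 0` is also needed.
          fetch-tags: true

      - name: Get latest tag
        run: |
          latest_tag=$(git describe --tags --abbrev=0)
          [[ -z "${latest_tag}" ]] && exit 1
          echo "LATEST_TAG=${latest_tag}" >> "$GITHUB_ENV"

      - name: Set SIGSTORE_RELEASE_TAG and SIGSTORE_NEW_BRANCH
        id: resolve
        env:
          # Passed through the environment rather than interpolated into the
          # script, so the input cannot change the shell commands.
          INPUT_TAG: "${{ inputs.tag }}"
        run: |
          # An explicit input wins; otherwise fall back to the latest tag.
          release_tag="${INPUT_TAG:-${LATEST_TAG}}"

          # The tag is appended to $GITHUB_ENV (one KEY=value per line) and
          # becomes part of a branch name that is force-pushed with a write
          # token. Refuse anything that is not a valid ref name: that rules
          # out control characters (including newlines), whitespace and `..`.
          if ! git check-ref-format "refs/tags/${release_tag}"; then
            echo "::error::release tag is not a valid ref name" >&2
            exit 1
          fi

          new_branch="pin-requirements/sigstore/${release_tag}"
          {
            echo "SIGSTORE_RELEASE_TAG=${release_tag}"
            echo "SIGSTORE_NEW_BRANCH=${new_branch}"
          } >> "$GITHUB_ENV"
          {
            echo "sigstore-release-tag=${release_tag}"
            echo "sigstore-new-branch=${new_branch}"
          } >> "$GITHUB_OUTPUT"

      - name: Configure git
        run: |
          # Set up committer info.
          # https://github.com/orgs/community/discussions/26560
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git config user.name "github-actions[bot]"

      # NOTE(review): this pin has no version comment; record the release it
      # corresponds to so updates can be reviewed.
      - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1
        with:
          python-version-file: install/.python-version
          cache: "pip"
          cache-dependency-path: pyproject.toml

      # NOTE(review): pip-tools is installed unpinned and without hashes in a
      # job that holds a `contents: write` token and generates the hashed
      # requirements file; consider pinning it.
      - run: pip install pip-tools

      - name: Compute version from tag
        run: |
          echo "SIGSTORE_RELEASE_VERSION=$(echo "${SIGSTORE_RELEASE_TAG}" | sed 's/^v//')" >> "${GITHUB_ENV}"

      - name: Update requirements
        run: |
          cd install
          echo "sigstore==${SIGSTORE_RELEASE_VERSION}" > requirements.in
          pip-compile --allow-unsafe --generate-hashes --upgrade --output-file=requirements.txt requirements.in

      - name: Commit changes and push to branch
        run: |
          git commit --all -s -m "[BOT] install: update pinned requirements"
          git push -f origin "main:${SIGSTORE_NEW_BRANCH}"

  test-requirements:
    needs: update-pinned-requirements
    uses: ./.github/workflows/requirements.yml
    with:
      # We can't use `env` variables in this context.
      # https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability
      # The job output carries the branch that was actually pushed, which
      # also covers runs where `inputs.tag` is empty and the latest tag is
      # used instead.
      ref: ${{ needs.update-pinned-requirements.outputs.sigstore-new-branch }}

  create-pr:
    # `needs.<job>.outputs` is only populated for jobs listed here, so the
    # first job is named directly alongside the test job that gates the PR.
    needs: [update-pinned-requirements, test-requirements]
    runs-on: ubuntu-latest
    permissions:
      contents: write # Pull Request branch modification.
      pull-requests: write # Pull Request creation.
    # Re-establish the values for this job; the $GITHUB_ENV entries written
    # by update-pinned-requirements are not visible here.
    env:
      SIGSTORE_RELEASE_TAG: ${{ needs.update-pinned-requirements.outputs.sigstore-release-tag }}
      SIGSTORE_NEW_BRANCH: ${{ needs.update-pinned-requirements.outputs.sigstore-new-branch }}
    steps:
      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.3.0
        with:
          ref: ${{ env.SIGSTORE_NEW_BRANCH }}

      - name: Reset remote PR branch
        run: |
          git fetch origin main
          git push -f origin "origin/main:${SIGSTORE_NEW_BRANCH}"

      - name: Open pull request
        uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
        with:
          title: |
            Update pinned requirements for ${{ env.SIGSTORE_RELEASE_TAG }}
          body: |
            Pins dependencies for <https://github.com/sigstore/sigstore-python/releases/tag/${{ env.SIGSTORE_RELEASE_TAG }}>.
          base: main
          branch: ${{ env.SIGSTORE_NEW_BRANCH }}
          delete-branch: true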