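# Regenerates the hash-pinned install/requirements.txt for a sigstore release
# tag, pushes the result to a `pin-requirements/sigstore/<tag>` branch, runs
# the requirements workflow against that branch, and then opens a pull request.
name: Pin Requirements

on:
  workflow_dispatch:
    inputs:
      tag:
        description: Tag to pin dependencies against.
        required: false
        type: string

  workflow_call:
    inputs:
      tag:
        description: Tag to pin dependencies against.
        required: false
        type: string

# Read-only by default; each job below widens only the scopes it needs.
permissions:
  contents: read

jobs:
  update-pinned-requirements:
    runs-on: ubuntu-latest
    permissions:
      contents: write # Branch creation for PR.
    # Values appended to $GITHUB_ENV are visible only to later steps of the
    # *same* job. The resolved tag and branch are therefore also exported as
    # job outputs so that `test-requirements` and `create-pr` can read them.
    outputs:
      release-tag: ${{ steps.release.outputs.release-tag }}
      new-branch: ${{ steps.release.outputs.new-branch }}
    steps:
      # NOTE(review): the commit SHA is what actually runs; confirm that the
      # trailing version comment still matches the pinned commit.
      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.3.0
        with:
          ref: main
          # NOTE: Needed for `git describe` below.
          fetch-tags: true

      - name: Get latest tag
        run: |
          latest_tag=$(git describe --tags --abbrev=0)
          [[ -z "${latest_tag}" ]] && exit 1
          echo "LATEST_TAG=${latest_tag}" >> "$GITHUB_ENV"

      - name: Set SIGSTORE_RELEASE_TAG and SIGSTORE_NEW_BRANCH
        id: release
        env:
          # The input reaches the script through an environment variable and
          # is never interpolated into the script text, so it cannot be parsed
          # as shell code.
          INPUT_TAG: "${{ inputs.tag }}"
        run: |
          # Prefer the caller-supplied tag; fall back to the latest repo tag.
          release_tag="${INPUT_TAG:-${LATEST_TAG}}"

          # The tag is written to $GITHUB_ENV / $GITHUB_OUTPUT, used in a
          # branch name and placed in requirements.in. Reject anything outside
          # a conservative allow-list so that newlines or whitespace cannot
          # add extra lines to those files. Widen the pattern deliberately if
          # release tags ever use other characters.
          tag_re='^[A-Za-z0-9][A-Za-z0-9._+-]*$'
          if ! [[ "${release_tag}" =~ ${tag_re} ]]; then
            echo "::error::refusing to use a tag with unexpected characters"
            exit 1
          fi

          new_branch="pin-requirements/sigstore/${release_tag}"

          # For the remaining steps of this job.
          {
            echo "SIGSTORE_RELEASE_TAG=${release_tag}"
            echo "SIGSTORE_NEW_BRANCH=${new_branch}"
          } >> "$GITHUB_ENV"

          # For the downstream jobs (see `outputs` above).
          {
            echo "release-tag=${release_tag}"
            echo "new-branch=${new_branch}"
          } >> "$GITHUB_OUTPUT"

      - name: Configure git
        run: |
          # Set up committer info.
          # https://github.com/orgs/community/discussions/26560
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git config user.name "github-actions[bot]"

      # NOTE(review): pinned by commit SHA but without a version comment;
      # add one so that reviewers can tell which release this is.
      - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1
        with:
          python-version-file: install/.python-version
          cache: "pip"
          cache-dependency-path: pyproject.toml

      # NOTE(review): pip-tools is installed unpinned and without hashes in a
      # job that holds `contents: write` and produces the pinned lockfile.
      # Consider installing it from a hash-pinned requirements file as well.
      - run: pip install pip-tools

      - name: Compute version from tag
        run: |
          echo "SIGSTORE_RELEASE_VERSION=$(echo "${SIGSTORE_RELEASE_TAG}" | sed 's/^v//')" >> "${GITHUB_ENV}"

      - name: Update requirements
        run: |
          cd install
          echo "sigstore==${SIGSTORE_RELEASE_VERSION}" > requirements.in
          # --generate-hashes records a hash for every pinned distribution so
          # that installs can run in pip's hash-checking mode; --allow-unsafe
          # additionally pins packages pip-tools would otherwise leave out
          # (such as pip and setuptools).
          pip-compile --allow-unsafe --generate-hashes --upgrade --output-file=requirements.txt requirements.in

      - name: Commit changes and push to branch
        run: |
          git commit --all -s -m "[BOT] install: update pinned requirements"
          # Force-push: a re-run for the same tag replaces the earlier branch.
          git push -f origin "main:${SIGSTORE_NEW_BRANCH}"

  test-requirements:
    needs: update-pinned-requirements
    uses: ./.github/workflows/requirements.yml
    with:
      # We can't use `env` variables in this context.
      # https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability
      # Use the branch the previous job actually pushed. Building the name
      # from `inputs.tag` yields a branch that does not exist whenever the
      # input is omitted and the latest tag was used instead.
      ref: "${{ needs.update-pinned-requirements.outputs.new-branch }}"

  create-pr:
    # `update-pinned-requirements` is listed explicitly so that its outputs
    # are reachable through the `needs` context.
    needs: [update-pinned-requirements, test-requirements]
    runs-on: ubuntu-latest
    permissions:
      contents: write # Pull Request branch modification.
      pull-requests: write # Pull Request creation.
    # $GITHUB_ENV entries from the first job do not carry over to this one;
    # repopulate the two variables that the steps below read.
    env:
      SIGSTORE_RELEASE_TAG: "${{ needs.update-pinned-requirements.outputs.release-tag }}"
      SIGSTORE_NEW_BRANCH: "${{ needs.update-pinned-requirements.outputs.new-branch }}"
    steps:
      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.3.0
        with:
          ref: ${{ env.SIGSTORE_NEW_BRANCH }}

      - name: Reset remote PR branch
        run: |
          # Points the remote PR branch back at origin/main; the local
          # checkout still holds the pinned-requirements commit.
          git fetch origin main
          git push -f origin "origin/main:${SIGSTORE_NEW_BRANCH}"

      - name: Open pull request
        uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
        with:
          title: |
            Update pinned requirements for ${{ env.SIGSTORE_RELEASE_TAG }}
          body: |
            Pins dependencies for <https://github.com/sigstore/sigstore-python/releases/tag/${{ env.SIGSTORE_RELEASE_TAG }}>.
          base: main
          branch: ${{ env.SIGSTORE_NEW_BRANCH }}
          delete-branch: true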