---
# Regenerates the hash-pinned install requirements for a sigstore release tag.
name: Pin Requirements

on:
  # Manual run; `tag` is optional.
  workflow_dispatch:
    inputs:
      tag:
        description: 'Tag to pin dependencies against.'
        required: false
        type: string
  # Reusable-workflow entry point; accepts the same optional `tag` input.
  workflow_call:
    inputs:
      tag:
        description: 'Tag to pin dependencies against.'
        required: false
        type: string

# Workflow-wide default token scope. Jobs that need to write declare their
# own `permissions` block.
permissions:
  contents: read
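jobs:
  # Resolves the tag to pin against, regenerates install/requirements.txt with
  # hashes, and force-pushes the result to a per-tag branch.
  update-pinned-requirements:
    runs-on: ubuntu-latest
    permissions:
      contents: write # Branch creation for PR.
    outputs:
      sigstore-release-tag: ${{ steps.get-branch.outputs.sigstore-release-tag }}
      sigstore-pin-requirements-branch: ${{ steps.get-branch.outputs.sigstore-pin-requirements-branch }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: main
          # NOTE: Needed for `git describe` below.
          fetch-depth: 0
          fetch-tags: true
          # NOTE: Needed to push back to the repo.
          # The write-scoped token stays in the local git configuration, so
          # every later step in this job (including pip) can read it.
          persist-credentials: true

      - name: Get latest tag
        run: |
          latest_tag=$(git describe --tags --abbrev=0)
          echo "LATEST_TAG=${latest_tag}" >> "${GITHUB_ENV}"

      - name: Set SIGSTORE_RELEASE_TAG and SIGSTORE_NEW_BRANCH
        id: get-branch
        env:
          # Passed through the environment rather than expanded inline, so the
          # input is never interpolated into the script text.
          INPUT_TAG: "${{ inputs.tag }}"
        run: |
          if [[ -n "${INPUT_TAG}" ]]; then
            effective_tag="${INPUT_TAG}"
          else
            effective_tag="${LATEST_TAG}"
          fi

          # The tag ends up in GITHUB_ENV / GITHUB_OUTPUT (one NAME=value per
          # line), in a branch name, and in requirements.in. Reject anything
          # outside a conservative character set so that a value containing
          # newlines or whitespace cannot add extra entries to those files.
          tag_pattern='^[A-Za-z0-9][A-Za-z0-9._+-]*$'
          if [[ ! "${effective_tag}" =~ ${tag_pattern} ]]; then
            # The rejected value is deliberately not echoed back into the log.
            echo "::error::tag must match ${tag_pattern}"
            exit 1
          fi

          # Environment
          echo "SIGSTORE_RELEASE_TAG=${effective_tag}" >> "${GITHUB_ENV}"
          echo "SIGSTORE_NEW_BRANCH=pin-requirements/sigstore/${effective_tag}" >> "${GITHUB_ENV}"

          # Outputs
          echo "sigstore-release-tag=${effective_tag}" >> "${GITHUB_OUTPUT}"
          echo "sigstore-pin-requirements-branch=pin-requirements/sigstore/${effective_tag}" >> "${GITHUB_OUTPUT}"

      - name: Configure git
        run: |
          # Set up committer info.
          # https://github.com/orgs/community/discussions/26560
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git config user.name "github-actions[bot]"

      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
        with:
          python-version-file: install/.python-version
          cache: "pip"
          cache-dependency-path: pyproject.toml

      # NOTE(review): pip-tools is installed unpinned and without hashes in a
      # job that holds a `contents: write` token. Consider pinning it to a
      # reviewed version (ideally with --require-hashes).
      - run: pip install pip-tools

      - name: Compute version from tag
        run: |
          # Strip a single leading "v" (tag "vX.Y.Z" -> version "X.Y.Z").
          echo "SIGSTORE_RELEASE_VERSION=${SIGSTORE_RELEASE_TAG#v}" >> "${GITHUB_ENV}"

      - name: Update requirements
        run: |
          cd install

          echo "sigstore==${SIGSTORE_RELEASE_VERSION}" > requirements.in
          pip-compile --allow-unsafe --generate-hashes --upgrade --output-file=requirements.txt requirements.in

      - name: Commit changes and push to branch
        run: |
          git commit --all -s -m "[BOT] install: update pinned requirements"
          # Force-push: the per-tag branch is bot-owned and is overwritten on
          # every run.
          git push -f origin "main:${SIGSTORE_NEW_BRANCH}"

  # Runs the requirements checks against the freshly pushed branch.
  test-requirements:
    needs: update-pinned-requirements
    uses: ./.github/workflows/requirements.yml
    with:
      # We can't use `env` variables in this context.
      # https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability
      ref: ${{ needs.update-pinned-requirements.outputs.sigstore-pin-requirements-branch }}

  # Opens the pull request once the pinned requirements have passed testing.
  create-pr:
    needs:
      - update-pinned-requirements
      - test-requirements
    runs-on: ubuntu-latest
    permissions:
      contents: write # Pull Request branch modification.
      pull-requests: write # Pull Request creation.
    env:
      SIGSTORE_RELEASE_TAG: ${{ needs.update-pinned-requirements.outputs.sigstore-release-tag }}
      SIGSTORE_PIN_REQUIREMENTS_BRANCH: ${{ needs.update-pinned-requirements.outputs.sigstore-pin-requirements-branch }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ env.SIGSTORE_PIN_REQUIREMENTS_BRANCH }}
          # NOTE: Needed to push back to the repo.
          persist-credentials: true

      - name: Reset remote PR branch
        run: |
          # Point the remote branch back at main; the local checkout still
          # holds the pinning commit that the next step turns into a PR.
          git fetch origin main
          git push -f origin "origin/main:${SIGSTORE_PIN_REQUIREMENTS_BRANCH}"

      - name: Open pull request
        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
        with:
          title: |
            Update pinned requirements for ${{ env.SIGSTORE_RELEASE_TAG }}
          body: |
            Pins dependencies for <https://github.com/sigstore/sigstore-python/releases/tag/${{ env.SIGSTORE_RELEASE_TAG }}>.
          base: main
          branch: ${{ env.SIGSTORE_PIN_REQUIREMENTS_BRANCH }}
          delete-branch: true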