Update Deps #173
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This is a workflow for updating Python dependencies with Poetry. | |
# Major version updates are handled separately, by Dependabot. | |
# It will also update the pre-commit hooks to use latest tags. | |
--- | |
name: Update Deps | |
on: | |
workflow_dispatch: | |
# Run every Monday at 1435 UTC | |
schedule: | |
- cron: '35 14 * * 1' | |
jobs: | |
workflow-auto-updates: | |
name: Update dependencies and hooks | |
runs-on: ubuntu-latest | |
env: | |
PYTHON_VERSION: "3.13" | |
POETRY_VERSION: "1.8.5" | |
defaults: | |
run: | |
shell: bash | |
steps: | |
- name: Checkout the repo | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
# This GPG key is for the `phylum-bot` account and used in order to ensure commits are signed/verified | |
- name: Import GPG key for bot account | |
uses: crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5 # v6.2.0 | |
with: | |
gpg_private_key: ${{ secrets.PHYLUM_BOT_GPG_PRIVATE_KEY }} | |
passphrase: ${{ secrets.PHYLUM_BOT_GPG_PASSPHRASE }} | |
git_user_signingkey: true | |
git_commit_gpgsign: true | |
- name: Install poetry | |
run: pipx install poetry==${{ env.POETRY_VERSION }} | |
- name: Configure poetry | |
run: poetry config virtualenvs.in-project true | |
- name: Set up Python | |
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 | |
with: | |
python-version: ${{ env.PYTHON_VERSION }} | |
cache: 'poetry' | |
- name: Install the project with poetry | |
run: | | |
poetry env use python${{ env.PYTHON_VERSION }} | |
poetry check --lock | |
poetry lock --no-update --no-cache | |
poetry install --verbose --no-root --sync --with qa | |
# Update hooks before dependencies because otherwise `pre-commit` may be updated and used before it can be trusted | |
# | |
# NOTE: Specific repos are specified for update since the autoupdated/frozen version here may not always be the | |
# latest version. This is the case for `poetry`, which has described the limitations of `pre-commit` here: | |
# https://python-poetry.org/docs/pre-commit-hooks/#why-does-pre-commit-autoupdate-not-update-to-the-latest-version | |
- name: Update pre-commit hooks | |
run: | | |
poetry run pre-commit autoupdate --freeze \ | |
--repo https://github.com/pre-commit/pre-commit-hooks \ | |
--repo https://github.com/psf/black \ | |
--repo https://github.com/charliermarsh/ruff-pre-commit \ | |
--repo https://github.com/dosisod/refurb \ | |
--repo https://github.com/jendrikseipp/vulture \ | |
--repo https://github.com/adrienverge/yamllint | |
- name: Update Python dependencies | |
run: | | |
poetry update -vv --lock --no-cache | |
poetry check --lock | |
- name: Commit changes | |
id: commit | |
continue-on-error: true | |
# NOTE: The git user name and email used for commits is already configured, | |
# by the crazy-max/ghaction-import-gpg action. | |
run: | | |
git commit -a -m "build: bump \`poetry.lock\` dependencies and \`pre-commit\` hooks" | |
git push --force origin HEAD:workflow-auto-updates | |
- name: Create Pull Request | |
if: ${{ steps.commit.outcome == 'success' }} | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
with: | |
# This PAT is for the `phylum-bot` account and only has the `public_repo` scope to limit privileges. | |
github-token: ${{ secrets.GH_RELEASE_PAT }} | |
script: | | |
const response = await github.rest.pulls.create({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
head: "workflow-auto-updates", | |
base: context.ref, | |
title: "build: bump `poetry.lock` dependencies and `pre-commit` hooks", | |
body: "Bump dependencies in `poetry.lock` and hooks in `.pre-commit-config.yaml`.", | |
}); | |
console.log(response); |