Pin requirements on releases with a workflow (#548)

* workflows/pin-requirements: init Signed-off-by: Andrew Pan <a@tny.town> workflows/release: don't trigger pin on prerelease Signed-off-by: Andrew Pan <a@tny.town> workflows/pin-requirements: fetch pypi version Signed-off-by: Andrew Pan <a@tny.town> workflows/pin-requirements: use pypi version Signed-off-by: Andrew Pan <a@tny.town> workflows/pin-requirements: no release trigger Signed-off-by: Andrew Pan <a@tny.town> workflows/pin-requirements: tune perms workflows/pin-requirements: more perms issues Signed-off-by: Andrew Pan <a@tny.town> workflows/pin-requirements: punctuation Signed-off-by: Andrew Pan <a@tny.town> workflows/release: fix syntax Signed-off-by: Andrew Pan <a@tny.town> workflows/release: scope permissions per-job Signed-off-by: Andrew Pan <a@tny.town> * Apply suggestions from code review Co-authored-by: William Woodruff <william@yossarian.net> Signed-off-by: Andrew Pan <3821575+tnytown@users.noreply.github.com> * pin-requirements: suggestions from review Signed-off-by: Andrew Pan <a@tny.town> * workflows/{pin-requirements,release}: comments Signed-off-by: Andrew Pan <a@tny.town> * workflows/pin-requirements: use RUNNER_TEMP tmpdir Signed-off-by: Andrew Pan <a@tny.town> * workflows/pin-requirements: preserve wheel path Signed-off-by: Andrew Pan <a@tny.town> * dependabot: disable for hashed requirements file Signed-off-by: Andrew Pan <a@tny.town> * Implement suggestions from code review Signed-off-by: Andrew Pan <a@tny.town> * workflows/pin-requirements: no more input.tag Signed-off-by: Andrew Pan <a@tny.town> * Apply suggestions from code review Co-authored-by: William Woodruff <william@yossarian.net> Signed-off-by: Andrew Pan <3821575+tnytown@users.noreply.github.com> --------- Signed-off-by: Andrew Pan <a@tny.town> Signed-off-by: Andrew Pan <3821575+tnytown@users.noreply.github.com> Co-authored-by: William Woodruff <william@yossarian.net>
sigstore · Mar 15, 2023 · 07ffaaa · 07ffaaa
1 parent 37483bc
commit 07ffaaa
Show file tree

Hide file tree

Showing 3 changed files with 93 additions and 10 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,16 +1,6 @@
 version: 2
 
 updates:
-  - package-ecosystem: pip
-    directory: "/install"
-    schedule:
-      interval: daily
-    open-pull-requests-limit: 99
-    allow:
-    - dependency-type: direct
-    - dependency-type: indirect
-    rebase-strategy: "disabled"
-
   - package-ecosystem: pip
     directory: /
     schedule:

diff --git a/.github/workflows/pin-requirements.yml b/.github/workflows/pin-requirements.yml
@@ -0,0 +1,79 @@
+name: Pin Requirements
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: Tag to pin dependencies against.
+        required: true
+        type: string
+
+  workflow_call:
+    inputs:
+      tag:
+        description: Tag to pin dependencies against.
+        required: true
+        type: string
+
+permissions:
+  contents: read
+
+jobs:
+  update-pinned-requirements:
+    runs-on: ubuntu-latest
+
+    env:
+      SIGSTORE_RELEASE_TAG: ${{ inputs.tag }}
+
+    permissions:
+      pull-requests: write # Pull Request creation.
+      contents: write # Branch creation for PR.
+
+    steps:
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        with:
+          ref: main
+
+      - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435
+        with:
+          python-version-file: install/.python-version
+          cache: "pip"
+          cache-dependency-path: pyproject.toml
+
+      - run: pip install pip-tools
+
+      - name: Compute version from tag
+        run: |
+          echo "SIGSTORE_RELEASE_VERSION=$(echo "${SIGSTORE_RELEASE_TAG}" | sed 's/^v//')" >> "${GITHUB_ENV}"
+
+      - name: Download wheel from GitHub release
+        run: |
+          wheel_name="sigstore-${SIGSTORE_RELEASE_VERSION}-py3-none-any.whl"
+          wheel_url="https://github.com/sigstore/sigstore-python/releases/download/${env.SIGSTORE_RELEASE_TAG}/${wheel_name}"
+          wheel_path="${RUNNER_TEMP}/${wheel_name}"
+
+          curl -L "${wheel_url}" -o "${wheel_path}" 
+          echo "SIGSTORE_WHEEL_PATH=${wheel_path}" >> "${GITHUB_ENV}"
+      - name: Update requirements
+        run: |
+          cd install
+
+          # Pin on the downloaded wheel, as PyPI might not have updated yet.
+          echo "${SIGSTORE_WHEEL_PATH}" > requirements.in
+          pip-compile --allow-unsafe --generate-hashes --output-file=requirements.txt requirements.in
+
+          # Replace requirements.in. People should be able to run the `pip-compile` invocation provided in `requirements.txt`.
+          echo "sigstore==${SIGSTORE_RELEASE_VERSION}" > requirements.in
+
+      - name: Open pull request
+        id: pr
+        uses: peter-evans/create-pull-request@2b011faafdcbc9ceb11414d64d0573f37c774b04 # v4.2.3
+        with:
+          title: |
+            Update pinned requirements for ${SIGSTORE_RELEASE_TAG}
+          body: |
+            Pins dependencies for <https://github.com/sigstore/sigstore-python/releases/tag/${SIGSTORE_RELEASE_TAG}>.
+          commit-message: "[BOT] install: update pinned requirements"
+          branch: "pin-requirements/sigstore/${SIGSTORE_RELEASE_TAG}"
+          signoff: true
+          delete-branch: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -147,3 +147,17 @@ jobs:
           files: |
             built-packages/*
             smoketest-artifacts/*
+
+  # Trigger workflow to generate pinned requirements.txt.
+  pin-requirements:
+    permissions:
+      # Needed to create branch and pull request.
+      pull-requests: write
+      contents: write
+    # Workflow depends on uploaded release assets.
+    needs: [release-github]
+    # Only trigger workflow on full releases.
+    if: ${{ !github.event.release.prerelease }}
+    uses: ./.github/workflows/pin-requirements.yml
+    with:
+      tag: ${{ github.ref_name }}