Update dependency lock file #1
```yaml
name: Update dependency lock file

on:
  # Run every Monday at 08:00 UTC — picks up upstream patch / security
  # releases that land within the bounded ranges in requirements.txt.
  schedule:
    - cron: "0 8 * * 1"
  # Allow manual trigger from the Actions tab for ad-hoc refreshes.
  workflow_dispatch:

permissions:
  contents: write
  pull-requests: write

jobs:
  update-lock:
    name: Regenerate requirements-lock.txt
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.12"

      - name: Install pip-tools
        # Pin matches tests.yml lockfile job so lock generation and verification agree.
        run: python -m pip install 'pip-tools==7.5.3'

      - name: Regenerate lock file
        run: |
          pip-compile requirements.txt \
            --output-file requirements-lock.txt \
            --no-header \
            --annotation-style=line \
            --allow-unsafe \
            --upgrade

      - name: Prepend lock file header
        # pip-compile --no-header strips our docs header every run; restore via
        # heredoc (single-quoted HEADER=... would leave literal \n characters).
        run: |
          cat > /tmp/lock-header <<'EOF'
          # Pinned lock file — generated by pip-compile (pip-tools).
          # Install: pip install -r requirements-lock.txt
          # Update: pip-compile requirements.txt --output-file requirements-lock.txt --no-header --annotation-style=line --allow-unsafe --upgrade
          # Run periodically (e.g. via the "Update dependency lock file" CI workflow) to pick up
          # upstream patch / security releases within the bounded ranges in requirements.txt.
          EOF
          cat /tmp/lock-header requirements-lock.txt > /tmp/lock.tmp
          mv /tmp/lock.tmp requirements-lock.txt

      - name: Open PR if lock file changed
        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
        with:
          commit-message: "chore: update requirements-lock.txt"
          branch: "chore/update-lock-file"
          delete-branch: true
          title: "chore: update dependency lock file"
          body: |
            Automated weekly refresh of `requirements-lock.txt`.
            Generated by `pip-compile --upgrade` from the bounded specifiers
            in `requirements.txt` (must match `pyproject.toml` `[project.dependencies]`).
            **Dependabot pip PRs** may bump bounds in `requirements.txt` / `pyproject.toml`
            but do not regenerate this lock file — merge those first, then merge this PR
            (or run **Actions → Update dependency lock file → Run workflow**).
            Review the diff to confirm no unexpected major-version jumps before merging.
          labels: dependencies
```
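The workflow above only regenerates the lock file; the verification it refers to lives in a separate tests.yml job. As an added example (not part of this repository or of pip-tools), the POSIX shell check below does the reviewer-side sanity test a defender wants before merging the generated PR: every direct dependency in `requirements.txt` must be present in `requirements-lock.txt` as an exact `==` pin, and the lock must contain no unpinned entries. It assumes one PEP 508 requirement per line (no URLs, `-e` or `-r` lines) and the line-style annotations this workflow produces; the file names and function names are placeholders.

```shell
#!/bin/sh
# Added example (not the repository's own code): check that a committed
# requirements-lock.txt pins every direct dependency from requirements.txt.
# Assumes one PEP 508 requirement per line (no URLs, -e or -r lines).
set -eu

# Normalise a requirement or lock line to a bare package name: drop comments,
# environment markers, extras and version specifiers, then lower-case and map
# '_' and '.' to '-' (PEP 503 normalisation) so both files compare equal.
req_name() {
  printf '%s\n' "$1" \
    | sed -E 's/#.*//; s/;.*//; s/\[[^]]*]//; s/[<>=!~ ].*//' \
    | tr '[:upper:]' '[:lower:]' | tr '_.' '--'
}

# Print the normalised names of all non-empty, non-comment lines of a file.
names_in() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    req_name "$line"
  done <"$1"
}

# check_lock REQUIREMENTS LOCK: returns 0 if consistent, 1 with reasons otherwise.
check_lock() {
  req=$1; lock=$2; rc=0
  # 1. Every lock entry must be an exact == pin; a trailing line-style
  #    annotation such as "  # via -r requirements.txt" is allowed.
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    if ! printf '%s\n' "$line" | grep -qE '^[A-Za-z0-9][A-Za-z0-9._-]*==[^ ]+'; then
      echo "unpinned lock entry: $line"; rc=1
    fi
  done <"$lock"
  # 2. Every direct requirement must appear in the lock.
  locked=$(names_in "$lock")
  for name in $(names_in "$req"); do
    if ! printf '%s\n' "$locked" | grep -qx "$name"; then
      echo "missing from lock: $name"; rc=1
    fi
  done
  return $rc
}

# Usage: ./check_lock.sh requirements.txt requirements-lock.txt
if [ $# -eq 2 ]; then check_lock "$1" "$2"; fi
```

Transitive pins (such as `certifi` pulled in by `requests`) are allowed in the lock without appearing in `requirements.txt`; only the direction requirements → lock is enforced.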