Update Pinned Tool Versions #2
# We use this workflow (instead of Renovate) because Renovate requires installing a GitHub App,
# while this repository prefers a built-in scheduled updater with no additional app installation.
name: Update Pinned Tool Versions

on:
  schedule:
    - cron: '19 4 * * 1'
  workflow_dispatch:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Default to no token scopes; the single job below requests only what it needs.
permissions: {}

jobs:
  update-versions:
    name: Update pinned tool versions
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
        with:
          disable-sudo-and-containers: true
          # Block all egress except the hosts the pin updater and uv actually need.
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            release-assets.githubusercontent.com:443
            files.pythonhosted.org:443

      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Do not leave the token in .git/config; the push step wires it in explicitly.
          persist-credentials: false

      - name: Set up uv
        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1

      - name: Update versions manifest and hooks
        id: update
        env:
          GH_TOKEN: ${{ github.token }}
        # The script reports its result by writing changed=true|false to the file passed as $1.
        run: uv run --project .github/tools --group prek ./.github/scripts/update-tool-versions.sh "${GITHUB_OUTPUT}"

      - name: Create or update pull request
        if: ${{ steps.update.outputs.changed == 'true' }}
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          BRANCH="ci/update-pinned-tool-versions"
          TITLE="ci: update pinned tool versions"
          BODY=$(cat <<'BODY_EOF'
          Automated update of pinned tool versions in:
          - `.github/tools/versions.json`
          - `prek.toml` (`minimum_prek_version` synced from `.github/tools/pyproject.toml`)
          - `prek.toml` (`defusedxml` pin synced from `.github/tools/pyproject.toml`)
          - `prek.toml` (via `prek auto-update --freeze`)
          This keeps workflow binaries and hook revisions current.
          BODY_EOF
          )
          # Configure git for commit and push. persist-credentials is off on the checkout,
          # so gh installs a credential helper that supplies GH_TOKEN for github.com.
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          gh auth setup-git
          git checkout -B "${BRANCH}"
          git add -A
          git commit -m "${TITLE}"
          # The shallow checkout fetched only the triggering ref, so there is no
          # refs/remotes/origin/<branch> for --force-with-lease to compare against. Without
          # one, the lease requires the remote branch to be absent and every push after the
          # first is rejected as "stale info". Fetch the branch into the remote-tracking ref
          # first; on the very first run it does not exist yet, which is fine.
          git fetch --depth=1 origin "+refs/heads/${BRANCH}:refs/remotes/origin/${BRANCH}" || true
          git push -u origin "${BRANCH}" --force-with-lease
          # Update existing PR or create a new one. Note that pull requests opened with the
          # job's GITHUB_TOKEN do not trigger other workflows (for example pull_request CI);
          # use a GitHub App token or a PAT if the PR must run the repository's checks.
          if gh pr view "${BRANCH}" --json state -q '.state' 2>/dev/null | grep -q "OPEN"; then
            gh pr edit "${BRANCH}" --title "${TITLE}" --body "${BODY}"
          else
            gh pr create --base main --head "${BRANCH}" --title "${TITLE}" --body "${BODY}"
          fi
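The script the workflow invokes, `./.github/scripts/update-tool-versions.sh`, is not on this page. The following is an added example written for this page, not the project's own script, that shows the two contracts the workflow above depends on: an action pin of the form `owner/repo@<40-hex sha> # <tag>` whose sha and tag comment must move together (a tag or branch name is a mutable pin and is refused), and the single `changed=true|false` line appended to the file passed as `$1`, which the workflow supplies as `${GITHUB_OUTPUT}` and reads back as `steps.update.outputs.changed`. The function names, the pin format and the replacement sha in the demo are assumptions made for the example; the sample workflow fragment is constructed, not a file from the repository.

```shell
#!/bin/sh
# Added example, hypothetical stand-in for .github/scripts/update-tool-versions.sh.
set -eu

# Rewrite every "uses: $repo@<sha> # <tag>" line in $file to $new_sha / $new_tag.
# Prints 1 when the file changed, 0 when it was already current. Anything that is
# not a full commit sha is refused: a tag or branch is a mutable pin and defeats
# the point of sha pinning.
update_pin() {
  file="$1"; repo="$2"; new_sha="$3"; new_tag="$4"
  if ! printf '%s' "$new_sha" | grep -Eq '^[0-9a-f]{40}$'; then
    echo "refusing mutable pin for $repo: $new_sha" >&2
    return 2
  fi
  repo_re=$(printf '%s' "$repo" | sed 's/\./\\./g')   # escape '.' for the ERE below
  tmp="${file}.tmp"
  # Group 1 keeps "uses: owner/repo", group 2 keeps the spacing around '#'; the sha and
  # the tag comment are replaced in one edit so they can never drift apart.
  sed -E "s|(uses: ${repo_re})@[0-9a-f]{40}( *# *)[^ ]+|\1@${new_sha}\2${new_tag}|" "$file" > "$tmp"
  if cmp -s "$file" "$tmp"; then
    rm -f "$tmp"; echo 0
  else
    mv "$tmp" "$file"; echo 1
  fi
}

# Record the step output the workflow's `if:` condition reads.
write_changed() {
  output_file="$1"; changed_count="$2"
  if [ "$changed_count" -gt 0 ]; then
    echo "changed=true" >> "$output_file"
  else
    echo "changed=false" >> "$output_file"
  fi
}

# Stand-alone run on a constructed workflow fragment. The "new" checkout sha is made up
# for the demonstration; the setup-uv pin is re-applied unchanged to show the no-op path.
main() {
  work=$(mktemp -d)
  cat > "$work/ci.yml" <<'EOF'
steps:
  - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
  - uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
EOF
  n=0
  n=$((n + $(update_pin "$work/ci.yml" actions/checkout 0123456789abcdef0123456789abcdef01234567 v6.1.0)))
  n=$((n + $(update_pin "$work/ci.yml" astral-sh/setup-uv 5a095e7a2014a4212f075830d4f7277575a9d098 v7.3.1)))
  write_changed "$work/out" "$n"   # in the workflow this file is "${GITHUB_OUTPUT}"
  cat "$work/ci.yml" "$work/out"
  rm -rf "$work"
}

main "$@"
```

Running it prints the rewritten fragment with the checkout pin moved to the new sha and tag, the setup-uv line untouched, and a final `changed=true`; a second pass over the same file would report 0 for both pins and write `changed=false`, which is what lets the workflow skip the pull-request step when nothing moved.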