Skip to content

CI: auto-regenerate service requirements.txt on Dependabot PRs#319

Merged
martsokha merged 1 commit into
mainfrom
ci/dependabot-regen
Jul 6, 2026
Merged

CI: auto-regenerate service requirements.txt on Dependabot PRs#319
martsokha merged 1 commit into
mainfrom
ci/dependabot-regen

Conversation

@martsokha

Copy link
Copy Markdown
Member

Summary

Fixes the recurring red CI on Python dependency bump PRs (e.g. #316) without switching off Dependabot.

Problem: Dependabot bumps `pyproject.toml` + `uv.lock` but has no hook to regenerate the per-service `requirements.txt` files. `py-build.yml`'s `gen_requirements.py --check` step then fails on every Python bump, requiring a manual follow-up commit to unstick the PR.

Fix: A new `Dependabot Regen` workflow that fires on Dependabot-authored PRs, regenerates `packages/*/requirements.txt`, and commits the diff back to the PR branch. Py Build's strict check stays, but the PR arrives already green.

Why not #310 (Renovate)?

Renovate isn't a native GitHub approach — it needs a self-hosted runner (for `postUpgradeTasks`), a GitHub App token, and a separate config file (`renovate.json`) replacing native `dependabot.yml`. This PR keeps native Dependabot untouched and adds one workflow file plus one PAT secret.

What's here

  • `.github/workflows/dependabot-regen.yml`: `pull_request` workflow gated on `pull_request.user.login == 'dependabot[bot]'`. Checks out the PR branch (via PAT), runs `uv sync --locked --all-packages`, runs `scripts/gen_requirements.py`, and commits + pushes if any `packages/*/requirements.txt` changed.

Why the PAT

Pushes signed by the built-in `GITHUB_TOKEN` do not trigger downstream workflows on the same PR. Without a PAT, `Py Build` would stay red on the PR even after regen lands. The PAT (`DEPENDABOT_REGEN_PAT`, contents:write on this repo) is owned by the `nvisybot` service account.

Trust surface

  • One new workflow, ~80 lines.
  • One repo secret (already configured).
  • The workflow only runs on PRs whose author is `dependabot[bot]`. A human pushing to a Dependabot branch doesn't retrigger regen — manual overrides are preserved.
  • The guard is on `pull_request.user.login` rather than `github.actor`, so a maintainer rebasing a Dependabot PR still fires regen (rebases don't change the PR author).

Test plan

Related

🤖 Generated with Claude Code

Dependabot bumps `pyproject.toml` + `uv.lock` but doesn't
regenerate the per-service `requirements.txt` files, which
`py-build.yml` checks strictly. Every Python bump PR therefore
fails CI until a maintainer runs `gen_requirements.py` locally
and pushes a follow-up commit.

Adds a `pull_request` workflow that:

- Fires on Dependabot-authored PRs touching `pyproject.toml`,
  `uv.lock`, or any `packages/**/pyproject.toml`.
- Runs `scripts/gen_requirements.py` inside the checkout.
- Commits + pushes changed `packages/*/requirements.txt` back
  onto the PR branch.

The push uses `DEPENDABOT_REGEN_PAT` — a fine-grained PAT owned
by the `nvisybot` service account with `contents:write` on this
repo — instead of the built-in `GITHUB_TOKEN`, because a push
signed by the workflow token does not trigger downstream
workflows on the same PR. With the PAT, `Py Build` reruns after
regen and the PR arrives green.

The guard is on `pull_request.user.login` rather than
`github.actor`, so a maintainer rebasing a Dependabot PR still
triggers regen.
@martsokha martsokha added the chore maintenance, dependency updates, code cleanup label Jul 6, 2026
@martsokha martsokha self-assigned this Jul 6, 2026
@martsokha martsokha merged commit 615068f into main Jul 6, 2026
@martsokha martsokha deleted the ci/dependabot-regen branch July 6, 2026 23:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

chore maintenance, dependency updates, code cleanup

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant