CI: auto-regenerate service requirements.txt on Dependabot PRs#319
Merged
Conversation
Dependabot bumps `pyproject.toml` + `uv.lock` but doesn't regenerate the per-service `requirements.txt` files, which `py-build.yml` checks strictly. Every Python bump PR therefore fails CI until a maintainer runs `gen_requirements.py` locally and pushes a follow-up commit. Adds a `pull_request` workflow that: - Fires on Dependabot-authored PRs touching `pyproject.toml`, `uv.lock`, or any `packages/**/pyproject.toml`. - Runs `scripts/gen_requirements.py` inside the checkout. - Commits + pushes changed `packages/*/requirements.txt` back onto the PR branch. The push uses `DEPENDABOT_REGEN_PAT` — a fine-grained PAT owned by the `nvisybot` service account with `contents:write` on this repo — instead of the built-in `GITHUB_TOKEN`, because a push signed by the workflow token does not trigger downstream workflows on the same PR. With the PAT, `Py Build` reruns after regen and the PR arrives green. The guard is on `pull_request.user.login` rather than `github.actor`, so a maintainer rebasing a Dependabot PR still triggers regen.
5 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes the recurring red CI on Python dependency bump PRs (e.g. #316) without switching off Dependabot.
Problem: Dependabot bumps `pyproject.toml` + `uv.lock` but has no hook to regenerate the per-service `requirements.txt` files. `py-build.yml`'s `gen_requirements.py --check` step then fails on every Python bump, requiring a manual follow-up commit to unstick the PR.
Fix: A new `Dependabot Regen` workflow that fires on Dependabot-authored PRs, regenerates `packages/*/requirements.txt`, and commits the diff back to the PR branch. Py Build's strict check stays, but the PR arrives already green.
Why not #310 (Renovate)?
Renovate isn't a native GitHub approach — it needs a self-hosted runner (for `postUpgradeTasks`), a GitHub App token, and a separate config file (`renovate.json`) replacing native `dependabot.yml`. This PR keeps native Dependabot untouched and adds one workflow file plus one PAT secret.
What's here
Why the PAT
Pushes signed by the built-in `GITHUB_TOKEN` do not trigger downstream workflows on the same PR. Without a PAT, `Py Build` would stay red on the PR even after regen lands. The PAT (`DEPENDABOT_REGEN_PAT`, contents:write on this repo) is owned by the `nvisybot` service account.
Trust surface
Test plan
Related
🤖 Generated with Claude Code