Merge branch 'master' into feat/run-uv-compile-for-python-deps-pr

feat(ci): add workflow to automatically sync pinned requirements for pip Dependabot PRs
Signed-off-by: hainenber <dotronghai96@gmail.com>
2026-06-10 01:59:17 +00:00 · 2026-05-30 16:08:45 +07:00 · 2026-05-30 16:05:36 +07:00 · 2026-05-30 16:04:52 +07:00 · 2026-05-30 16:04:06 +07:00
4 changed files with 53 additions and 3 deletions
--- a/.github/workflows/bump-python-package.yml
+++ b/.github/workflows/bump-python-package.yml
@@ -46,7 +46,7 @@ jobs:
          python-version: "3.10"

      - name: Install uv
-        run: pip install uv
+        run: pip install uv==0.11.17

      - name: supersetbot bump-python -p "${{ github.event.inputs.package }}"
        env:
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -43,7 +43,7 @@ jobs:
          #   the latest version. It's MIT: https://github.com/nbubna/store/blob/master/LICENSE-MIT
          # pkg:npm/node-forge@1.3.1
          #   selecting BSD-3-Clause licensing terms for node-forge to ensure compatibility with Apache
-          allow-dependencies-licenses: pkg:npm/store2@2.14.2, pkg:npm/node-forge@1.3.1, pkg:npm/rgbcolor, pkg:npm/jszip@3.10.1
+          allow-dependencies-licenses: pkg:npm/rgbcolor, pkg:npm/jszip@3.10.1

  python-dependency-liccheck:
    # NOTE: Configuration for liccheck lives in our pyproject.yml.
--- a/.github/workflows/sync-requirements-for-python-dep-upgrade-pr.yml
+++ b/.github/workflows/sync-requirements-for-python-dep-upgrade-pr.yml
@@ -0,0 +1,50 @@
+name: Sync requirements for Python dependency PRs
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+
+permissions:
+  contents: write
+  pull-requests: read
+
+jobs:
+  sync-python-dep-requirements:
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
+    runs-on: ubuntu-slim
+    steps:
+      - name: Fetch Dependabot metadata
+        id: dependabot-metadata
+        uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
+
+      - name: Checkout source code
+        if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'pip' }}
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
+
+      - name: Setup Python
+        if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'pip' }}
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version-file: 'pyproject.toml'
+
+      - name: Install uv
+        run: pip install uv==0.11.17
+
+      - name: Sync requirements
+        if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'pip' }}
+        run: ./scripts/uv-pip-compile.sh
+
+      - name: Push changes to remote PRs
+        if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'pip' }}
+        run: |
+          git config user.name 'github-actions[bot]'
+          git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
+          git add requirements
+          git diff --cached --quiet && exit 0
+          git commit --signoff "build(deps) sync pinned requirements for Dependabot pip PRs"
+          git push origin "HEAD:refs/heads/${GITHUB_EVENT_PULL_REQUEST_HEAD_REF}"
+        env:
+          GITHUB_EVENT_PULL_REQUEST_HEAD_REF: ${{github.event.pull_request.head.ref}}
--- a/scripts/uv-pip-compile.sh
+++ b/scripts/uv-pip-compile.sh
@@ -31,7 +31,7 @@ if [ -z "$RUNNING_IN_DOCKER" ]; then
    -w /app \
    -e RUNNING_IN_DOCKER=1 \
    python:${PYTHON_VERSION}-slim \
-    bash -c "pip install uv && ./scripts/uv-pip-compile.sh $*"
+    bash -c "pip install uv==0.11.17 && ./scripts/uv-pip-compile.sh $*"

  exit $?
 fi
Author	SHA1	Message	Date
Đỗ Trọng Hải	d91c25d3d8	Merge branch 'master' into feat/run-uv-compile-for-python-deps-pr	2026-05-30 16:08:45 +07:00
hainenber	07e1faed5f	feat(ci): add workflow to automatically sync pinned requirements for `pip` Dependabot PRs Signed-off-by: hainenber <dotronghai96@gmail.com>	2026-05-30 16:05:36 +07:00
hainenber	bbe1fe8aa2	chore: pin `uv` to latest 0.11.17 for futureproofing Signed-off-by: hainenber <dotronghai96@gmail.com>	2026-05-30 16:04:52 +07:00
hainenber	8fd42aadee	chore: remove nonexistent packages from license allowlist Signed-off-by: hainenber <dotronghai96@gmail.com>	2026-05-30 16:04:06 +07:00