name: Sync requirements for Python dependency PRs on: pull_request: types: [opened, synchronize] permissions: contents: write pull-requests: read jobs: sync-python-dep-requirements: # This action is limited to upstream repo only due to write contents if: github.repository == 'apache/superset' && github.event.pull_request.user.login == 'dependabot[bot]' && github.event.pull_request.head.repo.fork == false runs-on: ubuntu-slim steps: - name: Fetch Dependabot metadata id: dependabot-metadata uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0 # zizmor: ignore[artipacked] - required persisted credentials to push synced requirement changes back to remote - name: Checkout source code if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'pip' }} uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ github.event.pull_request.head.sha }} persist-credentials: true - name: Setup Python if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'pip' }} uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version-file: 'pyproject.toml' - name: Install uv if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'pip' }} run: pip install uv - name: Sync requirements if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'pip' }} run: ./scripts/uv-pip-compile.sh - name: Push changes to remote PRs if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'pip' }} run: | git config user.name 'github-actions[bot]' git config user.email '41898282+github-actions[bot]@users.noreply.github.com' git add requirements git diff --cached --quiet && exit 0 git commit --signoff --message "build(deps) sync pinned requirements for Dependabot pip PRs" git push origin "HEAD:refs/heads/${GITHUB_EVENT_PULL_REQUEST_HEAD_REF}" env: GITHUB_EVENT_PULL_REQUEST_HEAD_REF: ${{ github.event.pull_request.head.ref }}