Add requirements updater workflow and actions (#6)

* refactor: Update test-code.yml to use the secrets input type to get the secrets necessary, rather than requiring calling workflows to pass inherited secrets * feat: Started working on the workflow/actions needed to enable updating python and pre-commit dependencies in-sync * docs: Added links to the source code of the workflow files * docs: Added information about the workflows that use concurrency * refactor: Update sorting method for requirements files * refactor: Convert the CodeQL action into a workflow to reduce the code needed to take advantage of the workflow * feat: Added an action that can update python development dependencies using poetry and pre-commit * docs: Added documentation for the reusable workflow for updating Python and pre-commit dependencies * docs: Add new action and workflow to the documentation
tektronix · Aug 19, 2024 · 518709a · 518709a
1 parent 346cb0a
commit 518709a
Show file tree

Hide file tree

Showing 26 changed files with 885 additions and 101 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -2,7 +2,7 @@
 version: 2
 updates:
   - package-ecosystem: github-actions
-    directory: /
+    directories: [/, actions/**/*]
     schedule:
       interval: weekly
     groups:
@@ -13,7 +13,7 @@ updates:
       prefix: gh-actions
       include: scope
   - package-ecosystem: pip
-    directory: /
+    directories: [/, actions/**/*]
     schedule:
       interval: weekly
     versioning-strategy: increase-if-necessary

diff --git a/.github/workflows/_reusable-codeql-analysis.yml b/.github/workflows/_reusable-codeql-analysis.yml
@@ -0,0 +1,37 @@
+---
+name: CodeQL
+on:
+  workflow_call:
+    inputs:
+      languages-array:
+        type: string
+        description: A valid JSON array of languages to analyze.
+        required: true
+      codeql-queries:
+        type: string
+        description: A comma-separate list of CodeQL query sets to use.
+        default: security-extended,security-and-quality
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ${{ fromJSON(inputs.languages-array) }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          queries: ${{ inputs.codeql-queries }}
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: /language:${{matrix.language}}
diff --git a/.github/workflows/_reusable-test-code.yml b/.github/workflows/_reusable-test-code.yml
@@ -23,6 +23,11 @@ on:
         required: false
         default: false
         type: boolean
+    secrets:
+      codecov-token:
+        description: The token to use to upload coverage results to Codecov. Only
+          required when the `upload-codecov` input variable is set to `true`.
+        required: false
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }} (Reusable)
   cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
@@ -84,9 +89,9 @@ jobs:
             .coverage*
       - name: Upload coverage to Codecov
         uses: codecov/[email protected]
-        if: ${{ github.repository == env.REPO_NAME && !cancelled() }}
+        if: ${{ inputs.upload-to-codecov && github.repository == env.REPO_NAME && !cancelled() }}
         with:
-          token: ${{ secrets.CODECOV_TOKEN }}
+          token: ${{ secrets.codecov-token }}
           files: ./.coverage_tests.xml
           name: codecov-${{ matrix.os-name }}
           fail_ci_if_error: true

diff --git a/.github/workflows/_reusable-update-python-and-pre-commit-dependencies.yml b/.github/workflows/_reusable-update-python-and-pre-commit-dependencies.yml
@@ -0,0 +1,89 @@
+---
+name: Update python linting dependencies in-sync with pre-commit
+on:
+  workflow_call:
+    inputs:
+      commit-user-name:
+        description: The name of the user to use when committing changes to the repository.
+        required: true
+        type: string
+      commit-user-email:
+        description: The email of the user to use when committing changes to the repository.
+        required: true
+        type: string
+    dependency-dict:
+      description: 'Specify a valid dictionary of dependency groups to update, where
+        each key is a dependency group name, and each value is a tuple of dependencies
+        to update within that group, e.g. {"dev": ("pylint", "ruff"), "tests": ("ruff")}.'
+      required: false
+      type: string
+      default: ''
+    update-pre-commit:
+      description: A boolean indicating if the pre-commit hooks should be updated.
+      required: false
+      type: boolean
+      default: false
+    run-pre-commit:
+      description: A boolean indicating to run the pre-commit hooks to perform auto-fixing
+        after updating the dependencies. Setting this input to `true` will also set
+        the update-pre-commit input to `true`.
+      required: false
+      type: boolean
+      default: false
+    pre-commit-hook-skip-list:
+      description: A comma-separated list of pre-commit hooks to skip (only applicable
+        when `run-pre-commit=true`).
+      required: false
+      default: ''
+    export-dependency-groups:
+      description: A comma-separated list of dependency groups that should have their
+        requirements exported. An output folder can be specified by appending a ":"
+        followed by the custom output folder path to the provided group name, e.g.
+        "tests:custom/folder/path". The created file will always be named "requirements.txt",
+        and the folder will default to matching the group name if no custom folder
+        path is given.
+      required: false
+      default: ''
+    secrets:
+      checkout-token:
+        description: The token to use for checking out the repository, must have permissions
+          to write back to the repository.
+        required: true
+      gpg-signing-key-private:
+        description: The private GPG key to use for signing the commit.
+        required: true
+      gpg-signing-key-passphrase:
+        description: The passphrase for the private GPG key.
+        required: true
+jobs:
+  update-python-and-pre-commit-deps:
+    name: Update python linters and pre-commit dependencies
+    runs-on: ubuntu-latest
+    if: ${{ github.actor == 'dependabot[bot]' && contains(github.head_ref, '/pip/') }}
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.head_ref }}
+          token: ${{ secrets.checkout-token }}
+      - uses: crazy-max/ghaction-import-gpg@v6
+        with:
+          gpg_private_key: ${{ secrets.gpg-signing-key-private }}
+          passphrase: ${{ secrets.gpg-signing-key-passphrase }}
+          git_user_signingkey: true
+          git_commit_gpgsign: true
+      - uses: tektronix/python-package-ci-cd/actions/update-development-dependencies@main  # TODO: pin to a version
+        with:
+          dependency-dict: ${{ inputs.dependency-dict }}
+          update-pre-commit: ${{ inputs.update-pre-commit }}
+          run-pre-commit: ${{ inputs.run-pre-commit }}
+          pre-commit-hook-skip-list: ${{ inputs.pre-commit-hook-skip-list }}
+          export-dependency-groups: ${{ inputs.export-dependency-groups }}
+      - uses: stefanzweifel/git-auto-commit-action@v5
+        with:
+          commit_message: 'chore: Update python linters and pre-commit dependencies.'
+          commit_user_name: ${{ inputs.commit-user-name }}
+          commit_user_email: ${{ inputs.commit-user-email }}
+          commit_author: ${{ inputs.commit-user-name }} <${{ inputs.commit-user-email }}>
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -9,19 +9,11 @@ on:
     - cron: 17 16 * * 4
 jobs:
   analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
+    uses: ./.github/workflows/_reusable-codeql-analysis.yml
+    with:
+      languages-array: '["python", "javascript"]'
+      codeql-queries: security-extended,security-and-quality
     permissions:
       actions: read
       contents: read
       security-events: write
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [python, javascript]
-    steps:
-      - name: Run CodeQL Analysis
-        uses: ./actions/codeql-analysis
-        with:
-          language: ${{ matrix.language }}
-          codeql-queries: security-extended,security-and-quality
diff --git a/.github/workflows/update-python-and-pre-commit-dependencies.yml b/.github/workflows/update-python-and-pre-commit-dependencies.yml
@@ -0,0 +1,37 @@
+---
+name: Update python linting dependencies in-sync with pre-commit
+on:
+  pull_request:
+    branches: [main]
+jobs:
+  update-python-and-pre-commit-deps:
+    # TODO: switch to using the Reusable Workflow
+    name: Update python linters and pre-commit dependencies
+    runs-on: ubuntu-latest
+    if: ${{ github.actor == 'dependabot[bot]' && contains(github.head_ref, '/pip/') }}
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.head_ref }}
+          token: ${{ secrets.TEK_OPENSOURCE_TOKEN }}
+      - uses: crazy-max/ghaction-import-gpg@v6
+        with:
+          gpg_private_key: ${{ secrets.TEK_OPENSOURCE_GPG_SIGNING_KEY_PRIVATE }}
+          passphrase: ${{ secrets.TEK_OPENSOURCE_GPG_SIGNING_KEY_PASSPHRASE }}
+          git_user_signingkey: true
+          git_commit_gpgsign: true
+      - uses: ./actions/update-development-dependencies
+        with:
+          update-pre-commit: true
+          run-pre-commit: true
+          pre-commit-hook-skip-list: pyright,poetry-audit
+          export-dependency-groups: udd:actions/update-development-dependencies
+      - uses: stefanzweifel/git-auto-commit-action@v5
+        with:
+          commit_message: 'chore: Update python linters and pre-commit dependencies.'
+          commit_user_name: ${{ vars.TEK_OPENSOURCE_NAME }}
+          commit_user_email: ${{ vars.TEK_OPENSOURCE_EMAIL }}
+          commit_author: ${{ vars.TEK_OPENSOURCE_NAME }} <${{ vars.TEK_OPENSOURCE_EMAIL }}>
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -54,6 +54,12 @@ repos:
     rev: 47039c9bf8039e81f092c9777a1bc8be32fb7870  # frozen: 1.16.0
     hooks:
       - id: yamlfix
+        additional_dependencies: [maison<2.0.0]
+  - repo: https://github.com/AleksaC/hadolint-py
+    rev: e70baeefd566058716df2f29eae8fe8ffc213a9f  # frozen: v2.12.1b3
+    hooks:
+      - id: hadolint
+        args: [--ignore=DL3008]
   - repo: https://github.com/executablebooks/mdformat
     rev: 08fba30538869a440b5059de90af03e3502e35fb  # frozen: 0.7.17
     hooks:

diff --git a/README.md b/README.md
@@ -11,15 +11,19 @@ Python Packaging CI/CD.
 
 ## Actions
 
-- [`codeql-analysis`](./actions/codeql-analysis/readme.md)
-    - This composite Action will checkout the code and then run a CodeQL analysis against the
-        provided languages in the repository.
+- [`update-development-dependencies`](./actions/update-development-dependencies.md)
+    - This action enables updating Python development dependencies using the
+        [`Poetry`](https://python-poetry.org/) package manager in-sync with
+        [`pre-commit`](https://pre-commit.com/) hooks.
 
 ## Reusable Workflows
 
 - [`check-api-for-breaking-changes.yml`](./workflows/check-api-for-breaking-changes.md)
     - This workflow will use the [`griffe`](https://mkdocstrings.github.io/griffe/) Python package to check for
         any major or breaking changes in a package's API.
+- [`codeql-analysis.yml`](./workflows/codeql-analysis.md)
+    - This workflow will checkout the code and then run a CodeQL analysis against the
+        specified languages.
 - [`enforce-community-standards.yml`](./workflows/enforce-community-standards.md)
     - This workflow will ensure that all necessary files are in place in order to meet the
         Open Source Community Standards for a repository.
@@ -46,6 +50,12 @@ Python Packaging CI/CD.
 - [`test-docs.yml`](./workflows/test-docs.md)
     - This workflow will run the documentation tests for the code in the repository that are defined by its
         [`tox`](https://tox.wiki/en/stable/) configuration.
+- [`update-python-and-pre-commit-dependencies.yml`](./workflows/update-python-and-pre-commit-dependencies.md)
+    - This workflow updates Python development dependencies using the
+        [`Poetry`](https://python-poetry.org/) package manager in-sync with
+        [`pre-commit`](https://pre-commit.com/) hooks when triggered as a part of
+        [`Dependabot`](https://docs.github.com/en/code-security/getting-started/dependabot-quickstart-guide)
+        updates for the Python dependencies.
 
 ## Maintainers
 

diff --git a/actions/codeql-analysis/action.yml b/actions/codeql-analysis/action.yml
diff --git a/actions/codeql-analysis/readme.md b/actions/codeql-analysis/readme.md
diff --git a/actions/update-development-dependencies/Dockerfile b/actions/update-development-dependencies/Dockerfile
@@ -0,0 +1,16 @@
+FROM python:3.12-slim-bullseye
+
+# Copy over necessary files
+COPY requirements.txt /requirements.txt
+COPY update_development_dependencies.py /update_development_dependencies.py
+
+# Install dependencies
+RUN echo 'APT::Install-Recommends "0";' > /etc/apt/apt.conf.d/00-docker && \
+    apt-get update --quiet && \
+    apt-get install --quiet --assume-yes --no-install-recommends git && \
+    apt-get clean && \
+    rm --force --recursive /var/lib/apt/lists/*
+RUN python -m pip install --no-cache-dir --requirement /requirements.txt
+
+# Run the updater script as the entrypoint
+CMD ["python", "-u", "/update_development_dependencies.py"]