Build allow lists #1107
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Build allow lists | |
# Run workflow on pushes to matching branches | |
on: # yamllint disable-line rule:truthy | |
push: | |
branches: [develop] | |
schedule: | |
- cron: "0 0 */6 * *" # run every six days in order to keep the cache fresh | |
workflow_dispatch: # allow this workflow to be manually triggered | |
# checkout needs 'contents:read' | |
# pull request needs 'pull-requests:write' and 'contents:write' | |
permissions: | |
contents: write | |
pull-requests: write | |
env: | |
TIMEOUT_REACHED: 0 | |
jobs: | |
build_allow_lists: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v3 | |
- name: Cache dependencies | |
uses: actions/cache@v3 | |
with: | |
path: environment_configs/package_lists/dependency-cache.json | |
key: dependencies-${{ github.sha }} # request a cache that does not yet exist | |
restore-keys: dependencies- # use prefix matching to fallback to the most recently created SHA-specific cache | |
- name: Check PyPI allow list | |
shell: pwsh | |
env: | |
LIBRARIES_IO_API_KEY: ${{ secrets.LIBRARIES_IO_API_KEY }} | |
run: ./deployment/administration/SHM_Expand_Allowlist_Dependencies.ps1 -Repository pypi -TimeoutMinutes 60 -ApiKey "$env:LIBRARIES_IO_API_KEY" # this will set TIMEOUT_REACHED if the timeout is reached | |
- name: Check CRAN allow list | |
shell: pwsh | |
env: | |
LIBRARIES_IO_API_KEY: ${{ secrets.LIBRARIES_IO_API_KEY }} | |
run: ./deployment/administration/SHM_Expand_Allowlist_Dependencies.ps1 -Repository cran -TimeoutMinutes 240 -ApiKey "$env:LIBRARIES_IO_API_KEY" # this will set TIMEOUT_REACHED if the timeout is reached | |
- name: Check for changes | |
shell: bash | |
run: git --no-pager diff -- . ':!environment_configs/package_lists/dependency-cache.json' | |
- name: Get current date | |
id: date | |
run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT | |
- name: Create pull request | |
if: ${{ (env.TIMEOUT_REACHED == 0) && (! env.ACT) }} | |
id: pull-request | |
uses: peter-evans/create-pull-request@38e0b6e68b4c852a5500a94740f0e535e0d7ba54 # This commit corresponds to tag 4.2.4 | |
with: | |
commit-message: Update PyPI and CRAN allow lists | |
committer: GitHub Actions <[email protected]> | |
author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com> | |
base: develop | |
branch: package-allowlist-updates | |
delete-branch: true | |
title: Update PyPI and CRAN allow lists | |
body: | | |
### :arrow_heading_up: Summary | |
- Apply package allowlist diff from ${{ github.sha }} on ${{ steps.date.outputs.date }} | |
### :closed_umbrella: Related issues | |
None | |
### :microscope: Tests | |
Allow-list only | |
labels: | | |
affected: developers | |
severity: minor | |
type: enhancement | |
draft: false |