Skip to content

Proof of concept for a simple GitHub Actions workflow to bump uv lockfile versions

Notifications You must be signed in to change notification settings

EdmundGoodman/update-bot

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Update bot

Proof of concept for a simple GitHub Actions workflow to bump uv lockfile versions.

Motivation

At time of writing (23rd October 2024), Dependabot does not support uv as a package ecosystem. However, the behaviour of PRs to version bump dependencies, especially relating to security vulnerabilities, is still very desirable.

Whilst there is ongoing work to support this, it is not ready yet. There are also some other solutions around this suggested in the uv docs for this functionality, such as using an alternative like Renovate. However, Renovate has compromises such as being non-native to GitHub and requiring complicated configuration.

In the meantime, a small GitHub Actions workflow to approximate the functionality in a lightweight way is a helpful thing to have.

Workflow

The workflow to create pull requests to bump lockfile versions is shown in its entirety below, duplicated from .github/workflows/update-bot.yaml:

name: update-bot

on:
  workflow_dispatch:
  # Set the schedule, for example every week at 8:00am on Monday
  schedule:
    - cron: 0 8 * * 1

permissions:
  contents: write
  pull-requests: write

jobs:
  lock:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: astral-sh/setup-uv@v3

      - run: |
          echo "\`\`\`" > uv_output.md
          uv lock --upgrade 2>&1 | tee -a uv_output.md
          echo "\`\`\`" >> uv_output.md

      - name: Create pull request
        uses: peter-evans/create-pull-request@v7
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          commit-message: Update uv lockfile
          title: Update uv lockfile
          body-path: uv_output.md
          branch: update-uv
          base: main
          labels: install
          delete-branch: true
          add-paths: uv.lock

Usage

  1. In your repository's "Settings>Actions>General" menu (https://github.com/USER/REPO/settings/actions), select the "Allow GitHub Actions to create and approve pull requests" checkbox at the bottom of the page
  2. Copy the workflow YAML file shown above to .github/workflows/update-bot.yaml

That's it! The workflow will automagically run on a cron schedule, creating a PR to version bump your uv dependencies. An example PR generated by the action on this demo repo is available here, and shown in the screenshot below:

Screenshot of the generated pull request

In combination with GitHub Actions running your test suite against PRs, you should be able to merge them with confidence!

Provenance

This workflow was created to fill the need identified in the xDSL project when switching to uv.

Some other workflows to perform a similar task (blog post here) have been created, but these directly commit to the main branch, which could result in broken code on the release branch if the dependencies change in an unexpected way.

The mechanism for pull requesting the change rather than directly committing it was shown here, but targeting a different package manager

About

Proof of concept for a simple GitHub Actions workflow to bump uv lockfile versions

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages