Weekly dependency upgrade #16
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Weekly dependency upgrade | |
| on: | |
| schedule: | |
| - cron: '0 7 * * 1' # Monday 7am UTC | |
| workflow_dispatch: | |
| jobs: | |
| upgrade: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| steps: | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 | |
| - name: Upgrade all dependencies | |
| run: uv lock --upgrade | |
| - name: Open PR if lockfile changed | |
| id: create-pr | |
| uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 | |
| with: | |
| commit-message: "chore: uv lock --upgrade" | |
| branch: chore/uv-upgrade | |
| delete-branch: true | |
| title: "chore: weekly dependency upgrade" | |
| body: | | |
| Automated weekly `uv lock --upgrade`. Auto-merges when CI | |
| passes (branch protection catches any regression). | |
| Check the Security tab after merging — Dependabot alerts for packages | |
| bumped here will auto-close once the new versions land on main. | |
| labels: dependencies | |
| - name: Enable auto-merge on the PR | |
| if: steps.create-pr.outputs.pull-request-number | |
| run: gh pr merge --auto --squash "$PR_NUM" | |
| env: | |
| PR_NUM: ${{ steps.create-pr.outputs.pull-request-number }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |