Refine uv dependency upgrade workflow #240
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check out repository | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up uv | ||
| uses: astral-sh/setup-uv@v2 | ||
|
|
||
| - name: Generate timestamp | ||
| id: timestamp | ||
| run: | | ||
| echo "date=$(date -u '+%Y-%m-%d')" >> "$GITHUB_OUTPUT" | ||
| echo "slug=$(date -u '+%Y%m%d-%H%M%S')" >> "$GITHUB_OUTPUT" | ||
| - name: Upgrade dependencies | ||
| id: upgrade | ||
| shell: bash | ||
| run: | | ||
| set -o pipefail | ||
| uv lock --upgrade 2>&1 | tee /tmp/uv-upgrade.log | ||
| { | ||
| echo "output<<'EOF'" | ||
| cat /tmp/uv-upgrade.log | ||
| echo "EOF" | ||
| } >> "$GITHUB_OUTPUT" | ||
| - name: Create pull request | ||
| uses: peter-evans/create-pull-request@v6 | ||
| with: | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
| commit-message: "chore: upgrade uv dependencies" | ||
| committer: agent-lightning-bot <[email protected]> | ||
| author: agent-lightning-bot <[email protected]> | ||
| title: "chore: upgrade uv dependencies (${{ steps.timestamp.outputs.date }})" | ||
| body: | | ||
| Automated uv dependency upgrade. | ||
| ``` | ||
| ${{ steps.upgrade.outputs.output }} | ||
| ``` | ||
| branch: chore/uv-dependency-upgrade-${{ steps.timestamp.outputs.slug }} | ||
| delete-branch: true |
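Review bot: the heredoc delimiters in the "Upgrade dependencies" step do not match: the opening line `echo "output<<'EOF'"` writes the delimiter into `$GITHUB_OUTPUT` as the literal text `'EOF'` (quotes included), while the closing line writes plain `EOF`. The runner compares each following line against the delimiter text verbatim, so the value is never terminated and the step fails with a "matching delimiter not found" error. Use `echo "output<<EOF"`, or better a random delimiter such as `delim=$(openssl rand -hex 8)` on both lines, so that an `EOF` line inside the uv log cannot end the value early. Two further points: the job declares no `permissions:` block (the CodeQL warning below), so it relies on the repository's default GITHUB_TOKEN scope instead of stating the `contents: write` and `pull-requests: write` that pushing a branch and opening a PR require; and all three actions are referenced by mutable major tags (`actions/checkout@v4`, `astral-sh/setup-uv@v2`, `peter-evans/create-pull-request@v6`) rather than commit SHAs, so a moved tag changes what runs with a write-capable token. Finally, since `branch:` embeds a per-run timestamp slug, every weekly run opens a fresh PR instead of updating the previous one; a fixed branch name lets create-pull-request update the existing PR in place.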
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix
AI 6 days ago
To fix the issue, you should add an explicit permissions block to the workflow to grant only the minimum necessary permissions that the job requires. Since the workflow creates a pull request with changes (commits), the job needs contents: write and pull-requests: write permissions. To minimize risk, add the following block to the job ("upgrade"), immediately after runs-on: ubuntu-latest.
No other changes are required.
File to edit: .github/workflows/uv-upgrade.yml
Change: Add a permissions: block to the upgrade job, specifying only the necessary permissions.
| @@ -8,6 +8,9 @@ | ||
| jobs: | ||
| upgrade: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
| pull-requests: write | ||
|
|
||
| steps: | ||
| - name: Check out repository |
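Review bot: the placement is right: declaring `permissions:` at the job level keeps the grant scoped to the `upgrade` job rather than the whole workflow, and `contents: write` plus `pull-requests: write` is the minimum create-pull-request needs to push the branch and open the PR. One consequence worth a comment in the workflow: because the PR is created with `secrets.GITHUB_TOKEN`, GitHub does not start other workflows (`on: pull_request` CI) for that PR, so the upgrade PR will show no checks unless a separately scoped token is used.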
Pull Request Overview
This PR introduces an automated workflow for upgrading UV dependencies on a weekly schedule. The workflow creates pull requests with the upgrade results, streamlining the dependency maintenance process.
- Adds a GitHub Actions workflow that runs weekly on Mondays to upgrade UV dependencies
- Implements automatic PR creation with upgrade logs included in the PR body
- Configures the workflow to use a bot account for commits and PR authorship
| shell: bash | ||
| run: | | ||
| set -o pipefail | ||
| uv lock --upgrade 2>&1 | tee /tmp/uv-upgrade.log |
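Review bot: `set -o pipefail` is redundant here: once `shell: bash` is set, the runner invokes `bash --noprofile --norc -eo pipefail {0}`, so errexit and pipefail are already active. It is harmless to keep, but a comment noting the default would stop the line being read as a fix for something. With `-e` in effect, a failing `uv lock --upgrade` aborts the step before anything is appended to `$GITHUB_OUTPUT`, which is the behaviour wanted.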
Copilot
AI
Oct 29, 2025
The command captures output but doesn't check if uv lock --upgrade actually made any changes. Consider checking if the lock file was modified before creating a PR to avoid creating empty PRs when no upgrades are available. You could add a git diff check after this step to set a conditional flag.
| - name: Create pull request |
Copilot
AI
Oct 29, 2025
The create-pull-request action will succeed even when no changes exist, creating unnecessary workflow runs. Consider adding a condition to skip PR creation when there are no changes, or rely on the action's default behavior by not explicitly setting all parameters when changes might be empty.
| - name: Create pull request | |
| - name: Check for changes | |
| id: changes | |
| run: | | |
| if [[ -n "$(git status --porcelain)" ]]; then | |
| echo "has_changes=true" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "has_changes=false" >> "$GITHUB_OUTPUT" | |
| fi | |
| - name: Create pull request | |
| if: steps.changes.outputs.has_changes == 'true' |
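Review bot: `git status --porcelain` also lists untracked files, so anything the upgrade step leaves in the workspace, not only `uv.lock`, would set `has_changes=true`. Since the PR exists to carry the lock file, `git diff --quiet -- uv.lock || echo "has_changes=true" >> "$GITHUB_OUTPUT"` is more targeted and removes the string comparison. Add `shell: bash` to the "Check for changes" step as well, for consistency with the upgrade step, since `[[` is a bashism. Note that peter-evans/create-pull-request already does nothing when the working tree has no changes, so the guard mainly saves a step and makes the intent explicit rather than preventing empty PRs.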
Summary
`uv lock --upgrade` output for use in the automated PR description
Testing
`git status -sb`
https://chatgpt.com/codex/tasks/task_e_69017e4b88e8832e8f05de93d4bc448d