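---
# Scheduled housekeeping: propose dependency refreshes via a PR, prune old
# workflow runs, and run static security scanners over the source tree.
#
# Supply-chain notes (review):
#   - Every third-party action below is referenced by a mutable tag. Pin each
#     to a full commit SHA so a moved tag cannot change what runs with the
#     write-scoped tokens granted here.
#   - `permissions` is declared per job (least privilege); keep it that way.
name: Repository Maintenance

on:  # yamllint disable-line rule:truthy
  schedule:
    # Run weekly on Sundays at 2 AM UTC
    - cron: "0 2 * * 0"
  workflow_dispatch:  # Allow manual triggering

jobs:
  update-dependencies:
    name: Update Dependencies
    runs-on: ubuntu-latest
    # Write access is needed to push the update branch and open the PR.
    permissions:
      contents: write
      pull-requests: write
    steps:
      # TODO(review): pin to a full commit SHA instead of the mutable `v5` tag.
      - uses: actions/checkout@v5

      - name: Set up Pixi
        # NOTE(review): the action reference on the next line was garbled in the
        # page this file was taken from; restore the real `owner/repo@ref`
        # (the `pixi-version`/`cache` inputs suggest prefix-dev/setup-pixi)
        # and pin it to a commit SHA.
        uses: prefix-dev/[email protected]
        with:
          pixi-version: v0.52.0
          cache: true

      # Both update steps fetch new versions from the network; the resulting
      # diff is only proposed as a PR for review, never pushed to the default
      # branch directly.
      - name: Update pixi dependencies
        run: |
          pixi update

      - name: Update pre-commit hooks
        run: |
          pixi run -e default -- pre-commit autoupdate

      - name: Check for changes
        id: changes
        # `git diff --quiet` only sees modifications to tracked files; that
        # covers pixi.lock and .pre-commit-config.yaml, which are assumed to
        # be tracked (confirm). Newly created untracked files would not
        # trigger a PR.
        run: |
          if git diff --quiet; then
            echo "has-changes=false" >> "$GITHUB_OUTPUT"
          else
            echo "has-changes=true" >> "$GITHUB_OUTPUT"
          fi

      - name: Create Pull Request
        if: steps.changes.outputs.has-changes == 'true'
        # TODO(review): pin to a full commit SHA instead of the mutable `v7` tag.
        uses: peter-evans/create-pull-request@v7
        with:
          # A PAT (rather than GITHUB_TOKEN) lets the opened PR trigger the
          # repository's own CI workflows. Scope RELEASE_PAT to this repository
          # with only the contents/pull-requests permissions this job needs,
          # and rotate it like any other long-lived credential.
          token: ${{ secrets.RELEASE_PAT }}
          commit-message: "chore(deps): update dependencies and pre-commit hooks"
          title: "chore(deps): automated dependency updates"
          body: |
            ## Automated Dependency Updates
            This PR contains automated updates to:
            - 📦 Pixi dependencies (pixi.lock)
            - 🔗 Pre-commit hooks (.pre-commit-config.yaml)
            ### Changes
            - Updated pixi dependencies to latest compatible versions
            - Updated pre-commit hooks to latest versions
            ### Verification
            - [ ] All tests pass
            - [ ] Pre-commit hooks run successfully
            - [ ] No breaking changes detected
            *This PR was automatically created by the Repository Maintenance workflow.*
          branch: automated/dependency-updates
          delete-branch: true
          labels: |
            dependencies
            automated
            maintenance

  cleanup-artifacts:
    name: Cleanup Artifacts
    runs-on: ubuntu-latest
    # `actions: write` is required to delete workflow runs; nothing more.
    permissions:
      actions: write
    steps:
      - uses: actions/checkout@v5
      - name: Delete old workflow runs
        # TODO(review): third-party action that receives a write-scoped token;
        # pin to a full commit SHA and review its source before upgrading.
        uses: Mattraks/delete-workflow-runs@v2
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          repository: ${{ github.repository }}
          # Runs older than 30 days are deleted, but at least 10 are kept.
          retain_days: 30
          keep_minimum_runs: 10

  security-audit:
    name: Security Audit
    runs-on: ubuntu-latest
    # Reports are uploaded as a build artifact, not to code scanning, so the
    # job only needs to read the repository (no `security-events` scope).
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v5
      - name: Set up Pixi
        # NOTE(review): same garbled action reference as in update-dependencies;
        # restore and pin it.
        uses: prefix-dev/[email protected]
        with:
          pixi-version: v0.52.0
          cache: true
      - name: Install dependencies
        run: pixi install
      - name: Run security audit
        # The scanners must not abort the job (reports are uploaded in the next
        # step regardless), but a non-zero exit is surfaced as a workflow
        # warning so findings show up in the run summary instead of being
        # silently discarded.
        # NOTE(review): newer safety releases deprecate `check` in favour of
        # `scan`; confirm against the version pixi resolves.
        run: |
          # Run bandit security scan
          if ! pixi run -e default -- bandit -r src/ -f json -o bandit-security-report.json; then
            echo "::warning::bandit reported findings or failed; see bandit-security-report.json in the security-reports artifact"
          fi
          # Run safety check (if requirements files exist)
          if ls requirements*.txt 1> /dev/null 2>&1; then
            if ! pixi run -e default -- safety check --json --output safety-security-report.json; then
              echo "::warning::safety reported findings or failed; see safety-security-report.json in the security-reports artifact"
            fi
          fi
      - name: Upload security scan results
        # `always()` so any report already written is uploaded even if an
        # earlier step fails.
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: security-reports
          path: |
            bandit-security-report.json
            safety-security-report.json
          retention-days: 30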