name: Update Python requirements on: pull_request: types: [opened, synchronize, reopened] paths: - "cvat/requirements/*.in" - "utils/dataset_manifest/requirements.in" permissions: contents: read pull-requests: read jobs: update: # Only run on Dependabot branches from this repository. Regenerating # requirements can execute package build code, so fork PRs must not run this # workflow with access to the CVAT bot token. if: > github.event.pull_request.user.login == 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository && startsWith(github.event.pull_request.head.ref, 'dependabot/pip/') runs-on: ubuntu-latest steps: - uses: actions/checkout@v7 with: ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} persist-credentials: false - uses: actions/setup-python@v6 with: python-version: "3.12" - name: Install system dependencies run: | sudo apt-get update sudo apt-get install --no-install-recommends -y \ cargo \ g++ \ gcc \ libhdf5-dev \ libldap2-dev \ libmp3lame-dev \ libsasl2-dev \ libxml2-dev \ libxmlsec1-dev \ libxmlsec1-openssl \ make \ nasm \ pkg-config \ python3-dev - name: Install pip-compile-multi run: python -m pip install pip-compile-multi - name: Regenerate Python requirements run: cvat/requirements/regenerate.sh --no-upgrade - name: Check generated requirements changes id: changes run: | if git diff --quiet -- cvat/requirements/*.txt utils/dataset_manifest/requirements.txt; then echo "No generated requirements changes" echo "changed=false" >> "$GITHUB_OUTPUT" else echo "changed=true" >> "$GITHUB_OUTPUT" fi # The default github.token does not trigger follow-up CI on push. Use the # same app token as the release workflow so the updated Dependabot PR runs # the normal validation pipeline. - name: Generate authentication token if: steps.changes.outputs.changed == 'true' id: gen-token uses: actions/create-github-app-token@v3 with: client-id: "${{ secrets.CVAT_BOT_CLIENT_ID }}" private-key: "${{ secrets.CVAT_BOT_PRIVATE_KEY }}" - name: Commit regenerated requirements if: steps.changes.outputs.changed == 'true' env: GH_TOKEN: "${{ steps.gen-token.outputs.token }}" run: | git config user.name "cvat-bot[bot]" git config user.email "147643061+cvat-bot[bot]@users.noreply.github.com" git add cvat/requirements/*.txt utils/dataset_manifest/requirements.txt git commit -m "Regenerate Python requirements" git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git" git push origin HEAD:${{ github.event.pull_request.head.ref }}