Several CI workflows additions and improvements.

..."borrowed" from other projects I'm working on.

Author: jmfernandez

.github/dependabot.yml

@@ -0,0 +1,13 @@
+version: 2
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      # Check for updates to GitHub Actions every week
+      interval: "weekly"
+    groups:
+      github-actions:
+        patterns:
+          - "*"
+

.github/workflows/build_n_deploy.yml

@@ -9,9 +9,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Setup Python environment
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: '3.x'
       - name: Install development dependencies
@@ -21,7 +21,7 @@ jobs:
       - name: Build packages to be uploaded
         run: python -m build
       - name: pypi-publish
-        uses: pypa/gh-action-pypi-publish@v1.12.4
+        uses: pypa/gh-action-pypi-publish@v1.13.0
         with:
           user: __token__
           password: ${{ secrets.PYPI_API_TOKEN }}

.github/workflows/pip-audit.yml

@@ -0,0 +1,138 @@
+name: pip-audit
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 12 * * 1"
+
+jobs:
+  pip-audit:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: [ "3.10", "3.11", "3.12", "3.13" ]
+    name: pip-audit python ${{ matrix.python-version }}
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-python@v6
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: 'pip'
+          cache-dependency-path: |
+            requirements.txt
+          architecture: x64
+      - name: 'Install requirements (standard or constraints ${{ matrix.python-version }})'
+        run: |
+          python -mvenv /tmp/PIPAUDIT
+          source /tmp/PIPAUDIT/bin/activate
+          pip install --upgrade pip wheel
+          pip install pip-audit
+#      - name: 'Freeze Python ${{ matrix.python-version }} constraints'
+#        run: |
+#          pip freeze > constraints-${{ matrix.python-version }}.txt
+      - id: gen-cve-output
+        run: |
+          source /tmp/PIPAUDIT/bin/activate
+          set +e
+          pip-audit --desc=on --progress-spinner=off -r constraints-${{ matrix.python-version }}.txt --no-deps --disable-pip -f markdown -o /tmp/report-before.md
+          refreeze=$?
+          set -e
+          
+          if [ "$refreeze" != 0 ] ; then
+            deactivate
+            python -mvenv /tmp/PIPFREEZE
+            source /tmp/PIPFREEZE/bin/activate
+            pip install --upgrade pip wheel
+            pip install -r requirements.txt
+            pip freeze > constraints-${{ matrix.python-version }}.txt
+            
+            # Re-audit the populated environment
+            deactivate
+            source /tmp/PIPAUDIT/bin/activate
+            set +e
+            pip-audit --desc=on --progress-spinner=off -r constraints-${{ matrix.python-version }}.txt --no-deps --disable-pip -f markdown -o /tmp/report-after.md
+            auditres=$?
+            set -e
+            
+            if [ "$auditres" = 0 ] ; then
+              echo "# Fixed dependency issues for Python ${{ matrix.python-version }}" > audit-report-${{ matrix.python-version }}.md
+              cat /tmp/report-before.md >> audit-report-${{ matrix.python-version }}.md
+            else
+              # Time to emit the report
+              echo "# Dependency issues not solved for Python ${{ matrix.python-version }}" > audit-report-${{ matrix.python-version }}.md
+              cat /tmp/report-after.md >> audit-report-${{ matrix.python-version }}.md
+            fi
+            cat audit-report-${{ matrix.python-version }}.md >> "$GITHUB_STEP_SUMMARY"
+          fi
+      - uses: actions/upload-artifact@v4
+        with:
+          name: audit-${{ matrix.python-version }}
+          retention-days: 2
+          path: |
+            constraints-${{ matrix.python-version }}.txt
+            audit-report-${{ matrix.python-version }}.md
+
+  pull_request_changes:
+    # Do this only when it is not a pull request validation
+    if: github.event_name != 'pull_request'
+    runs-on: ubuntu-latest
+    name: Pull request with the newly generated contents
+    needs:
+      - pip-audit
+    steps:
+      - name: Get analysis timestamp
+        id: timestamp
+        run: echo "timestamp=$(date -Is)" >> "$GITHUB_OUTPUT"
+      - uses: actions/checkout@v5
+      - uses: actions/download-artifact@v5
+        id: download
+        with:
+          pattern: audit-*
+          merge-multiple: true
+          path: changes-dir
+      - name: Move artifacts to their right place
+        id: move
+        run: |
+          skip=true
+          if [ -d "${{steps.download.outputs.download-path}}" ] ; then
+            for con in "${{steps.download.outputs.download-path}}"/constraints-*.txt ; do
+              case "$con" in
+                */constraints-\*.txt)
+                  break
+                  ;;
+                *)
+                  cp -p "$con" .
+                  skip=false
+                  ;;
+              esac
+            done
+            for aud in "${{steps.download.outputs.download-path}}"/audit-report-*.md ; do
+              case "$aud" in
+                */audit-report-\*.md)
+                  touch pull-body.md
+                  break
+                  ;;
+                *)
+                  cat "$aud" >> pull-body.md
+                  ;;
+              esac
+            done
+          fi
+          ls -l
+          echo "skip=$skip" >> "$GITHUB_OUTPUT"
+      - name: Create Pull Request
+        id: cpr
+        uses: peter-evans/create-pull-request@v7
+        if: steps.move.outputs.skip == 'false'
+        with:
+          title: Updated constraints due security reasons (triggered on ${{ steps.timestamp.outputs.timestamp }} by ${{ github.sha }})
+          branch: create-pull-request/patch-audit-constraints
+          add-paths: constraints-*.txt
+          delete-branch: true
+          commit-message: "[create-pull-request] Automatically updated constraints due security reasons"
+          body-path: pull-body.md
+      - name: Check outputs
+        if: ${{ steps.cpr.outputs.pull-request-number }}
+        run: |
+          echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}" >> "$GITHUB_STEP_SUMMARY"
+          echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}" >> "$GITHUB_STEP_SUMMARY"

.github/workflows/pre-commit.yml

@@ -15,10 +15,10 @@ jobs:
         python-version: [ "3.8", "3.9", "3.10", "3.11", "3.12", "3.13" ]
     name: Pre-commit python ${{ matrix.python-version }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 100
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         id: cachepy
         with:
           python-version: ${{ matrix.python-version }}
@@ -28,32 +28,35 @@ jobs:
             mypy-requirements.txt
             dev-requirements.txt
           architecture: x64
-      - name: Changed requirements.txt
-        id: changed-requirements-txt
-        uses: tj-actions/changed-files@v44
-        with:
-          files: requirements.txt
-
-      - name: 'Install requirements (standard)'
-        run: |
-          pip install --upgrade pip wheel
-          pip install -r requirements.txt
-      - name: 'Install requirements (standard with freeze) or constraints (Python ${{ matrix.python-version }})'
+      - name: 'Install requirements (standard or constraints ${{ matrix.python-version }})'
         run: |
           pip install --upgrade pip wheel
-          if [ ${{ steps.changed-requirements-txt.outputs.any_changed }} != 'true' ] && [ -f constraints-${{ matrix.python-version }}.txt ] ; then
-            pip install -r requirements.txt -c constraints-${{ matrix.python-version }}.txt
+          constraints_file="constraints-${{ matrix.python-version }}.txt"
+          regen_constraints=
+          if [ -f "$constraints_file" ] ; then
+            at="$(git --no-pager log -p -1 "--format=tformat:%at" --no-patch -- "$constraints_file")"
+            dat="$(git --no-pager log -p -1 "--format=tformat:%at" --no-patch -- "requirements.txt")"
+            if [ "$at" -lt "$dat" ] ; then
+              regen_constraints=true
+            fi
           else
+            regen_constraints=true
+          fi
+          if [ -n "$regen_constraints" ] ; then
             pip install -r requirements.txt
-            pip freeze > constraints-${{ matrix.python-version }}.txt
+            pip freeze > "$constraints_file"
+            grep -vF git+ "$constraints_file" > "$constraints_file"-relaxed
+          else
+            grep -vF git+ "$constraints_file" > "$constraints_file"-relaxed
+            pip install -r requirements.txt -c "$constraints_file"-relaxed
           fi
-      - name: 'Install dev requirements'
+      - name: 'Install development requirements'
         run: |
-          pip install -r dev-requirements.txt -r mypy-requirements.txt -c constraints-${{ matrix.python-version }}.txt
+          pip install -r dev-requirements.txt -r mypy-requirements.txt -c constraints-${{ matrix.python-version }}.txt-relaxed
       - name: MyPy cache
         uses: actions/cache@v4
         with:
-          path: .mypy_cache/${{ matrix.python-version }}
+          path: '.mypy_cache/[0-9]*'
           key: mypy-${{ matrix.python-version }}
       - name: 'pre-commit'
         uses: pre-commit/action@v3.0.1
@@ -65,18 +68,25 @@ jobs:
  #       if: ${{ matrix.python-version == '3.6' }}
  #       with:
  #         extra_args: --all -c .pre-commit-config-gh-${{ matrix.python-version }}.yaml
+      - name: Get transitive dependencies licences
+        id: license_check_print_report
+#        uses: pilosus/action-pip-license-checker@v1.0.0
+#        continue-on-error: true
+        uses: pilosus/action-pip-license-checker@v3.1.0
+        with:
+          requirements: constraints-${{ matrix.python-version }}.txt
       - name: Check transitive dependencies licences
         id: license_check_report
 #        uses: pilosus/action-pip-license-checker@v1.0.0
 #        continue-on-error: true
-        uses: pilosus/action-pip-license-checker@v2.0.0
+        uses: pilosus/action-pip-license-checker@v3.1.0
         with:
           requirements: constraints-${{ matrix.python-version }}.txt
           fail: 'StrongCopyleft'
           exclude: 'pylint.*'
       - name: Print licences report
         if: ${{ always() }}
-        run: echo "${{ steps.license_check_report.outputs.report }}"
+        run: echo "${{ steps.license_check_print_report.outputs.report }}"
       - uses: actions/upload-artifact@v4
         with:
           name: constraints-artifacts-${{ matrix.python-version }}
@@ -90,10 +100,10 @@ jobs:
         python-version: [ "3.7" ]
     name: Pre-commit python ${{ matrix.python-version }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 100
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         id: cachepy
         with:
           python-version: ${{ matrix.python-version }}
@@ -103,32 +113,34 @@ jobs:
             mypy-requirements.txt
             dev-requirements.txt
           architecture: x64
-      - name: Changed requirements.txt
-        id: changed-requirements-txt
-        uses: tj-actions/changed-files@v44
-        with:
-          files: requirements.txt
-
-      - name: 'Install requirements (standard)'
-        run: |
-          pip install --upgrade pip wheel
-          pip install -r requirements.txt
-      - name: 'Install requirements (standard with freeze) or constraints (Python ${{ matrix.python-version }})'
+      - name: 'Install requirements (standard or constraints ${{ matrix.python-version }})'
         run: |
           pip install --upgrade pip wheel
-          if [ ${{ steps.changed-requirements-txt.outputs.any_changed }} != 'true' ] && [ -f constraints-${{ matrix.python-version }}.txt ] ; then
-            pip install -r requirements.txt -c constraints-${{ matrix.python-version }}.txt
+          constraints_file="constraints-${{ matrix.python-version }}.txt"
+          regen_constraints=
+          if [ -f "$constraints_file" ] ; then
+            at="$(git --no-pager log -p -1 "--format=tformat:%at" --no-patch -- "$constraints_file")"
+            dat="$(git --no-pager log -p -1 "--format=tformat:%at" --no-patch -- "requirements.txt")"
+            if [ "$at" -lt "$dat" ] ; then
+              regen_constraints=true
+            fi
           else
+            regen_constraints=true
+          fi
+          if [ -n "$regen_constraints" ] ; then
             pip install -r requirements.txt
-            pip freeze > constraints-${{ matrix.python-version }}.txt
+            pip freeze > "$constraints_file"
+            grep -vF git+ "$constraints_file" > "$constraints_file"-relaxed
+          else
+            grep -vF git+ "$constraints_file" > "$constraints_file"-relaxed
+            pip install -r requirements.txt -c "$constraints_file"-relaxed
           fi
-      - name: 'Install dev requirements'
-        run: |
-          pip install -r dev-requirements.txt -r mypy-requirements.txt -c constraints-${{ matrix.python-version }}.txt
+      - run: |
+          pip install -r dev-requirements.txt -r mypy-requirements.txt -c constraints-${{ matrix.python-version }}.txt-relaxed
       - name: MyPy cache
         uses: actions/cache@v4
         with:
-          path: .mypy_cache/${{ matrix.python-version }}
+          path: '.mypy_cache/[0-9]*'
           key: mypy-${{ matrix.python-version }}
       - name: 'pre-commit'
         uses: pre-commit/action@v3.0.1
@@ -140,18 +152,25 @@ jobs:
  #       if: ${{ matrix.python-version == '3.6' }}
  #       with:
  #         extra_args: --all -c .pre-commit-config-gh-${{ matrix.python-version }}.yaml
+      - name: Get transitive dependencies licences
+        id: license_check_print_report
+#        uses: pilosus/action-pip-license-checker@v1.0.0
+#        continue-on-error: true
+        uses: pilosus/action-pip-license-checker@v3.1.0
+        with:
+          requirements: constraints-${{ matrix.python-version }}.txt
       - name: Check transitive dependencies licences
         id: license_check_report
 #        uses: pilosus/action-pip-license-checker@v1.0.0
 #        continue-on-error: true
-        uses: pilosus/action-pip-license-checker@v2.0.0
+        uses: pilosus/action-pip-license-checker@v3.1.0
         with:
           requirements: constraints-${{ matrix.python-version }}.txt
           fail: 'StrongCopyleft'
-          exclude: 'pylint.*'
+          exclude: '(?i)^(pylint|dulwich).*'
       - name: Print licences report
         if: ${{ always() }}
-        run: echo "${{ steps.license_check_report.outputs.report }}"
+        run: echo "${{ steps.license_check_print_report.outputs.report }}"
       - uses: actions/upload-artifact@v4
         with:
           name: constraints-artifacts-${{ matrix.python-version }}
@@ -169,8 +188,8 @@ jobs:
       - name: Get analysis timestamp
         id: timestamp
         run: echo "timestamp=$(date -Is)" >> "$GITHUB_OUTPUT"
-      - uses: actions/checkout@v4
-      - uses: actions/download-artifact@v4
+      - uses: actions/checkout@v5
+      - uses: actions/download-artifact@v5
         id: download
         with:
           pattern: constraints-artifacts-*
@@ -199,7 +218,7 @@ jobs:
         uses: peter-evans/create-pull-request@v7
         if: steps.move.outputs.skip == 'false'
         with:
-          title: Updated constraints (triggered by ${{ github.sha }})
+          title: Updated constraints (triggered on ${{ steps.timestamp.outputs.timestamp }} by ${{ github.sha }})
           add-paths: constraints-*.txt
           delete-branch: true
           commit-message: "[create-pull-request] Automatically commit updated contents (constraints)"