Right now our deps are basically wrong, and impossible to use with lowest version resolution. Let's start trying to specify minimums so our deps are properly accurate.
* ci: Update GitHub owned actions to be referenced by SHA. Work automated using StepSecurity
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
* ci: create hash-pinned requirements files for build and publish processes
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* ci: change ci files to install build and publish dependencies using hashes
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* ci: fix path to requirements files
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* ci: rebuild the requirement.txt files using `--allow-unsafe`
The flag is needed to create hash-pinned requirements for pip and
setup-tools. Find more information about this at these issues from [pip-tools](https://github.com/jazzband/pip-tools/issues/806) and from [pip](https://github.com/pypa/pip/issues/6459).
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* refactor(workflows): move build requirements files to a separated folder
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* fix(workflow): requirements download was erasing work from previous steps
Using the actions/checkout to download the requirements.txt was erasing
some necessary files that came from previous steps. Thus, this commit
changes moves the checkout action to the beginnig of the jobs.
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* ci: remove reference to inexistent input in pypi-publish.yml
* docs(workflows): remove comment related to a line already delated from code
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* refactor(workflows): use a workflow-level env var to define path to build requirements file
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* fix(workflows): refer to env vars using ${{ }} sintax
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* refactor(workflows): move build and publish requirements files
Moved from .github/workflows/requirements/ to .github/requirements/
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* docs(workflows): add comments on requirements files explaining their relation
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* ci(workflows): update build dependencies to match exactly the ones at pyproject.toml
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
* ci: remove unnecessary parameter
When calling actions/checkout , we were passing the `ref` parameter as `github.ref`, but it will likely be always main, or the vary same value as the default for this parameter.
* Update dependabot config to cover build/publish dependencies
---------
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
Co-authored-by: StepSecurity Bot <bot@stepsecurity.io>
