Proof of concept for a simple GitHub Actions workflow to bump uv lockfile versions.
At time of writing (23rd October 2024), Dependabot does not support uv as a package ecosystem. However, PRs that bump dependency versions, especially those relating to security vulnerabilities, are still very desirable.
Whilst there is ongoing work to support this, it is not ready yet. The uv docs suggest some other solutions for this functionality, such as using an alternative like Renovate. However, Renovate has compromises such as being non-native to GitHub and requiring complicated configuration.
In the meantime, a small GitHub Actions workflow to approximate the functionality in a lightweight way is a helpful thing to have.
The workflow to create pull requests to bump lockfile versions is shown in its entirety below, duplicated from .github/workflows/update-bot.yaml:
```yaml
name: update-bot
on:
  workflow_dispatch:
  # Set the schedule, for example every week at 8:00am on Monday
  schedule:
    - cron: "0 8 * * 1"
permissions:
  contents: write
  pull-requests: write
jobs:
  lock:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v3
      - run: |
          # Wrap the uv output in a Markdown code fence for the PR body
          echo "\`\`\`" > uv_output.md
          # tee -a appends, so the opening fence above is not overwritten
          uv lock --upgrade 2>&1 | tee -a uv_output.md
          echo "\`\`\`" >> uv_output.md
      - name: Create pull request
        uses: peter-evans/create-pull-request@v7
        with:
          # Note: PRs opened with GITHUB_TOKEN do not trigger pull_request
          # workflows; use a PAT or GitHub App token if CI must run on them
          token: ${{ secrets.GITHUB_TOKEN }}
          commit-message: Update uv lockfile
          title: Update uv lockfile
          body-path: uv_output.md
          branch: update-uv
          base: main
          labels: install
          delete-branch: true
          add-paths: uv.lock
```
- In your repository's "Settings > Actions > General" menu (https://github.com/USER/REPO/settings/actions), select the "Allow GitHub Actions to create and approve pull requests" checkbox at the bottom of the page
- Copy the workflow YAML file shown above to .github/workflows/update-bot.yaml
That's it! The workflow will automagically run on a cron schedule, creating a PR to version bump your uv dependencies. An example PR generated by the action on this demo repo is available here, and shown in the screenshot below:
In combination with GitHub Actions running your test suite against PRs, you should be able to merge them with confidence!
This workflow was created to fill the need identified in the xDSL project when switching to uv.
Some other workflows to perform a similar task (blog post here) have been created, but these commit directly to the main branch, which could result in broken code on the release branch if the dependencies change in an unexpected way.
The mechanism of opening a pull request for the change rather than committing it directly was shown here, but targeting a different package manager.