Copilot commented on code in PR #40557:
URL: https://github.com/apache/superset/pull/40557#discussion_r3337850397
##########
.github/workflows/sync-requirements-for-python-dep-upgrade-pr.yml:
##########
@@ -0,0 +1,50 @@
+name: Sync requirements for Python dependency PRs
+
+on:
+ pull_request:
+ types: [opened, synchronize]
+
+permissions:
+ contents: write
+ pull-requests: read
+
+jobs:
+ sync-python-dep-requirements:
+ if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
+ runs-on: ubuntu-slim
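Review bot: `permissions: contents: write` is declared at workflow level with no comment saying why it is needed; a `pull_request` run authored by `dependabot[bot]` otherwise gets a read-only `GITHUB_TOKEN`, and this key is the only thing that lets the job push back to the branch, so it deserves a one-line justification, e.g. `# contents: write is required to push regenerated requirements to the Dependabot branch`. Also consider scoping the block under `sync-python-dep-requirements` rather than the workflow, and note that the `if:` only checks the PR author while `synchronize` fires on any push to that branch; add `github.actor == 'dependabot[bot]'` to the condition if only Dependabot-made commits should start a write-capable run.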
Review Comment:
`runs-on: ubuntu-slim` is not a valid GitHub-hosted runner label (workflows
in this repo use e.g. `ubuntu-24.04`). This will prevent the job from starting.
##########
.github/workflows/sync-requirements-for-python-dep-upgrade-pr.yml:
##########
@@ -0,0 +1,50 @@
+name: Sync requirements for Python dependency PRs
+
+on:
+ pull_request:
+ types: [opened, synchronize]
+
+permissions:
+ contents: write
+ pull-requests: read
+
+jobs:
+ sync-python-dep-requirements:
+ if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
+ runs-on: ubuntu-slim
+ steps:
+ - name: Fetch Dependabot metadata
+ id: dependabot-metadata
+ uses:
dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
+
+ - name: Checkout source code
+ if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'pip' }}
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ persist-credentials: false
+
+ - name: Setup Python
+ if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'pip' }}
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #
v6.2.0
+ with:
+ python-version-file: 'pyproject.toml'
+
+ - name: Install uv
+ run: pip install uv==0.11.17
+
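Review bot: `pip install uv==0.11.17` in the `Install uv` step pins by version only, while every `uses:` in this file is pinned to a full commit SHA with the tag in a trailing comment; a version pin does not protect against a replaced artefact the way a hash does. Install it with hash verification, e.g. `pip install --require-hashes -r requirements/uv-tool.txt` with `uv==0.11.17` and its `--hash=sha256:...` recorded in that file (file name assumed), and give the step the same `if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'pip' }}` guard the surrounding steps carry so it only runs on pip PRs.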
Review Comment:
`Install uv` runs unconditionally, but the rest of the workflow is gated to
`package-ecosystem == 'pip'`. For non-pip Dependabot PRs (npm, github-actions,
etc.), this step is unnecessary and can fail if the environment differs from
expectations.
##########
.github/workflows/sync-requirements-for-python-dep-upgrade-pr.yml:
##########
@@ -0,0 +1,50 @@
+name: Sync requirements for Python dependency PRs
+
+on:
+ pull_request:
+ types: [opened, synchronize]
+
+permissions:
+ contents: write
+ pull-requests: read
+
+jobs:
+ sync-python-dep-requirements:
+ if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
+ runs-on: ubuntu-slim
+ steps:
+ - name: Fetch Dependabot metadata
+ id: dependabot-metadata
+ uses:
dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
+
+ - name: Checkout source code
+ if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'pip' }}
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ persist-credentials: false
+
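Review bot: `ref: ${{ github.event.pull_request.head.sha }}` checks out a detached HEAD, so a later `git push` has no upstream branch and must name the target explicitly, e.g. `git push origin HEAD:${{ github.head_ref }}`. Keep `persist-credentials: false` as written rather than flipping it to make the push work: with it false, nothing executed from the checked-out tree can read the token out of `.git/config`, so supply the credential only on the push command itself (for example by setting the remote URL with `${{ secrets.GITHUB_TOKEN }}` inside that one step) and leave the checkout credential-free.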
Review Comment:
This workflow commits and pushes back to the Dependabot PR branch, but
`actions/checkout` is configured with `persist-credentials: false`, so the
checkout token won’t be available for `git push`. The push step will fail with
authentication errors.
##########
.github/workflows/sync-requirements-for-python-dep-upgrade-pr.yml:
##########
@@ -0,0 +1,50 @@
+name: Sync requirements for Python dependency PRs
+
+on:
+ pull_request:
+ types: [opened, synchronize]
+
+permissions:
+ contents: write
+ pull-requests: read
+
+jobs:
+ sync-python-dep-requirements:
+ if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
+ runs-on: ubuntu-slim
+ steps:
+ - name: Fetch Dependabot metadata
+ id: dependabot-metadata
+ uses:
dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
+
+ - name: Checkout source code
+ if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'pip' }}
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #
v6.0.2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ persist-credentials: false
+
+ - name: Setup Python
+ if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'pip' }}
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #
v6.2.0
+ with:
+ python-version-file: 'pyproject.toml'
+
+ - name: Install uv
+ run: pip install uv==0.11.17
+
+ - name: Sync requirements
+ if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'pip' }}
+ run: ./scripts/uv-pip-compile.sh
+
+ - name: Push changes to remote PRs
+ if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'pip' }}
+ run: |
+ git config user.name 'github-actions[bot]'
+ git config user.email
'41898282+github-actions[bot]@users.noreply.github.com'
+ git add requirements
+ git diff --cached --quiet && exit 0
+ git commit --signoff "build(deps) sync pinned requirements for
Dependabot pip PRs"
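Review bot: the `Sync requirements` step runs `./scripts/uv-pip-compile.sh` straight from the PR head checkout in a job that holds `contents: write`, and the only gate is the PR author, so whatever that script contains on the branch at run time executes with push rights. State that assumption in a comment next to the step, or run the script from the base branch (check out `scripts/` at `github.event.pull_request.base.sha` and apply it to the head tree) so the write-capable job never executes code from the branch it is about to push to. On the `Push changes to remote PRs` step, commits pushed with `GITHUB_TOKEN` do not trigger further workflow runs, so the regenerated `requirements` commit will not get the PR's normal CI; either document that as intended or push with an app token if CI on that commit is required.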
Review Comment:
`git commit --signoff "..."` is not valid usage; without `-m`, the string is
treated as a pathspec and the commit will fail (or drop into an editor). Use
`-m` (and optionally keep the conventional-commit style in the message).
##########
.github/workflows/dependency-review.yml:
##########
@@ -43,7 +43,7 @@ jobs:
# the latest version. It's MIT:
https://github.com/nbubna/store/blob/master/LICENSE-MIT
# pkg:npm/[email protected]
# selecting BSD-3-Clause licensing terms for node-forge to ensure
compatibility with Apache
- allow-dependencies-licenses: pkg:npm/[email protected],
pkg:npm/[email protected], pkg:npm/rgbcolor, pkg:npm/[email protected]
+ allow-dependencies-licenses: pkg:npm/rgbcolor, pkg:npm/[email protected]
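Review bot: the remaining entry `pkg:npm/rgbcolor` in `allow-dependencies-licenses` carries no version, unlike the other entry on the same line, so it exempts every current and future release of rgbcolor from license review rather than the one release the exception was granted for; pin it to that specific version. Since the `store2` and `node-forge` entries were dropped from the allowlist, the comment lines above that still explain those exceptions should be removed or reworded to match what is left.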
Review Comment:
The allowlist entries for `store2` and `node-forge` were removed, but the
explanatory comments for those exceptions are still present. This is now
misleading and should be removed or updated to reflect the remaining allowlist
items.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]