Re: [PR] feat(ci): add workflow to automatically sync pinned requirements for `pip` Dependabot PRs [superset]

Mon, 01 Jun 2026 17:14:39 -0700 


rusackas commented on PR #40557:
URL: https://github.com/apache/superset/pull/40557#issuecomment-4597537655

   
   ### New `sync-requirements-for-python-dep-upgrade-pr.yml` — has a real bug
   
   **`persist-credentials: false` + `git push` will fail.** This is the main 
issue. The checkout sets `persist-credentials: false`, which removes the 
GITHUB_TOKEN credential from `.git/config`. The subsequent push step then has 
no credentials to authenticate with and will fail. The detached-HEAD checkout 
(via `ref: head.sha`) compounds this — git has neither credentials nor a branch 
tracking ref. The fix is either:
   
   ```yaml
   # Option A: let checkout keep credentials (the default)
   # just remove persist-credentials: false
   
   # Option B: explicitly re-configure git credentials before pushing
   - name: Configure git credentials
     run: |
       git remote set-url origin https://x-access-token:${{ github.token 
}}@github.com/${{ github.repository }}
   ```
   
   **Minor nit — `Install uv` runs on all Dependabot PRs.** The step is missing 
the `if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'pip' }}` 
guard that all the other steps have. It runs even for npm/GitHub-Actions 
Dependabot PRs. Wasted CI time.
   
   **Running the script from checked-out PR code.** The workflow checks out the 
Dependabot PR's HEAD SHA and then executes `./scripts/uv-pip-compile.sh` from 
it. This is fine in practice — `dependabot[bot]` only modifies requirement 
version pins, not scripts — but it's worth being intentional about. If you 
wanted to be maximally cautious you'd check out master for the script and the 
PR only for the requirements files, but that's over-engineering for Dependabot.
   
   ### Verdict
   
   Request changes — specifically the credential bug (the push will silently 
fail on every pip Dependabot PR, making the workflow inert). 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to