@@ -0,0 +1,70 @@ | ||
|
||
name: "latest pins" | ||
|
||
on: | ||
workflow_dispatch: | ||
schedule: | ||
- cron: '25 4,16 * * *' | ||
|
||
jobs: | ||
update_pins: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v3 | ||
with: | ||
ref: main | ||
- uses: actions/setup-python@v4 | ||
with: | ||
python-version: 3.11 | ||
|
||
- name: Install poetry from PyPI | ||
uses: install-pinned/poetry@d95a199a06c2eb4e23169dd4f7139bb645b9dbe2 # 1.3.2 | ||
|
||
- run: poetry init --name lockenv --python "^3.7" --directory ${{ runner.temp }} --no-interaction | ||
- name: "Run poetry add mitmproxy ..." | ||
shell: python | ||
run: | | ||
import re | ||
import subprocess | ||
def add(pyver: str): | ||
subprocess.run([ | ||
"poetry", "add", | ||
"--directory", "${{ runner.temp }}", | ||
"--no-interaction", | ||
"--lock", | ||
"--python", pyver, | ||
"mitmproxy" | ||
], check=True, capture_output=True, text=True) | ||
try: | ||
add("*") | ||
except subprocess.CalledProcessError as e: | ||
if (m := re.search(r'set the `python` property to "(.+?)"', e.stderr)) is None: | ||
raise | ||
print(f"Retrying with --python {m[1]}...") | ||
try: | ||
add(m[1]) | ||
except subprocess.CalledProcessError as e: | ||
if (m := re.search(r'set the `python` property to "(.+?)"', e.stderr)) is None: | ||
raise | ||
print(f"Retrying with --python {m[1]}...") | ||
# We need to retry twice for some projects. | ||
add(m[1]) | ||
- run: poetry export -o requirements.txt --directory ${{ runner.temp }} --no-interaction | ||
|
||
- run: | | ||
if [ -n "$(git status --porcelain)" ]; then | ||
git config --global user.name "install-pinned bot" | ||
git config --global user.email "[email protected]" | ||
git add --all | ||
ver=$(curl -Ls https://pypi.org/pypi/mitmproxy/json | jq -r .info.version) | ||
git commit -m "update pins (mitmproxy $ver)" | ||
commit=$(git rev-parse HEAD) | ||
sed -i -E "s/@[0-9a-f]{40}.*/@$commit # $ver/g" README.md | ||
git commit -am "update README.md (mitmproxy $ver)" | ||
git push | ||
fi |
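Review bot: The job ends with `git push` to `main` but declares no `permissions:` block, so it runs with whatever the repository's default `GITHUB_TOKEN` grant is — either broader than needed or too narrow for the push to succeed; add `permissions:` / `contents: write` at the job level so the token is scoped to exactly what this step needs. For a project whose whole purpose is pinning, `actions/checkout@v3` and `actions/setup-python@v4` are still referenced by mutable tag while the `install-pinned/poetry` step is pinned to a full SHA; pin those two the same way. The `ver` used in the commit messages and the README `sed` comes from a separate `curl` to PyPI rather than from what poetry actually resolved, so a release landing between the two calls, or a failed request (`curl` has no `-f` and the step has no `pipefail`), would label the pins with a wrong or empty version; reading it from the exported file, e.g. `ver=$(grep -oP '^mitmproxy==\K[^ ;\\]+' requirements.txt)`, keeps the label consistent with the hashes being committed.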
@@ -0,0 +1,35 @@ | ||
|
||
# install-pinned/mitmproxy | ||
<!-- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! --> | ||
<!-- ⚠️auto-generated from init.py, do not edit manually ⚠️--> | ||
<!-- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! --> | ||
|
||
![](https://shields.io/badge/python-%3E=3.7-blue) | ||
![](https://shields.io/badge/runner%20os-Windows%20%7C%20Linux%20%7C%20macOS-blue) | ||
|
||
Securely install the latest [mitmproxy](https://pypi.org/project/mitmproxy/) release from PyPI. | ||
|
||
This action installs a pinned version of **mitmproxy** and all its dependencies, making sure that file hashes match. Pinning your dependencies: | ||
|
||
1. Stops software supply chain attacks. | ||
2. Makes sure your CI does not break unexpectedly. | ||
|
||
## Usage | ||
|
||
In your GitHub Actions workflow, use this action like so: | ||
|
||
```yaml | ||
- name: Install mitmproxy from PyPI | ||
uses: install-pinned/mitmproxy@ffffffffffffffffffffffffffffffffffffffff | ||
``` | ||
You can [set up Dependabot](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot#example-dependabotyml-file-for-github-actions) | ||
so that your pins are updated regularly. | ||
## Alternatives | ||
This action is a relatively simple wrapper around [poetry](https://python-poetry.org/) and is most useful if there is no existing `requirements.txt`/`poetry.lock`/... infrastructure in place. If you already pin all your dependencies in a single place, you don't need it! | ||
|
||
## More Details | ||
|
||
See the [@install-pinned README](https://github.com/install-pinned) for details. |
@@ -0,0 +1,10 @@ | ||
name: 'install-pinned/mitmproxy' | ||
description: 'Securely install the latest mitmproxy release from PyPI' | ||
branding: | ||
icon: 'lock' | ||
color: 'green' | ||
runs: | ||
using: "composite" | ||
steps: | ||
- shell: bash | ||
run: python3 -m pip install -r $GITHUB_ACTION_PATH/requirements.txt |
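Review bot: The install on the last line relies on pip entering hash-checking mode implicitly because the exported `requirements.txt` happens to carry `--hash` entries; if a future export ever omits them, the step silently degrades to an unverified fetch, which defeats the action's stated purpose. Pass `--require-hashes` so it fails closed, and quote the path so a runner workspace containing spaces does not split the argument: `run: python3 -m pip install --require-hashes -r "$GITHUB_ACTION_PATH/requirements.txt"`. The README advertises Windows runners; `python3` is not always the launcher name there, so that may be worth confirming on a Windows job.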