CI Add workflow to update lock files#27622
Conversation
6b588ae to
3af05b9
Compare
glemaitre
left a comment
There was a problem hiding this comment.
I am happy with this PR. It is exactly what I was dreaming of ;)
So now there is 2 things that we can think of:
- Having a weekly CRON job for
main. IMO, it could straight in a new PR and merge (we can keep it out of this PR if someone wants to try the action first). - Adding an auto-merge of the PR if the CI does not fail. I think that we can wait for some time to see how the manual step is going but we can trigger the option quite soon.
|
@lesteve Could solve the conflicts. Do you think that we could already have the auto-merge but commented with a comment? |
…nto update-lock-files-bot
I would leave auto-merge for later for now and do it manually one or two times to make sure everything works as expected. Adding auto-merge would be something like this: - name: Enable Pull Request Automerge
run: gh pr merge --merge --auto "1"
env:
GH_TOKEN: ${{ secrets.PAT }}For this to work we will need to create a bot that has admin privileges so that it can merge PRs. There probably needs to be an auto-approval too, so that required checks are met (we require one approval right now). |
I don't think we can auto-approve our own PRs, but it's possible for a maintainer to override the review checks. |
ogrisel
left a comment
There was a problem hiding this comment.
This is great. I just have a few questions:
- what would be the github account set as author of the automatically opened PR (not the committer). On your fork it's @lesteve. Will this be
scikit-learn(the org) on the main repo? I am fine with that but it would be implicit.
Some inline questions and comments below:
| author: "Lock file bot <noreply@github.com>" | ||
| delete-branch: true | ||
| branch: auto-update-lock-files-${{ matrix.name }} | ||
| title: ":lock: :robot: CI Update lock files for ${{ matrix.name }} CI build(s) :lock: :robot:" |
There was a problem hiding this comment.
What happens at that step if the diff is empty? For instance where the lock files are already up to date?
- does it create an empty commit PR?
- does the workflow fail?
Ideally, I would like neither option but a message that says that there are no changes to commit and therefore no pull request has been created.
There was a problem hiding this comment.
No PR is created if there are no changes and the workflow does not fail.
The peter-evans/create-pull-request hash some log that you can look at with all the details:
- build log existing PR which needs to be updated you see at one point
Pushing pull request branch to 'origin/auto-update-lock-files-scipy-dev'
- build log no change needed, no PR created you don't see the
Pushing pull request branchstep
| each | ||
| for each in filtered_conda_build_metadata_list | ||
| if not re.search(skip_build, each["build_name"]) | ||
| ] |
There was a problem hiding this comment.
filtered_pip_build_metadata_list should be filtered the same way below.
I have used put the scikit-learn-bot token (the one that automatically opens an issue when the CI fails) so that will be the PR author. |
Yeah I thought about that, this needs to be looked into in more details, there is a chance that a |
|
So by testing a bit more in my fork, I realised that there were some issues when the PR is created by another user. Right now, I see two main solutions:
There may be other work-arounds of course. |
I found a work-around to create scikit-learn-bot/scikit-learn with the GITHUB_BOT_TOKEN from the CI so I think all is good for this PR to be merged and tested for real! |
glemaitre
left a comment
There was a problem hiding this comment.
OK so let's merge and make a live-test.
|
I launched the workflow here: https://github.com/scikit-learn/scikit-learn/actions/runs/6666949772 |
|
So the workflow does not work because on the push to scikit-learn-bot/scikit-learn it sees there is a new worfklow There is more explanation there The easiest fix is to add the workflow scope to |
|
Rather than granting elevated token privileges to the third-party managed action ( The EDIT: or alternatively use the github API manually via our own Python script, similarly to what is done for |
|
I am pretty sure irrespective of the method you use, you will still need the Updating scikit-learn-bot/scikit-learn to main could make the bot work for a while until a new workflow is added in I don't think this is likely to be a security issue as the |
|
The scikit-learn-bot user account does not have any elevated permissions to the scikit-learn repo so I think it's safe to give I gave the current token the workflow permission and synced the scikit-learn-bot/scikit-learn fork with upstream. |
|
Nice, thanks a lot! I ran the workflow manually, looks like the first actions have run fine and some pull requests created 🎉 |
|
Nice. Thanks @thomasjpfan and @lesteve |
Reference Issues/PRs
Towards #22425
What does this implement/fix? Explain your changes.
This adds a github workflow to manually update the lock files. Right now this will open three PRs:
It adds only a manual trigger (
workflow_dispatch) for now but eventually it will be a cron job that updates lock files every one or two weeks.Another thing that can be done when we are more confident about the bot, is that PRs can be auto-merged: https://github.com/peter-evans/create-pull-request#auto-merge.
This is the kind of PR that is hard to test without it getting merged first.
I did some basic testing in my fork, you can see some PRs created by the bot:
https://github.com/lesteve/scikit-learn/pulls?q=is%3Apr+is%3Aopen+sort%3Aupdated-desc
I drew some inspiration from Scitools/iris since they have a similar setup #22425 (comment)