actions: Add dependency upgrade workflow

This workflow automates the process of upgrading dependencies by generating a quarantined lockfile and creating a pull request with the updated lockfile. It runs daily and only includes releases older than 14 days.
2026-06-13 18:51:36 +00:00 · 2026-05-08 15:11:16 -04:00
parent 0cafde359e
commit dfdc03ba28
1 changed files with 47 additions and 0 deletions
--- a/.github/workflows/upgrade-deps.yml
+++ b/.github/workflows/upgrade-deps.yml
@@ -0,0 +1,47 @@
+name: "Dependency Upgrade"
+
+on:
+  schedule:
+    - cron: '0 4 * * *' # Runs daily at 4:00 AM
+  workflow_dispatch:
+
+jobs:
+  upgrade-dependencies:
+    runs-on: ubuntu-slim
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b
+        with:
+          enable-cache: true
+
+      - name: Calculate Cutoff Date
+        id: date
+        run: |
+          CUTOFF=$(date -d '14 days ago' +%Y-%m-%d)
+          echo "cutoff_date=$CUTOFF" >> $GITHUB_OUTPUT
+
+      - name: Generate Quarantined Lockfile
+        run: |
+          # Reads pyproject.toml and creates/updates uv.lock
+          # Ignores releases newer than 14 days and calculates all hashes
+          uv lock \
+            --exclude-newer "${{ steps.date.outputs.cutoff_date }}T00:00:00Z" \
+            --upgrade
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: "chore: lockfile dependency upgrade (${{ steps.date.outputs.cutoff_date }})"
+          title: "Dependency Upgrade: Quarantine Buffer Applied"
+          body: |
+            Update `uv.lock` file to the latest package versions available as of **${{ steps.date.outputs.cutoff_date }}**.
+            
+            - **Single Source of Truth:** Dependencies are still read from `pyproject.toml`.
+            - **14-Day Buffer:** Only releases older than 2 weeks are included.
+            - **Cryptographic Integrity:** The lockfile contains SHA-256 hashes for all packages to prevent tampering.
+          branch: sys-deps-upgrade
+          delete-branch: true