123 changes: 123 additions & 0 deletions .github/workflows/update_dependencies.yml
@@ -0,0 +1,123 @@
name: Update Dependencies

on:
schedule:
# Run at 9:00 AM UTC every Monday
- cron: 0 9 * * 1
# Allow manual runs
workflow_dispatch:
inputs:
package:
description: >
Specific package to update (e.g., numpy, librosa).
Leave empty to check all packages.
required: false
version:
description: >
Target version for the package. Leave empty to use latest.
required: false

env:
PYTHON_VERSION: 3.11
PIP_VERSION: 24.0

jobs:
check-and-update:
runs-on: ubuntu-latest
if: github.repository_owner == 'JaclynCodes'
permissions:
contents: write # Needed to push changes
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# Use default token for now, can be updated to use PAT if needed
token: ${{ secrets.GITHUB_TOKEN }}

- name: Set Git author
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"

- name: Setup Python
uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}

- name: Upgrade pip
run: |
python -m pip install --upgrade pip==${{ env.PIP_VERSION }}

- name: Install dependencies
run: |
pip install -r requirements.txt

- name: Check for updates
id: check_updates
run: |
# Install pip-tools for dependency management
pip install pip-tools

# Check for outdated packages
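Review bot: the `actions/checkout@v4` and `actions/setup-python@v5` steps are pinned to mutable tags while this job holds `contents: write`; pin both to a full commit SHA with the tag kept in a trailing comment, so that a moved or compromised tag cannot run different code with push rights. The explicit `token: ${{ secrets.GITHUB_TOKEN }}` on checkout is already the action's default and can be dropped, and the "can be updated to use PAT" comment should weigh that a classic PAT grants the user's access across every repository they can reach, far more than the job-scoped token; if a later `gh pr create` step needs rights, add `pull-requests: write` under `permissions` instead. Also quote the cron expression (`'0 9 * * 1'`), the usual convention for schedule entries.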
Comment on lines +58 to +61

Copilot AI Feb 12, 2026


The workflow installs pip-tools but never uses it afterward. Either remove this install (to reduce runtime/network and simplify the workflow) or actually use pip-tools for compiling/updating requirements if that was the intent.

Suggested change
# Install pip-tools for dependency management
pip install pip-tools
# Check for outdated packages
# Check for outdated packages using pip

echo "Checking for outdated packages..."
pip list --outdated > outdated.txt
cat outdated.txt

if [ -s outdated.txt ]; then
echo "updates_available=true" >> $GITHUB_OUTPUT
else
echo "updates_available=false" >> $GITHUB_OUTPUT
Comment on lines +61 to +69

Copilot AI Feb 12, 2026


`pip list --outdated` produces output even when no packages are outdated (e.g., table headers), so checking `-s outdated.txt` can incorrectly mark `updates_available=true` and run the update step every time. Prefer a machine-readable format (e.g., `--format=json`) and explicitly check whether the parsed list is non-empty (or use a format without headers).

Suggested change
# Check for outdated packages
echo "Checking for outdated packages..."
pip list --outdated > outdated.txt
cat outdated.txt
if [ -s outdated.txt ]; then
echo "updates_available=true" >> $GITHUB_OUTPUT
else
echo "updates_available=false" >> $GITHUB_OUTPUT
# Check for outdated packages using machine-readable JSON output
echo "Checking for outdated packages..."
pip list --outdated --format=json > outdated.json
cat outdated.json || true
updates_count=$(python - << 'PY'
import json
import pathlib
path = pathlib.Path("outdated.json")
if not path.exists():
# Treat missing output as no updates
print(0)
else:
try:
data = json.loads(path.read_text())
except json.JSONDecodeError:
# Treat malformed JSON as no updates
print(0)
else:
# data should be a list of outdated packages
print(len(data) if isinstance(data, list) else 0)
PY
)
if [ "$updates_count" -gt 0 ]; then
echo "updates_available=true" >> "$GITHUB_OUTPUT"
else
echo "updates_available=false" >> "$GITHUB_OUTPUT"

fi

- name: Update dependencies
if: steps.check_updates.outputs.updates_available == 'true'
run: |
# Create a new branch for the update
BRANCH_NAME="automated/update-dependencies-$(date +%Y%m%d)"
git checkout -b "$BRANCH_NAME"

# If specific package and version provided, update that
if [ -n "${{ inputs.package }}" ]; then
if [ -n "${{ inputs.version }}" ]; then
echo "Updating ${{ inputs.package }} to version \
${{ inputs.version }}"
# Use word boundaries to match exact package name
sed -i "s/^${{ inputs.package }}[>=<].*/${{ inputs.package }}==\
${{ inputs.version }}/" requirements.txt
else
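Review bot: the `${{ inputs.package }}` and `${{ inputs.version }}` expressions in this step are substituted into the script text before bash parses it, so the input is treated as shell source rather than as a value. Alongside the allowlist validation, map the inputs through an `env:` block on the step (`PACKAGE: ${{ inputs.package }}`, `VERSION: ${{ inputs.version }}`) and reference `"$PACKAGE"` / `"$VERSION"` in the script, which keeps them as data. The sed pattern `^${{ inputs.package }}[>=<].*` also has correctness gaps: a `.` in the name acts as a regex wildcard, lines with extras (`name[extra]>=...`) or a bare name with no specifier are not matched, and a requirements.txt entry spelled with `_` instead of `-` or with different case is missed even though PEP 503 normalization treats it as the same project. The comment "Use word boundaries to match exact package name" does not describe the pattern, which uses no boundary beyond the leading `^`.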
Comment on lines +80 to +87

Copilot AI Feb 12, 2026


`inputs.package` / `inputs.version` are interpolated directly into shell and sed commands. A crafted input containing quotes/metacharacters can break the command line and execute unintended shell code, especially since this job has `contents: write`. Validate inputs against an allowlist regex (e.g., `[A-Za-z0-9_.-]+`), and escape values before using them in sed (or update requirements via a small Python script instead of shell string interpolation).

echo "Updating ${{ inputs.package }} to latest \
compatible version"
# Get latest version compatible with constraints
LATEST=$(pip index versions "${{ inputs.package }}" | \
grep "Available versions:" | head -1 | cut -d: -f2 | \
tr ',' '\n' | head -1 | xargs)
if [ -z "$LATEST" ]; then
echo "Error: Could not determine latest version for \
${{ inputs.package }}"
exit 1
fi
# Use word boundaries to match exact package name
sed -i "s/^${{ inputs.package }}[>=<].*/${{ inputs.package }}>=\

@cubic-dev-ai cubic-dev-ai bot Feb 12, 2026


P2: This sed replacement drops existing upper-bound constraints (e.g., `librosa>=0.11.0,<0.12.0`), so a “latest compatible” update can accidentally loosen requirements and allow incompatible versions. Preserve any trailing constraints instead of replacing the whole line.


$LATEST/" requirements.txt
fi
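Review bot: `pip index versions` lists every release on the index, so `LATEST` here is simply the newest published version, not the "latest version compatible with constraints" that the comment and the echo claim; it is then written back as `>=$LATEST` with no upper bound, which is the loosening both earlier comments describe. `pip index` is also marked experimental in pip's own help output, so parsing its text with grep/cut/tr is brittle: the step exits 1 when `LATEST` is empty, but a changed output layout could yield an unexpected value that is still non-empty. If the intent really is "latest compatible", let pip's resolver pick the version against the existing constraints instead of reading the raw version list.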
Comment on lines +85 to +102

Copilot AI Feb 12, 2026


The sed replacement overwrites the entire requirement line, which will drop additional constraints (e.g., `librosa>=0.11.0,<0.12.0` would lose the `<0.12.0` cap). This can unintentionally widen constraints and break compatibility. Consider preserving existing upper bounds/extras, or editing only the specific specifier being updated instead of replacing the whole line.

else
echo "No specific package provided for update."
echo "Please run manually with package name to update."
echo "Bulk updates require manual review and are not \
automated."
exit 0
fi

# Commit changes if there are any
if git diff --quiet requirements.txt; then
echo "No changes to commit"
exit 0
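Review bot: the `schedule` trigger can never supply `inputs.package`, so every Monday run lands in this `else` branch, prints that bulk updates are not automated, and exits 0 after a local branch has already been created by `git checkout -b "$BRANCH_NAME"`; the scheduled job therefore only ever reports outdated packages. Either drop the schedule, or keep it but move the branch creation below the input check so no branch is created on a run that is known to change nothing, and state in the docs that scheduled runs are report-only.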
Comment on lines +111 to +114

Copilot AI Feb 12, 2026


If the provided `inputs.package` doesn't exist in `requirements.txt`, `sed` will succeed but make no changes, and the workflow exits with "No changes to commit". That makes it hard to distinguish "already up to date" from "package not found". Add an explicit check that the package line exists/matched (e.g., `grep` before/after) and fail with a clear error when it isn't found.

else
git add requirements.txt
COMMIT_MSG="Update ${{ inputs.package }} dependency"
git commit -m "$COMMIT_MSG"
git push origin "$BRANCH_NAME"

# Create PR using GitHub CLI would go here if available
echo "Branch $BRANCH_NAME created with updates"
fi
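Review bot: `BRANCH_NAME` is derived from the date alone, so a second manual run on the same day (a retry, or a different package) is rejected at `git push origin "$BRANCH_NAME"` as a non-fast-forward push because the remote branch already exists; include `${{ github.run_id }}` or the package name in the branch name. `COMMIT_MSG="Update ${{ inputs.package }} dependency"` re-inlines the raw input into the script and should use the same env-mapped variable as the rest of the step. Finally, nothing opens a pull request, so the pushed branch is only announced by the `echo`; if a `gh pr create` step is added as the comment anticipates, the job will also need `pull-requests: write` under `permissions`.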
2 changes: 2 additions & 0 deletions docs/README.md
@@ -12,6 +12,7 @@ Welcome to the Symphonic-Joules documentation! This directory contains comprehen
- **[Performance Optimization](performance-optimization.md)** - Best practices for efficient code
- **[Test Performance Guide](test-performance-guide.md)** - Writing fast and efficient tests
- **[Archive Review Process](archive-review-process.md)** - Guidelines for reviewing uploaded code and archives
- **[GitHub Workflows](workflows.md)** - Automated workflows and CI/CD documentation
- **[FAQ](faq.md)** - Frequently asked questions

## 🎯 Quick Navigation
@@ -27,6 +28,7 @@ Welcome to the Symphonic-Joules documentation! This directory contains comprehen
- [Architecture Overview](architecture.md)
- [Archive Review Process](archive-review-process.md)
- [Test Performance Guide](test-performance-guide.md)
- [GitHub Workflows](workflows.md)
- [API Reference](api-reference.md)

## 🔄 Keeping Documentation Updated
84 changes: 84 additions & 0 deletions docs/workflows.md
@@ -0,0 +1,84 @@
# GitHub Workflows

This document describes the GitHub Actions workflows used in the Symphonic-Joules project.

## Available Workflows

### Update Dependencies

**File:** `.github/workflows/update_dependencies.yml`

**Purpose:** Automates checking and updating Python package dependencies.

**Triggers:**
- **Schedule:** Runs automatically every Monday at 9:00 AM UTC
- **Manual:** Can be triggered manually via GitHub Actions UI

**Environment Variables:**
- `PYTHON_VERSION`: The Python version used for updates (default: 3.11)
- `PIP_VERSION`: The pip version used (default: 24.0)

**Manual Trigger Options:**
- `package`: Specify a particular package to update (e.g., `numpy`, `librosa`)
- `version`: Specify the target version for the package (leave empty for latest)

**What It Does:**
1. Checks out the repository
2. Sets up Python environment with configured version
3. Installs current dependencies
4. Checks for outdated packages
5. (Optional) Updates specific package if provided
6. Creates a new branch with updates
7. Commits and pushes changes

**Usage Examples:**

**Check all packages for updates:**
- Go to Actions tab
- Select "Update Dependencies" workflow
- Click "Run workflow"
- Leave inputs empty
- Click "Run workflow"

**Update specific package:**
- Go to Actions tab
- Select "Update Dependencies" workflow
- Click "Run workflow"
- Enter package name (e.g., `numpy`)
- Optionally enter version (e.g., `1.24.0`)
- Click "Run workflow"

**Notes:**
- The workflow only runs if the repository owner is `JaclynCodes`
- Changes are pushed to a new branch with format `automated/update-dependencies-YYYYMMDD`
- Manual review is recommended before merging dependency updates
- The workflow uses GitHub Actions bot for commits

## Other Workflows

### CI (Continuous Integration)
**File:** `.github/workflows/blank.yml`
- Runs on push and pull requests to main branch
- Performs linting, testing, and builds

### CodeQL Advanced
**File:** `.github/workflows/codeql.yml`
- Security scanning workflow
- Runs on schedule and PR events

### License Check
**File:** `.github/workflows/license-check.yml`
- Validates license compliance

### Static Content Deployment
**File:** `.github/workflows/static.yml`
- Deploys static content to GitHub Pages

## Contributing

When adding or modifying workflows:
1. Follow YAML best practices
2. Use environment variables for configuration
3. Add appropriate documentation
4. Test workflows before merging
5. Follow the repository's contribution guidelines
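Review bot: the "Triggers" and "What It Does" sections present the scheduled run as going through steps 5-7, but the workflow's `schedule` trigger carries no inputs and the update step exits with "Bulk updates require manual review and are not automated" when `package` is empty, so a scheduled run only performs steps 1-4 and lists outdated packages. Say so explicitly under "Triggers" and in the first usage example. "default: 3.11" and "default: 24.0" under "Environment Variables" are also misleading: `PYTHON_VERSION` and `PIP_VERSION` are fixed `env` values with no override mechanism, so "pinned to" describes them accurately.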