ci: re-generate requirements.txt files on push

Author: jdobes

.github/workflows/generate-requirements-txt.yaml

@@ -0,0 +1,51 @@
+name: Generate requirements.txt
+
+on:
+  push:
+    branches:
+      - "master"
+      - 'foreman-*.*'
+
+jobs:
+  generate-requirements-txt:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GH_TOKEN }}
+
+      - name: Install Python tools
+        run: |
+          # https://github.com/hermetoproject/pybuild-deps/issues/295
+          pip install --upgrade "pip<25.1" && pip install --upgrade poetry~=2.1.3 poetry-plugin-export pybuild-deps pip-tools
+
+      - name: Export requirements.txt
+        run: |
+          poetry export -f requirements.txt --output requirements.txt
+          poetry export --only dev -f requirements.txt --output requirements-dev.txt
+          pybuild-deps compile --generate-hashes requirements.txt -o requirements-build.txt
+
+          # Prepare requirements-build.in from pyproject.toml
+          sed -n '/^\[build-system\]/,/^\[/p' pyproject.toml | \
+            grep 'requires[[:space:]]*=' | \
+            sed 's/.*requires[[:space:]]*=[[:space:]]*\[\(.*\)\]/\1/' | \
+            sed 's/"//g; s/,[[:space:]]*/\n/g' | \
+            sed 's/^[[:space:]]*//; s/[[:space:]]*$$//; /^$$/d' > requirements-build.in
+
+          pip-compile --allow-unsafe --generate-hashes -o requirements-extra.txt requirements-build.in
+
+      - name: Commit and Push
+        run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+
+          git add .
+
+          if git diff --staged --quiet; then
+            echo "No changes to commit"
+          else
+            git commit -m "chore: re-generate requirements.txt files"
+            git push
+          fi

.hermetic_builds/generate_requirements_build.sh

@@ -5,4 +5,4 @@ pip3 install "pip<25"
 cd /var/tmp
 
 pybuild-deps compile --generate-hashes requirements.txt -o requirements-build.txt
-pip-compile requirements-build.in --allow-unsafe --generate-hashes -o requirements-extras.txt
+pip-compile requirements-build.in --allow-unsafe --generate-hashes -o requirements-extra.txt

.tekton/vulnerability-engine-pull-request.yaml

@@ -34,7 +34,7 @@ spec:
   - name: hermetic
     value: "true"
   - name: prefetch-input
-    value: '[{"type": "pip", "path": ".", "requirements_files": ["requirements.txt", "requirements-build.txt", "requirements-extras.txt"]}, {"type": "rpm", "path": "./.hermetic_builds"}]'
+    value: '[{"type": "pip", "path": ".", "requirements_files": ["requirements.txt", "requirements-build.txt", "requirements-extra.txt"]}, {"type": "rpm", "path": "./.hermetic_builds"}]'
   - name: prefetch-dev-package-managers
     value: "true"
   pipelineRef:

.tekton/vulnerability-engine-push.yaml

@@ -31,7 +31,7 @@ spec:
   - name: hermetic
     value: "true"
   - name: prefetch-input
-    value: '[{"type": "pip", "path": ".", "requirements_files": ["requirements.txt", "requirements-build.txt", "requirements-extras.txt"]}, {"type": "rpm", "path": "./.hermetic_builds"}]'
+    value: '[{"type": "pip", "path": ".", "requirements_files": ["requirements.txt", "requirements-build.txt", "requirements-extra.txt"]}, {"type": "rpm", "path": "./.hermetic_builds"}]'
   - name: prefetch-dev-package-managers
     value: "true"
   pipelineRef: