Merge pull request #135 from casework/schedule_pre_commit_refreshing

Review pre-commit pinned versions as prerelease step
casework · Nov 13, 2023 · 88b3e95 · 88b3e95
2 parents 96ccf86 + e142f71
commit 88b3e95
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 0 deletions.
diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml
@@ -0,0 +1,42 @@
+# Portions of this file contributed by NIST are governed by the
+# following statement:
+#
+# This software was developed at the National Institute of Standards
+# and Technology by employees of the Federal Government in the course
+# of their official duties. Pursuant to Title 17 Section 105 of the
+# United States Code, this software is not subject to copyright
+# protection within the United States. NIST assumes no responsibility
+# whatsoever for its use by other parties, and makes no guarantees,
+# expressed or implied, about its quality, reliability, or any other
+# characteristic.
+#
+# We would appreciate acknowledgement if the software is used.
+
+# This workflow uses Make to review direct dependencies of this
+# repository.
+
+name: Prerelease
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version:
+          - '3.9'
+          - '3.12'
+
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Python ${{ matrix.python-version }}
+      uses: actions/setup-python@v4
+      with:
+        python-version: ${{ matrix.python-version }}
+    - name: Review dependencies
+      run: make check-supply-chain-pre-commit
diff --git a/Makefile b/Makefile
@@ -28,6 +28,8 @@ all: \
   .venv-pre-commit/var/.pre-commit-built.log
 
 .PHONY: \
+  check-supply-chain \
+  check-supply-chain-pre-commit \
   download
 
 .git_submodule_init.done.log: \
@@ -89,6 +91,19 @@ check: \
 	  --directory tests \
 	  check
 
+# This target's dependencies potentially modify the working directory's Git state, so it is intentionally not a dependency of check.
+check-supply-chain: \
+  check-supply-chain-pre-commit
+
+# This target is scheduled to run as part of prerelease review.
+check-supply-chain-pre-commit: \
+  .venv-pre-commit/var/.pre-commit-built.log
+	source .venv-pre-commit/bin/activate \
+	  && pre-commit autoupdate
+	git diff \
+	  --exit-code \
+	  .pre-commit-config.yaml
+
 clean:
 	@$(MAKE) \
 	  PYTHON3=$(PYTHON3) \