From d7d651dfeb1ecbf59197668cbc6a2a3d800ba384 Mon Sep 17 00:00:00 2001 From: Julio Quinteros Pro Date: Thu, 19 Feb 2026 19:13:54 -0300 Subject: [PATCH 1/4] ci: auto-regenerate poetry.lock when pyproject.toml changes on main Adds a workflow that triggers whenever pyproject.toml is merged into main and opens a PR with the refreshed lock file, fixing the recurring CI failure: "pyproject.toml changed significantly since poetry.lock was last generated." Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/regenerate-poetry-lock.yml | 69 ++++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 .github/workflows/regenerate-poetry-lock.yml diff --git a/.github/workflows/regenerate-poetry-lock.yml b/.github/workflows/regenerate-poetry-lock.yml new file mode 100644 index 0000000000..b9747676ce --- /dev/null +++ b/.github/workflows/regenerate-poetry-lock.yml @@ -0,0 +1,69 @@ +name: Regenerate poetry.lock + +# Runs whenever pyproject.toml is merged into main (the most common cause of +# the "pyproject.toml changed significantly since poetry.lock was last generated" +# CI failure). Can also be triggered manually. +on: + push: + branches: + - main + paths: + - pyproject.toml + workflow_dispatch: + +jobs: + regenerate-lock: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: "3.11" + + - name: Install Poetry + run: pip install poetry + + - name: Regenerate poetry.lock + # --no-update: re-solve only what pyproject.toml requires without + # upgrading packages that are already in the lock file. + run: poetry lock --no-update + + - name: Check whether poetry.lock actually changed + id: diff + run: | + if git diff --quiet poetry.lock; then + echo "changed=false" >> "$GITHUB_OUTPUT" + else + echo "changed=true" >> "$GITHUB_OUTPUT" + fi + + - name: Open PR with the refreshed lock file + if: steps.diff.outputs.changed == 'true' + run: | + BRANCH="auto/regenerate-poetry-lock-$(date +'%Y%m%d%H%M%S')" + git config user.name "github-actions[bot]" + git config user.email "github-actions[bot]@users.noreply.github.com" + git checkout -b "$BRANCH" + git add poetry.lock + git commit -m "chore: regenerate poetry.lock to match pyproject.toml" + git push origin "$BRANCH" + gh pr create \ + --title "chore: regenerate poetry.lock to match pyproject.toml" \ + --body "$(cat <<'EOF' +Automated regeneration of \`poetry.lock\` after \`pyproject.toml\` was updated on \`main\`. + +Fixes the recurring CI failure: +\`\`\` +pyproject.toml changed significantly since poetry.lock was last generated. +Run \`poetry lock\` to fix the lock file. +\`\`\` + +Regenerated with \`poetry lock --no-update\` (existing package versions are preserved; only the lock file metadata is updated to match the new constraints). +EOF +)" \ + --head "$BRANCH" \ + --base main + env: + GH_TOKEN: ${{ secrets.GH_TOKEN }} From dfbf14e6263f53f13897a3ad0b541bf5e52b2603 Mon Sep 17 00:00:00 2001 From: Julio Quinteros Pro Date: Thu, 19 Feb 2026 19:18:18 -0300 Subject: [PATCH 2/4] fix(ci): pass GH_TOKEN to checkout so git push can create the branch Without the token in the checkout step the subsequent `git push` uses the default GITHUB_TOKEN which lacks permission to push new branches, causing the workflow to fail silently. Fixes issue flagged by Greptile review. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/regenerate-poetry-lock.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/regenerate-poetry-lock.yml b/.github/workflows/regenerate-poetry-lock.yml index b9747676ce..b2d2e058f6 100644 --- a/.github/workflows/regenerate-poetry-lock.yml +++ b/.github/workflows/regenerate-poetry-lock.yml @@ -16,6 +16,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + token: ${{ secrets.GH_TOKEN }} - name: Set up Python uses: actions/setup-python@v5 From 5681229e7c34605bf54f0a3d8187f15ff0a25b6e Mon Sep 17 00:00:00 2001 From: Julio Quinteros Pro Date: Thu, 19 Feb 2026 19:20:01 -0300 Subject: [PATCH 3/4] fix(ci): force-push bot branch to handle pre-existing branch from prior run A re-run within the same second (or a leftover branch) would cause `git push` to fail. Adding -f is safe since this is a bot-owned branch that is immediately turned into a PR and never used for anything else. Fixes inline suggestion from Greptile review. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/regenerate-poetry-lock.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/regenerate-poetry-lock.yml b/.github/workflows/regenerate-poetry-lock.yml index b2d2e058f6..83f53277ef 100644 --- a/.github/workflows/regenerate-poetry-lock.yml +++ b/.github/workflows/regenerate-poetry-lock.yml @@ -50,7 +50,7 @@ jobs: git checkout -b "$BRANCH" git add poetry.lock git commit -m "chore: regenerate poetry.lock to match pyproject.toml" - git push origin "$BRANCH" + git push -f origin "$BRANCH" gh pr create \ --title "chore: regenerate poetry.lock to match pyproject.toml" \ --body "$(cat <<'EOF' From b9e79cc07b1977fe9aa74d3280cbbb1a2081fff4 Mon Sep 17 00:00:00 2001 From: Julio Quinteros Pro Date: Thu, 19 Feb 2026 19:24:57 -0300 Subject: [PATCH 4/4] fix(ci): restrict GITHUB_TOKEN to contents:read via explicit permissions block GitHub Advanced Security flagged that the workflow had no permissions block, leaving GITHUB_TOKEN with its default broad scope. All write operations (git push, gh pr create) already use GH_TOKEN (PAT), so the implicit GITHUB_TOKEN only needs read access. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/regenerate-poetry-lock.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/regenerate-poetry-lock.yml b/.github/workflows/regenerate-poetry-lock.yml index 83f53277ef..7e4bac017d 100644 --- a/.github/workflows/regenerate-poetry-lock.yml +++ b/.github/workflows/regenerate-poetry-lock.yml @@ -11,6 +11,9 @@ on: - pyproject.toml workflow_dispatch: +permissions: + contents: read # GITHUB_TOKEN is not used for writes; GH_TOKEN (PAT) handles push + PR creation + jobs: regenerate-lock: runs-on: ubuntu-latest