When developing Python applications it is considered a best practice to include lockfiles, typically in the form of requirements.txt files. The problem is keeping these up to date. It tends to be a thankless task so people push it off, which can lead to an issue where developers have to update a ton of dependencies all at once. This is obviously no fun, so like most things in life that are no fun I decided to automate it using GitHub Actions.
The action-python-lockfile-update project is a GitHub Action, freely available for anyone to use, that uses pip-tools to rebuild your requirements.txt files on a schedule. When changes are detected it makes a brand new pull request. It even works with package “extra” requirements so that production and development lockfiles can live side by side and stay up to date.
One of the really nice things about this action is that it can trigger tests on the Pull Requests. GitHub Actions by default does not run any workflows that are triggered by a GitHub Action, which means tests do not run on Pull Requests that come from a GitHub Action.
This action gets around this by optionally using a GitHub Deploy Key to push the updates. Since the commit comes from the Deploy Key, not the GitHub Action Secret, all tests are run.
Using a deploy key isn’t required unless you want tests to run. There are example workflows for both options.