Add update-conda-lockfiles. (#4)

* Add update-conda-lockfiles workflow.

* Test update-conda-lockfiles

* Use app token to trigger checks on created pull requests.

* Use official action to generate tokens.

* Correct branch name condition.

* Allow "All tests" to pass.

* Add test lock file.

* Document update-conda-lockfiles.

* Run pre-commit.

.github/workflows/test.yaml

@@ -78,6 +78,14 @@ jobs:
       uses: ./setup-cargo-bundle-licenses
     - run: cargo bundle-licenses --version
 
+  update_conda_lockfiles:
+    if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.ref != 'update-conda-lockfiles' }}
+    uses: ./.github/workflows/update-conda-lockfiles.yaml
+    secrets: inherit
+    with:
+      branch: ${{ github.event.pull_request.head.ref }}
+      path: test/update-conda-lockfile
+
   tests_complete:
     name: All tests
     if: always()

.github/workflows/update-conda-lockfiles.yaml

@@ -0,0 +1,62 @@
+name: Update conda lockfiles
+
+on:
+  workflow_call:
+    inputs:
+      branch:
+        required: true
+        type: string
+      command:
+        default: ./update-lockfiles.sh
+        required: false
+        type: string
+      path:
+        default: .github/workflows/environments
+        required: false
+        type: string
+
+jobs:
+  update:
+    runs-on: ubuntu-24.04
+    steps:
+    - name: Checkout
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      with:
+        path: code
+        ref: ${{ inputs.branch }}
+
+    - uses: actions/create-github-app-token@c8f55efbd427e7465d6da1106e7979bc8aaee856 # v1.10.1
+      id: generate-token
+      with:
+        app-id: ${{ secrets.PR_SUBMITTER_APP_ID }}
+        private-key: ${{ secrets.PR_SUBMITTER_PRIVATE_KEY }}
+
+    - name: Create python environment
+      uses: mamba-org/setup-micromamba@f8b8a1e23a26f60a44c853292711bacfd3eac822 # v1.9.0
+      with:
+        micromamba-version: '1.5.8-0'
+        environment-name: update
+        create-args: >-
+          python=3.12
+          conda-lock
+        micromamba-root-path: ${{ github.workspace }}/micromamba
+
+    - name: Configure conda environment variables
+      run: |
+        echo "$MAMBA_ROOT_PREFIX/envs/update/bin" >> $GITHUB_PATH
+
+    - name: Update lockfiles
+      run: ${{ inputs.command }}
+      working-directory: code/${{ inputs.path }}
+
+    - name: Create pull request
+      uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0
+      with:
+        base: ${{ inputs.branch }}
+        path: code
+        commit-message: "Update conda lockfiles"
+        branch: update-conda-lockfiles
+        delete-branch: true
+        title: Update conda lockfiles on ${{ inputs.branch }}
+        body: Automated changes by `${{ inputs.command }}`.
+        token: ${{ steps.generate-token.outputs.token }}

README.md

@@ -82,3 +82,30 @@ jobs:
   stale:
     uses: glotzerlab/workflows/.github/workflows/stale.yaml@5cfac9da9cb78e16ae97a9119b6fd13c1c2d6f5e # 0.1.0
 ```
+
+## update-conda-lockfiles
+
+To automatically update conda lock files monthly:
+1. Prepare a directory with the base `environment.yaml` and a script that updates all
+  lock files (see https://github.com/glotzerlab/hoomd-blue/tree/trunk-minor/.github/workflows/environments
+  for an example).
+2. Ask an organization admin to install the pull request submitter bot.
+3. Create a workflow `update-conda-lockfiles.yaml` with the contents:
+
+  ```yaml
+  name: Update conda lockfiles.
+
+  on:
+    schedule:
+      - cron: '0 12 1 * *'
+
+    workflow_dispatch:
+
+  jobs:
+    update:
+      uses: glotzerlab/workflows/.github/workflows/update-conda-lockfiles.yaml@TODO # 0.1.0
+      secrets: inherit
+      with:
+        branch: trunk-minor
+  ```
+

test/update-conda-lockfile/environment.yaml

@@ -0,0 +1,4 @@
+channels:
+- conda-forge
+dependencies:
+- python==3.12