Quantco
diff --git a/‎.github/CODEOWNERS
+1-1 b/‎.github/CODEOWNERS
+1-1
diff --git a/‎.github/workflows/bump-versions.yml
+4-4 b/‎.github/workflows/bump-versions.yml
+4-4
diff --git a/‎.github/workflows/ci-copier.yml
+14-8 b/‎.github/workflows/ci-copier.yml
+14-8
diff --git a/‎pixi.lock
+4-97 b/‎pixi.lock
+4-97
diff --git a/‎pixi.toml
+9-5 b/‎pixi.toml
+9-5
diff --git a/‎scripts/update_actions.py
+32-46 b/‎scripts/update_actions.py
+32-46
@@ -1 +1 @@
-* @pavelzw @0xbe7a @AdrianFreundQC
+* @pavelzw
@@ -15,16 +15,16 @@ jobs:
             name: gh-actions
     steps:
       - name: Checkout branch
-        uses: actions/checkout@v4
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       - name: Set up pixi
-        uses: prefix-dev/setup-pixi@ba3bb36eb2066252b2363392b7739741bb777659
+        uses: prefix-dev/setup-pixi@ba3bb36eb2066252b2363392b7739741bb777659 # v0.8.1
         with:
           activate-environment: true
       - name: Update ${{ matrix.name }}
         run: python -m scripts.${{ matrix.script }}
         env:
           GH_TOKEN: ${{ github.token }}
-      - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c
+      - uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
         with:
           commit-message: Auto-update ${{ matrix.name }}
           title: Auto-update ${{ matrix.name }}
@@ -35,7 +35,7 @@ jobs:
           delete-branch: true
       - name: Create issue on failure
         if: failure()
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             github.rest.issues.listForRepo({
 
@@ -14,9 +14,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout branch
-        uses: actions/checkout@v4
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       - name: Set up pixi
-        uses: prefix-dev/setup-pixi@ba3bb36eb2066252b2363392b7739741bb777659
+        uses: prefix-dev/setup-pixi@ba3bb36eb2066252b2363392b7739741bb777659 # v0.8.1
         with:
           environments: default lint
       - name: pre-commit
@@ -27,9 +27,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout branch
-        uses: actions/checkout@v4
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       - name: Set up pixi
-        uses: prefix-dev/setup-pixi@ba3bb36eb2066252b2363392b7739741bb777659
+        uses: prefix-dev/setup-pixi@ba3bb36eb2066252b2363392b7739741bb777659 # v0.8.1
       - name: Test
         run: pixi run test --color=yes
         env:
@@ -45,13 +45,17 @@ jobs:
         minimal-python-version: [py38, py310]
     steps:
       - name: Checkout branch
-        uses: actions/checkout@v4
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
           ssh-key: ${{ secrets.SSH_PRIVATE_KEY }}
       - name: Set up pixi
-        uses: prefix-dev/setup-pixi@ba3bb36eb2066252b2363392b7739741bb777659
+        uses: prefix-dev/setup-pixi@ba3bb36eb2066252b2363392b7739741bb777659 # v0.8.1
         with:
           activate-environment: true
+      - name: Generate branch name
+        id: branch
+        run: |
+          echo "name=ci/$GITHUB_SHA-${{ matrix.minimal-python-version }}" >> $GITHUB_OUTPUT
       - name: Test generated package CI
         run: |
           # Name of the generated package.
@@ -86,10 +90,10 @@ jobs:
           git commit -m "Create pixi.lock"
           # Push the generated package's HEAD commit to a `ci/*` branch
           cid=$(git rev-parse HEAD)
-          git push -f "${GITHUB_SERVER_URL/https:\/\//git@}:$GITHUB_REPOSITORY" $cid:refs/heads/ci/${GITHUB_SHA}-${{ matrix.minimal-python-version }}
+          git push -f "${GITHUB_SERVER_URL/https:\/\//git@}:$GITHUB_REPOSITORY" $cid:refs/heads/${{ steps.branch.outputs.name }}
           # Use the GitHub API to wait for the generated package's CI to complete (success or failure).
           # We look for a GitHub Actions run for the HEAD commit ID.
-          WORKFLOW_URL="$GITHUB_API_URL/repos/${GITHUB_REPOSITORY}/actions/runs?branch=ci/${GITHUB_SHA}-${{ matrix.minimal-python-version }}&head_sha=${cid}"
+          WORKFLOW_URL="$GITHUB_API_URL/repos/${GITHUB_REPOSITORY}/actions/runs?branch=${{ steps.branch.outputs.name }}&head_sha=${cid}"
           echo "Waiting for inner CI to start"
           while (( $(curl -Ls --header "$AUTH" "$WORKFLOW_URL" | jq -r ".workflow_runs | length") < 1 )); do
             sleep 10
@@ -106,12 +110,14 @@ jobs:
       - name: Clean up CI branch
         if: always()
         run: |
+          set -x
           AUTH='authorization: Bearer ${{ secrets.GITHUB_TOKEN }}'
           eval $(ssh-agent)
           ssh-add - <<< "${{ secrets.SSH_PRIVATE_KEY }}"
 
           git push -d "${GITHUB_SERVER_URL/https:\/\//git@}:$GITHUB_REPOSITORY" refs/heads/ci/$GITHUB_SHA-${{ matrix.minimal-python-version }}
 
+          cid=$(git rev-parse HEAD)
           for line in $(curl -Ls --header "$AUTH" "$GITHUB_API_URL/repos/${GITHUB_REPOSITORY}/actions/runs?branch=ci/${GITHUB_SHA}-${{ matrix.minimal-python-version }}&head_sha=${cid}" | jq -r ".workflow_runs | .[] | select(.status != \"completed\") | .id")
           do
             curl -Ls --header "$AUTH" --request POST "$GITHUB_API_URL/repos/${GITHUB_REPOSITORY}/actions/runs/$line/cancel" > /dev/null
 
@@ -8,13 +8,20 @@ platforms = ["linux-64", "osx-arm64", "osx-64", "win-64"]
 python = ">=3.12"
 copier = ">=9.3.1,<10"
 pytest = ">=8.2,<9"
-"ruamel.yaml" = ">=0.17,<0.18"
-"ruamel.yaml.jinja2" = ">=0.2.4,<0.3"
+"ruamel.yaml" = "*"
 mypy = "*"
 pre-commit = "*"
 gh = "*"
 go-yq = "*"
 
+[tasks]
+test = "pytest"
+generate-temp-repo = """
+export COPIER_PATH="$(mktemp -d)" && \
+copier copy --trust --vcs-ref=HEAD . "$COPIER_PATH" && \
+echo "Generated repo to $COPIER_PATH"
+"""
+
 [feature.lint.dependencies]
 pre-commit = "*"
 insert-license-header = "*"
@@ -28,9 +35,6 @@ typos = "*"
 pre-commit-install = "pre-commit install"
 pre-commit-run = "pre-commit run -a"
 
-[tasks]
-test = "pytest"
-
 [environments]
 default = []
 lint = { features = ["lint"], no-default-feature = true }
@@ -1,56 +1,42 @@
 import os
 from pathlib import Path
 
-import ruamel.yaml
-
 from scripts.common import get_latest_github_tag
 
 
-def get_latest_pin(action: str, current_version: str) -> str:
-    latest_tag_name, latest_tag_sha = get_latest_github_tag(action)
-
-    pin_by_major = current_version.startswith("v")
-
-    if pin_by_major:
-        major = latest_tag_name.split(".")[0]
-        return major
-    else:
-        return latest_tag_sha
-
-
-def update_workflow_actions(file_path: Path, dry_run: bool = False):
-    yaml = ruamel.yaml.YAML(typ="jinja2")
-    yaml.preserve_quotes = True
-    yaml.indent(mapping=2, sequence=4, offset=2)
-    yaml.width = 1000  # Prevent default wrapping
-
-    with open(file_path) as f:
-        workflow = yaml.load(f)
-
-    for job in workflow.get("jobs", {}).values():
-        for step in job.get("steps", []):
-            if "uses" in step:
-                action_ref = step["uses"]
-                action, _, current_version = action_ref.partition("@")
-                new_version = get_latest_pin(action, current_version)
-                print(
-                    f"{action}:"
-                    f" current version: {current_version},"
-                    f" latest version: {new_version}"
-                )
-                if new_version != current_version and not dry_run:
-                    step["uses"] = f"{action}@{new_version}"
-
-    with open(file_path, "w") as f:
-        yaml.dump(workflow, f)
-
-
-def update_project_workflows(
-    path: str = "template/.github/workflows/", dry_run: bool = False
-):
+def update_workflow_actions(file_path: Path):
+    text = file_path.read_text()
+    lines = text.splitlines(keepends=True)
+
+    new_lines: list[str] = []
+
+    for line in lines:
+        if "uses: " not in line:
+            new_lines.append(line)
+        else:
+            action_with_rest = line.split(":")[1].strip()
+            action, current_sha_with_version = action_with_rest.split("@")
+            current_sha, current_version = current_sha_with_version.split("#")
+            current_sha = current_sha.strip()
+            current_version = current_version.strip()
+            new_version, new_sha = get_latest_github_tag(action)
+            print(
+                f"{action}:"
+                f" current version: {current_version},"
+                f" latest version: {new_version}"
+            )
+            new_line = line.replace(current_sha, new_sha).replace(
+                current_version, new_version
+            )
+            new_lines.append(new_line)
+
+    file_path.write_text("".join(new_lines))
+
+
+def update_project_workflows(path: str = "template/.github/workflows/"):
     for file in os.listdir(path):
-        print(f"Updating {file}")
-        update_workflow_actions(Path(path) / file, dry_run=dry_run)
+        print(f"Updating `{file}`")
+        update_workflow_actions(Path(path) / file)
 
 
 if __name__ == "__main__":
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-* @pavelzw @0xbe7a @AdrianFreundQC`
	`1`	`+* @pavelzw`