Add Github Actions to check and update poetry.lock file

[NV-Karthik]

Lack of github action to update outdated poetry.lock files can cause automated checks to fail.

poetry.lock file becomes outdated when the dependencies or their versions in pyproject.toml file change, and if it is not updated accordingly.

Fix

Adding a Github action (job step) to

1. Check if the poetry.lock file is outdated using the bash command poetry check --lock
2. And if the file is outdated, run the bash command poetry lock --no-interaction before running the Install toqito + dependencies job step
3. If the file is up-to-date, continue to Install toqito + dependencies as it was before

More Info

• Committing poetry.lock file to version control

While it is a workaround for now. Official documentation discourages doing this for library developers.

Library developers have more to consider. Your users are application developers, and your library will run in a Python environment you don’t control.

The application ignores your library’s lock file. It can use whatever dependency version meets the constraints in your pyproject.toml. The application will probably use the latest compatible dependency version. If your library’s poetry.lock falls behind some new dependency version that breaks things for your users, you’re likely to be the last to find out about it.

If you do not want to give up the reproducibility and performance benefits, consider a regular refresh of poetry.lock to stay up-to-date and reduce the risk of sudden breakage for users.

https://python-poetry.org/docs/basic-usage/#committing-your-poetrylock-file-to-version-control

Other Possible Fixes

• Adding a github action to delete the poetry.lock file before every installation

Doing this will resolve dependencies on every install using pyproject.toml only. And creates another lock file on every install. More info here (Thanks @purva-thakre)

https://python-poetry.org/docs/basic-usage/#installing-without-poetrylock

[RohitP2005]

hey @purva-thakre @NV-Karthik is this being worked on I would like to address this if this not

[purva-thakre]

If you look at the top right section of the screen, you can see it is assigned to someone. When an issue is assigned, the expectation is is they are working on it.

[RohitP2005]

I am aware of that . I am up for working on it if its being unattended 😅

[purva-thakre]

I'd suggest you focus on one issue at a time.

[RohitP2005]

Yeah sure , I adhere to it .

[purva-thakre]

Closed by #1198

[purva-thakre]

Reopening this as the PR that added the workflow is not working as intended. See https://github.com/vprusso/toqito/pull/1198#issuecomment-2889063942

I reverted the added changes in c58d2a51825a2808a3e0917dce065f8da9a2e454

[purva-thakre]

Maybe write permissions could be the source of these issues......

I reverted the previous reversion, and the workflows were triggered as expected.

Keeping this issue open until we get a PR with an out of date lock file such that we can see the update lock file workflow in action.

[vprusso]

Maybe write permissions could be the source of these issues......

I reverted the previous reversion, and the workflows were triggered as expected.

Keeping this issue open until we get a PR with an out of date lock file such that we can see the update lock file workflow in action.

I recently fixed an automerge workflow on metriq-gym: https://github.com/unitaryfoundation/metriq-gym/blob/main/.github/workflows/dependabot-automerge.yml

This seems to have worked there, maybe using this approach could also work here as well? I also don't recall having needed to set up anything with tokens, etc., but maybe there's difference between what is being done here?

[purva-thakre]

@vprusso I think you are mixing up issues. The auto-merge workflow is in #1205

Feel free to correct me if I have misunderstood. This workflow will update the poetry lock file which is why I believe it needed the token.

I can look into it later. Have a lot on my plate right now.

[vprusso]

@vprusso I think you are mixing up issues. The auto-merge workflow is in #1205

Feel free to correct me if I have misunderstood. This workflow will update the poetry lock file which is why I believe it needed the token.

I can look into it later. Have a lot on my plate right now.

No, you are correct, I definitely conflated those two issues. Right, the poetry lock update seems to be the problematic thing. Thanks for pointing that out, and I'll try and spend some cycles on figuring out why this might be the case as well. Thanks, @purva-thakre !

[purva-thakre]

@vprusso It looks like the workflow works as expected! Do you want to keep this issue open to verify if we still need to use the token?

In #1222, I removed sphinx-copybutton from the toml file without updating the lock file. You can see the workflow added the updated lock file in the diff.

Thanks @NV-Karthik for adding the workflow!

[vprusso]

Oh that's awesome, nice catch @purva-thakre and great job on that, @NV-Karthik !

I think we can likely close this one out if you agree @purva-thakre

[purva-thakre]

Reopening this as it looks like the workflow passes only for those who have write access to the repo. The token fails for those who do not have this access. See the failures in #1224

@vprusso In the meantime, should I temporarily revert the merge commit? I do not think I will be able to get to resolving the issue before unitary hack....

[vprusso]

Reopening this as it looks like the workflow passes only for those who have write access to the repo. The token fails for those who do not have this access. See the failures in #1224

@vprusso In the meantime, should I temporarily revert the merge commit? I do not think I will be able to get to resolving the issue before unitary hack....

Ah, that's too bad. Yes, perhaps reverting makes sense prior to unitaryHack, but thank you for putting forth a try here, @purva-thakre !

[purva-thakre]

Yes, perhaps reverting makes sense prior to unitaryHack

Done in b5d0869af459dd9d71d65181ca554cc18cf9e8d8