
Add requirements.txt for Python dependencies #151

@hdamker


Problem description

Python dependencies are installed inline in shared actions (pip install --quiet pyyaml pystache etc.) without a central requirements.txt. This has two consequences:

  1. Dependabot cannot monitor Python packages for security updates (the existing dependabot.yml covers GitHub Actions only, not pip)
  2. Version pinning is inconsistent — run-validation/action.yml pins exact versions (pyyaml==6.0.3, jsonschema==4.26.0) while other actions use unpinned installs

A breaking major version bump could fail silently in the unpinned actions.

Possible evolution

Add a requirements.txt with compatible-release constraints (e.g., pyyaml~=6.0, pystache~=0.6, jsonschema~=4.26, yamllint~=1.38) covering all Python packages used by release automation and validation framework shared actions. Update shared actions to install from this file. Add a pip ecosystem entry to the existing .github/dependabot.yml.

Alternative solution

Pin exact versions inline in each shared action (as run-validation already does). This prevents surprise breakage but still doesn't enable Dependabot monitoring and requires updating versions in multiple places.

Additional context

Current Python packages across shared actions: pyyaml, pystache, jsonschema, yamllint. The reusable workflow also installs requests inline. Dependabot's pip ecosystem requires a requirements.txt on the default branch to function — this becomes effective after the validation-framework branch merges to main.
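As an added example (not code from the issue or the project), the PEP 440 semantics behind the proposed compatible-release constraints, implemented in plain Python: a parser for requirement lines of the shape used above and a checker that shows which version bumps `~=`, `==` and `>=` accept, so the difference between the unpinned, exactly pinned and compatible-release options can be seen on the issue's own package set.

```python
import re

# Constructed requirements.txt content carrying the constraints proposed in the issue.
REQUIREMENTS = """\
pyyaml~=6.0
pystache~=0.6
jsonschema~=4.26
yamllint~=1.38
"""


def parse_version(v):
    """Turn '6.0.3' into (6, 0, 3); only plain dotted release segments are handled."""
    return tuple(int(p) for p in v.split("."))


def parse_requirements(text):
    """Return {package: (operator, version)} for single-specifier requirement lines."""
    reqs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)\s*(~=|==|>=)\s*([0-9][0-9.]*)", line)
        if not m:
            raise ValueError(f"unsupported requirement line: {line!r}")
        name, op, ver = m.groups()
        reqs[name.lower()] = (op, ver)
    return reqs


def satisfies(candidate, op, spec):
    """PEP 440 check for ==, >= and the compatible-release operator ~=."""
    c, s = parse_version(candidate), parse_version(spec)
    if op == "==":
        return c == s
    if op == ">=":
        return c >= s
    # ~= V.N means ">= V.N" and "== V.*": every component except the last must match,
    # so ~=6.0 accepts 6.0.3 and 6.1.0 (patch/minor updates) but rejects 7.0.0.
    if len(s) < 2:
        raise ValueError("~= needs at least two version components")
    prefix = s[:-1]
    return c >= s and c[: len(prefix)] == prefix


def check_install(requirements_text, installed):
    """Map each constrained package to whether the installed version is accepted."""
    reqs = parse_requirements(requirements_text)
    return {name: satisfies(ver, *reqs[name]) for name, ver in installed.items() if name in reqs}
```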

Metadata

Assignees

No one assigned

    Labels

      - Backlog: Implementation not considered short-term, long-term evolution issue
      - enhancement: New feature or request
      - release automation: Related to the implementation or introduction of new release automation

    Development

    No branches or pull requests

    Issue actions