chore: add workflow to check package dependencies

.github/scripts/pkg-deps/pkg-deps

@@ -0,0 +1,62 @@
+#!/bin/bash
+
+set -e
+
+export LC_COLLATE=C
+
+if [[ -z "$branch" ]]; then
+  echo "error: no branch specified" >&2
+  exit 1
+fi
+
+version=$(echo "$branch" | grep -Eo '[0-9.]+')
+docker run -i -d --rm --name ubuntu ubuntu:"$version" >&2
+
+cleanup() {
+  docker rm -f ubuntu >&2
+}
+trap cleanup EXIT
+
+docker exec ubuntu apt-get update >&2
+
+msg_file="${msg_file:-$(mktemp)}"
+echo "Writing dependencies diff to $msg_file" >&2
+if [[ -n "$GITHUB_OUTPUT" ]]; then
+  echo "msg_file=$msg_file" >> $GITHUB_OUTPUT
+fi
+
+echo -e "Diff of dependencies:\n" > "$msg_file"
+for f in $@; do
+  echo "Processing $f.." >&2
+  pkg=$(yq '.package' "$f")
+
+  fupstream="$(mktemp)"
+  docker exec ubuntu apt depends \
+    --no-recommends --no-suggests --no-conflicts \
+    --no-breaks --no-replaces --no-enhances \
+    "$pkg" 2>/dev/null | \
+  sed -nr 's/.*Depends:\s(\S*).*/\1/p' | \
+  sed 's/<//; s/>//; s/:any//' | \
+  sort | uniq > "$fupstream"
+
+  flocal="$(mktemp)"
+  yq '.slices.[].essential[]' "$f" | \
+  sed "s/_.*//; /^$pkg$/d" | sort | uniq > "$flocal"
+
+  fdiff="$(mktemp)"
+  if ! diff -u "$fupstream" "$flocal" > "$fdiff"; then
+    echo "<details>" >> "$msg_file"
+    echo -e "<summary>$f</summary>\n" >> "$msg_file"
+    echo "\`\`\`diff" >> "$msg_file"
+    cat "$fdiff" | tail -n +3 >> "$msg_file"
+    echo "\`\`\`" >> "$msg_file"
+    echo -e "\n</details>" >> "$msg_file"
+  fi
+done
+
+if ! grep "<summary>" "$msg_file"; then
+  echo -e "\tNone found." >> "$msg_file"
+fi
+
+echo -e "\n---" >> "$msg_file"
+cat "$msg_file"

.github/workflows/pkg-deps.yaml

@@ -0,0 +1,52 @@
+name: Package dependencies
+
+on:
+  workflow_call:
+
+jobs:
+  check-dependency:
+    name: Check dependency
+    runs-on: ubuntu-latest
+    if: |
+      github.event_name == 'pull_request' &&
+      startswith(github.base_ref, 'ubuntu-')
+    env:
+      branch: ${{ github.base_ref }}
+      main-branch-path: files-from-main
+    permissions:
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Check changed paths
+        id: changed-paths
+        uses: dorny/paths-filter@v3
+        with:
+          # ref: https://github.com/marketplace/actions/paths-changes-filter
+          filters: |
+            slices:
+              - added|modified: 'slices/**/*.yaml'
+          # Space delimited list usable as command-line argument list in
+          # Linux shell. If needed, it uses single or double quotes to
+          # wrap filename with unsafe characters.
+          list-files: shell
+
+      - name: Checkout main branch
+        uses: actions/checkout@v4
+        with:
+          ref: main
+          path: ${{ env.main-branch-path }}
+
+      - name: Check dependencies
+        id: check-deps
+        env:
+          script-dir: "${{ env.main-branch-path }}/.github/scripts/pkg-deps"
+        run: |
+          set -ex
+          ./${{ env.script-dir }}/pkg-deps \
+            ${{ steps.changed-paths.outputs.slices_files }}
+
+      - name: Post messages to PR
+        uses: mshick/add-pr-comment@v2
+        with:
+          message-path: ${{ steps.check-deps.outputs.msg_file }}