diff --git a/.github/workflows/deps-locked.yml b/.github/workflows/deps-locked.yml index 3c0eaee..9ffc563 100644 --- a/.github/workflows/deps-locked.yml +++ b/.github/workflows/deps-locked.yml @@ -62,6 +62,19 @@ jobs: - name: Verify lockfile is in sync with pyproject.toml run: | + # Seed the temp output file from the committed lock so that uv pip + # compile treats existing pins as the resolution baseline (uv's + # documented behaviour: "if the file already exists, the existing + # versions will be preferred … unless --upgrade is specified"). + # This means a satisfying already-pinned version (e.g. pytest==9.0.3 + # satisfying >=9.0.3) is KEPT even when a newer release (9.1.0) is + # available upstream — preventing false-positive failures on every + # new upstream release that has nothing to do with this repo. + # + # The diff still detects the real failure mode: pyproject adds or + # changes a dependency without the lock being regenerated, which + # causes the recompiled output to diverge from the committed lock. + cp requirements-dev.lock /tmp/requirements-dev.regenerated.lock uv pip compile --universal --generate-hashes --python-version 3.11 \ --extra dev pyproject.toml -o /tmp/requirements-dev.regenerated.lock # Compare only the dependency body. The autogenerated header comment