From 29f6b9917f38b7eec7e7b72162df59c4ed06c550 Mon Sep 17 00:00:00 2001 From: Ernest Provo Date: Sat, 13 Jun 2026 15:24:27 -0400 Subject: [PATCH] ci: make deps-locked check resilient to upstream releases (pin-drift only on pyproject change) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The "Verify lockfile is in sync" step previously ran uv pip compile with no output-file baseline, which floats every dependency to the latest satisfying release and then diffs against the committed lock. Any upstream publish of a new satisfying release (e.g. pytest 9.1.0 satisfying >=9.0.3 while the lock pins 9.0.3) produces a non-empty diff and fails the job with zero repo change — making the check permanently flaky on every open PR. Fix: seed the temp output file from the committed lock before running uv pip compile (cp requirements-dev.lock /tmp/requirements-dev.regenerated.lock, then -o /tmp/requirements-dev.regenerated.lock). Per uv 0.6.16 docs: "if the output file already exists, the existing versions will be preferred … unless --upgrade is specified." This preserves pytest==9.0.3 (and all other pins) when they already satisfy the pyproject constraint, so the diff is empty and the check passes. The real failure mode — pyproject adds/changes a dep without the lock being regenerated — still produces a non-empty diff and fails. Step 1 (pip install --require-hashes) and Step 3 (import check) are unchanged. The committed requirements-dev.lock is unchanged; no deps were bumped. --- .github/workflows/deps-locked.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.github/workflows/deps-locked.yml b/.github/workflows/deps-locked.yml index 3c0eaee..9ffc563 100644 --- a/.github/workflows/deps-locked.yml +++ b/.github/workflows/deps-locked.yml @@ -62,6 +62,19 @@ jobs: - name: Verify lockfile is in sync with pyproject.toml run: | + # Seed the temp output file from the committed lock so that uv pip + # compile treats existing pins as the resolution baseline (uv's + # documented behaviour: "if the file already exists, the existing + # versions will be preferred … unless --upgrade is specified"). + # This means a satisfying already-pinned version (e.g. pytest==9.0.3 + # satisfying >=9.0.3) is KEPT even when a newer release (9.1.0) is + # available upstream — preventing false-positive failures on every + # new upstream release that has nothing to do with this repo. + # + # The diff still detects the real failure mode: pyproject adds or + # changes a dependency without the lock being regenerated, which + # causes the recompiled output to diverge from the committed lock. + cp requirements-dev.lock /tmp/requirements-dev.regenerated.lock uv pip compile --universal --generate-hashes --python-version 3.11 \ --extra dev pyproject.toml -o /tmp/requirements-dev.regenerated.lock # Compare only the dependency body. The autogenerated header comment