Testmon db env (#1655)

* Enable a lock file to ensure clean dep resolution of ci specific deps.

* 27;2;32~qq27;2;73~27;2;67~make

* Update with real ci-requirements.lock

* Update to strip out machinery to create the lock file

* Remove errant git ignore update.

Signed-off-by: Kashif Rasul <kashif.rasul@gmail.com>

Author: coreyjadams

.github/CACHE_CONTRACT.md

@@ -82,6 +82,60 @@ recorded.  Switching to a `-latest` mutable slot via `replace-cache`
 fixes the save bug, and the embedded verify step turns any future
 silent save failure into a hard job failure.
 
+#### Why a separate `ci-requirements.lock`
+
+The cache fix above only addresses *saving* the DB; the DB is still
+worthless to PRs if testmon's environment fingerprint at PR time
+differs from the fingerprint stored at nightly time.  Testmon
+computes that fingerprint from `importlib.metadata.distributions()`
+over the active venv -- i.e. *everything* in
+`.venv/lib/python3.12/site-packages`, not just the lockfile-pinned
+closure.
+
+`setup-uv-env` builds the venv in two layered steps:
+
+1. `uv sync --frozen --group dev --extra <EXTRAS_TAG>` -- deterministic
+   against `uv.lock`.
+2. `uv pip install -r .github/ci-requirements.txt` -- adds CI-only
+   test deps that have no home in pyproject extras (moto,
+   scikit-image, numpy-stl, shapely, multi-storage-client, tensorstore,
+   plus the PyG CUDA wheel swap).
+
+Step 2 is *not* covered by `uv.lock`.  Several of the direct pins in
+`ci-requirements.txt` are absent from `uv.lock` entirely, so their
+transitive closure (`responses`, `xmltodict`, `jsonpath-ng`,
+`lazy-loader`, `tifffile`, `pywavelets`, `imageio`,
+`antlr4-python3-runtime`, ...) gets re-resolved fresh against PyPI on
+every job.  A single transitive minor bump between the nightly that
+publishes the testmon DB and the PR that consumes it changes the
+sorted `name version` string testmon hashes, trips its
+"packages installed have been changed" guard, and re-runs the entire
+suite.
+
+[`.github/ci-requirements.lock`](ci-requirements.lock) is a fully
+pinned closure of `ci-requirements.txt` (direct + transitive), passed
+to the layered install via `--constraint`.  It is generated by
+[`.github/regen-ci-deps-lock.sh`](regen-ci-deps-lock.sh), and must be
+regenerated and committed whenever a `==` pin in
+`ci-requirements.txt` changes.
+
+Two ways to run the regen:
+
+1. **Standalone [`Regen CI-deps Lock`](workflows/regen-ci-deps-lock.yml)
+   workflow** (workflow_dispatch).  Runs the regen on a CPU runner
+   in ~5 min and uploads `.github/ci-requirements.lock` as an
+   artifact for the maintainer to download and commit.  Requires
+   the workflow file to be on the default branch (GitHub refuses
+   workflow_dispatch on files that exist only on feature branches --
+   both the UI dropdown and `gh workflow run --ref` enforce this).
+
+2. **Local docker.**  See the header of
+   [`.github/regen-ci-deps-lock.sh`](regen-ci-deps-lock.sh) for the
+   `docker run …` invocation.  Useful when iterating on the script
+   itself or when the standalone workflow is unavailable (e.g. a
+   feature branch where the workflow file has not yet landed on
+   the default branch).
+
 ### Coverage baseline cache (`.coverage*`)
 
 | Property | Value |

.github/actions/setup-uv-env/action.yml

@@ -172,7 +172,8 @@ runs:
     # uv.lock remains the single source of truth for the synced
     # environment; this step layers on top without invalidating that
     # guarantee.  Pin list and per-pin rationale live in
-    # .github/ci-requirements.txt.
+    # .github/ci-requirements.txt; the pinned transitive closure lives in
+    # .github/ci-requirements.lock (see .github/regen-ci-deps-lock.sh).
     - name: Install CI-only test dependencies
       shell: bash
       env:
@@ -190,11 +191,22 @@ runs:
         # currently latest on PyPI and breaking ABI compatibility with
         # the lockfile-pinned GPU stack (cudf / cuml / pylibcudf were
         # built against the synced pyarrow ABI, etc.).
+        #
+        # `--constraint .github/ci-requirements.lock` pins the transitive
+        # closure of the CI-only deps so testmon's `system_packages`
+        # fingerprint matches between the nightly that builds the testmon
+        # DB and the PR that consumes it.  Without this, unpinned
+        # transitives of moto / scikit-image / multi-storage-client /
+        # tensorstore / etc. resolve to whatever's latest on PyPI at job
+        # time and invalidate the entire testmon cache.  Regenerate the
+        # lock via .github/regen-ci-deps-lock.sh whenever a `==` pin in
+        # .github/ci-requirements.txt changes.
         uv pip install --python .venv/bin/python \
           --reinstall-package torch_scatter \
           --reinstall-package torch_sparse \
           --reinstall-package torch_cluster \
           --reinstall-package pyg_lib \
+          --constraint .github/ci-requirements.lock \
           -r .github/ci-requirements.txt
         echo "::endgroup::"
 

.github/ci-requirements.lock

@@ -0,0 +1,263 @@
+# This file was autogenerated by uv via the following command:
+#    uv pip compile --python .venv/bin/python --constraint /tmp/tmp.PZXhTSZc0F --output-file .github/ci-requirements.lock .github/ci-requirements.txt
+attrs==26.1.0
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   jsonschema
+    #   referencing
+boto3==1.43.11
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   moto
+    #   multi-storage-client
+botocore==1.43.11
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   boto3
+    #   moto
+    #   s3transfer
+bracex==2.6
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   wcmatch
+certifi==2026.2.25
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   requests
+cffi==2.0.0
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   cryptography
+    #   xattr
+charset-normalizer==3.4.7
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   requests
+cryptography==46.0.7
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   moto
+filelock==3.29.0
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   multi-storage-client
+idna==3.11
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   requests
+imageio==2.37.3
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   scikit-image
+jmespath==1.1.0
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   boto3
+    #   botocore
+    #   multi-storage-client
+jsonschema==4.26.0
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   multi-storage-client
+jsonschema-specifications==2025.9.1
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   jsonschema
+lark==1.3.1
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   multi-storage-client
+lazy-loader==0.5
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   scikit-image
+markupsafe==3.0.3
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   werkzeug
+ml-dtypes==0.5.4
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   tensorstore
+moto==5.2.1
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   -r .github/ci-requirements.txt
+multi-storage-client==0.48.0
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   -r .github/ci-requirements.txt
+networkx==3.6.1
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   scikit-image
+numpy==2.2.6
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   -r .github/ci-requirements.txt
+    #   imageio
+    #   ml-dtypes
+    #   numpy-stl
+    #   scikit-image
+    #   scipy
+    #   shapely
+    #   tensorstore
+    #   tifffile
+numpy-stl==3.2.0
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   -r .github/ci-requirements.txt
+opentelemetry-api==1.42.0
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   multi-storage-client
+packaging==25.0
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   lazy-loader
+    #   scikit-image
+pillow==12.2.0
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   imageio
+    #   scikit-image
+prettytable==3.17.0
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   multi-storage-client
+psutil==7.2.2
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   multi-storage-client
+py-partiql-parser==0.6.3
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   moto
+pyarrow==24.0.0
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   -r .github/ci-requirements.txt
+pycparser==3.0
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   cffi
+pyg-lib==0.6.0+pt211cu128
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   -r .github/ci-requirements.txt
+python-dateutil==2.9.0.post0
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   botocore
+    #   multi-storage-client
+python-utils==3.9.1
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   numpy-stl
+pyyaml==6.0.3
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   moto
+    #   multi-storage-client
+    #   responses
+referencing==0.37.0
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   jsonschema
+    #   jsonschema-specifications
+requests==2.33.1
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   moto
+    #   responses
+responses==0.26.0
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   moto
+rpds-py==0.30.0
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   jsonschema
+    #   referencing
+s3transfer==0.17.0
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   boto3
+scikit-image==0.26.0
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   -r .github/ci-requirements.txt
+scipy==1.17.1
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   scikit-image
+    #   torch-cluster
+    #   torch-sparse
+shapely==2.1.2
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   -r .github/ci-requirements.txt
+six==1.17.0
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   python-dateutil
+tensorstore==0.1.83
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   -r .github/ci-requirements.txt
+tifffile==2026.5.15
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   scikit-image
+torch-cluster==1.6.3+pt211cu128
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   -r .github/ci-requirements.txt
+torch-scatter==2.1.2+pt211cu128
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   -r .github/ci-requirements.txt
+torch-sparse==0.6.18+pt211cu128
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   -r .github/ci-requirements.txt
+tqdm==4.67.3
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   multi-storage-client
+typing-extensions==4.15.0
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   opentelemetry-api
+    #   python-utils
+    #   referencing
+tzdata==2025.3
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   multi-storage-client
+urllib3==2.6.3
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   botocore
+    #   requests
+    #   responses
+wcmatch==10.1
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   multi-storage-client
+wcwidth==0.6.0
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   prettytable
+werkzeug==3.1.8
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   moto
+xattr==1.3.0
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   multi-storage-client
+xmltodict==1.0.4
+    # via
+    #   -c /tmp/tmp.PZXhTSZc0F
+    #   moto

.github/ci-requirements.txt

@@ -9,10 +9,22 @@
 #   upstream release between the nightly that builds the testmon DB and
 #   the PR that consumes it would invalidate the entire cache.  Bumping a
 #   pin is a deliberate change: the next nightly repopulates the DB
-#   against the new fingerprint and PRs start hitting again.  Pinning
-#   here only stabilises *direct* deps; transitive churn (e.g. boto3 ->
-#   urllib3) can still trigger invalidations, in which case the next
-#   escalation is a constraints.txt passed via `uv pip install -c ...`.
+#   against the new fingerprint and PRs start hitting again.
+#
+# Why a companion `.github/ci-requirements.lock`:
+#   `==`-pinning the direct deps stabilises only the lines listed here.
+#   Several of them (moto, scikit-image, numpy-stl, shapely,
+#   multi-storage-client, tensorstore) are NOT in uv.lock, so their
+#   transitive closure (responses, xmltodict, jsonpath-ng, lazy-loader,
+#   tifffile, pywavelets, imageio, antlr4-python3-runtime, ...) gets
+#   resolved fresh against PyPI on every job and drifts between the
+#   nightly that builds the testmon DB and the PR that consumes it.  The
+#   companion `.github/ci-requirements.lock` (passed via `-c` in
+#   setup-uv-env) pins that closure so the fingerprint matches.
+#   Regenerate it whenever any `==` pin below changes; the three regen
+#   paths (nightly artifact, standalone workflow, local docker) are
+#   documented in .github/CACHE_CONTRACT.md under
+#   "Why a separate ci-requirements.lock".
 #
 # Coupling notes (bump in lockstep):
 #   * Dockerfile lines 240-243 still use `>=` lower bounds for the