X #1276

Closed

tisnik wants to merge 1 commit into lightspeed-core:main from tisnik:test--

@tisnik tisnik commented Mar 5, 2026

Contributor

Description

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement
  • Benchmarks improvement

Tools used to create PR

Identify any AI code assistants used in this PR (for transparency and review context)

  • Assisted-by: (e.g., Claude, CodeRabbit, Ollama, etc., N/A if not used)
  • Generated by: (e.g., tool name and version; N/A if not used)

Related Tickets & Documents

  • Related Issue #
  • Closes #

Checklist before requesting a review

  • I have performed a self-review of my code.
  • PR has passed all pre-merge test jobs.
  • If it is a core feature, I have added thorough tests.

Testing

  • Please provide detailed steps to perform tests related to this code change.
  • How were the fix/results from this change verified? Please provide relevant screenshots or results.

Summary by CodeRabbit

  • Chores
    • Updated Python dependencies with version bumps across multiple packages (fastapi, uvicorn, regex, and others).
    • Added Google Cloud-related packages and docstring parser to the build pipeline.
    • Removed unused packages including OpenTelemetry components and accelerate.
    • Updated integrity hashes for dependency verification.

coderabbitai Bot commented Mar 5, 2026

Contributor

Walkthrough

This pull request updates Python package dependencies across multiple configuration files. Changes include updating package versions in Tekton pipeline configurations, adding a cryptography dependency pin in pyproject.toml, significantly expanding build requirements with new packages and inline dependency documentation, and comprehensively updating source and wheel hash files to reflect new package versions and additions.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Tekton Pipeline Configurations: .tekton/lightspeed-stack-pull-request.yaml, .tekton/lightspeed-stack-push.yaml | Updates Python binary package lists in prefetch-input configuration, removing packages like accelerate and grpc-related entries while adding Google Cloud packages (google-cloud-core, google-crc32c, google-resumable-media, grpc-google-iam-v1) and docstring-parser. |
| Direct Dependencies: pyproject.toml | Adds exact version pin for cryptography==46.0.3 to project dependencies. |
| Build Requirements: requirements-build.txt | Substantially expands build dependencies from 6 to 133 net additions, introducing new packages (certifi, cffi, cryptography, jaraco-*, keyring, markdown-it-py, requests, rich, twine, urllib3, etc.) with extensive inline provenance comments documenting transitive dependencies, while updating dunamai from 1.25.0 to 1.26.0. |
| Hash Verification Files: requirements.hashes.source.txt, requirements.hashes.wheel.txt | Comprehensively updates dependency hashes reflecting version bumps (a2a-sdk 0.3.22→0.3.24, fastapi 0.128.1→0.135.1, regex 2026.1.15→2026.2.28, etc.), removes packages (accelerate, OpenTelemetry suite, autoevals, hf-xet), and adds Google Cloud packages with corresponding SHA256 hashes for integrity verification. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Title check | ❓ Inconclusive | The pull request title 'X' is vague and non-descriptive, providing no meaningful information about the substantial changes made across multiple configuration and dependency files. | Replace the title with a clear, descriptive summary of the main change, such as 'Update Python dependencies and build configuration' or a more specific description of the primary objective. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@requirements-build.txt`:
- Around line 62-63: requirements-build.txt contains conflicting duplicate pins
for the same packages; remove the older/duplicate pins so each package is pinned
only once (e.g., consolidate hatchling to a single version and setuptools to a
single version). Edit requirements-build.txt and delete the duplicate entries
for "hatchling" and "setuptools", leaving only the intended version for each
(pick the most recent/stable version you want to enforce), and ensure there are
no other duplicate pins elsewhere in the file.
- Around line 21-23: requirements-build.txt currently pins cryptography==46.0.5
which diverges from the project's locked version; update the cryptography pin in
requirements-build.txt to cryptography==46.0.3 to match pyproject.toml and
requirements.hashes.wheel.txt so all artifacts use the same version.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 72660aac-5f03-458d-8776-1173c2c9f41d

📥 Commits

Reviewing files that changed from the base of the PR and between e00ec21 and c5e989d.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (6)
  • .tekton/lightspeed-stack-pull-request.yaml
  • .tekton/lightspeed-stack-push.yaml
  • pyproject.toml
  • requirements-build.txt
  • requirements.hashes.source.txt
  • requirements.hashes.wheel.txt

Comment thread requirements-build.txt
Comment on lines +21 to +23
cryptography==46.0.5
# via secretstorage
cython==3.1.1

Contributor

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

```shell
rg -n 'cryptography' pyproject.toml requirements-build.txt
```

Repository: lightspeed-core/lightspeed-stack

Length of output: 313


🏁 Script executed:

```shell
fd -t f 'requirements.*wheel' .
```

Repository: lightspeed-core/lightspeed-stack

Length of output: 107


🏁 Script executed:

```shell
rg -n 'cryptography' requirements.hashes.wheel.txt | head -20
```

Repository: lightspeed-core/lightspeed-stack

Length of output: 101


Align cryptography pin with project/runtime lock inputs to avoid dependency drift.

requirements-build.txt line 21 pins cryptography==46.0.5, but pyproject.toml (line 72) and requirements.hashes.wheel.txt (line 38) both pin cryptography==46.0.3. Keep a single version across these artifacts.

Proposed alignment
-cryptography==46.0.5
+cryptography==46.0.3
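
Review bot: on the `+cryptography==46.0.3` line, the alignment lowers the build-time pin of a cryptographic library instead of raising the other two files to 46.0.5, and nothing here says why 46.0.3 is the version to converge on. The `# via secretstorage` annotation next to this entry also marks it as a resolved transitive dependency, so if requirements-build.txt is generated by a resolver, a hand edit will be lost on the next regeneration; put the constraint in the resolver's input and regenerate instead.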
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
cryptography==46.0.5
# via secretstorage
cython==3.1.1
cryptography==46.0.3
# via secretstorage
cython==3.1.1
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@requirements-build.txt` around lines 21 - 23, requirements-build.txt
currently pins cryptography==46.0.5 which diverges from the project's locked
version; update the cryptography pin in requirements-build.txt to
cryptography==46.0.3 to match pyproject.toml and requirements.hashes.wheel.txt
so all artifacts use the same version.

Comment thread requirements-build.txt
Comment on lines +62 to 63
hatchling==1.29.0
# via

Contributor

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

```shell
cd /repo && python - <<'PY'
import re
from collections import defaultdict

fname = "requirements-build.txt"
versions = defaultdict(list)

with open(fname, "r", encoding="utf-8") as f:
    for i, line in enumerate(f, 1):
        m = re.match(r'^([A-Za-z0-9_.-]+)==([^\s;]+)', line.strip())
        if m:
            pkg, ver = m.group(1).lower(), m.group(2)
            versions[pkg].append((ver, i))

for pkg in sorted(versions):
    uniq = sorted({v for v, _ in versions[pkg]})
    if len(uniq) > 1:
        print(f"{pkg}: versions={uniq}, lines={[ln for _, ln in versions[pkg]]}")
PY
```

Repository: lightspeed-core/lightspeed-stack

Length of output: 131


🏁 Script executed:

```shell
cd /repo && sed -n '55,65p; 210,220p' requirements-build.txt | cat -n
```

Repository: lightspeed-core/lightspeed-stack

Length of output: 131


🏁 Script executed:

```shell
find . -name "requirements-build.txt" -type f
```

Repository: lightspeed-core/lightspeed-stack

Length of output: 100


🏁 Script executed:

```shell
python - <<'PY'
import re
from collections import defaultdict

fname = "./requirements-build.txt"
versions = defaultdict(list)

with open(fname, "r", encoding="utf-8") as f:
    for i, line in enumerate(f, 1):
        m = re.match(r'^([A-Za-z0-9_.-]+)==([^\s;]+)', line.strip())
        if m:
            pkg, ver = m.group(1).lower(), m.group(2)
            versions[pkg].append((ver, i))

for pkg in sorted(versions):
    uniq = sorted({v for v, _ in versions[pkg]})
    if len(uniq) > 1:
        print(f"{pkg}: versions={uniq}, lines={[ln for _, ln in versions[pkg]]}")
PY
```

Repository: lightspeed-core/lightspeed-stack

Length of output: 192


🏁 Script executed:

```shell
sed -n '55,65p; 210,220p' ./requirements-build.txt | cat -n
```

Repository: lightspeed-core/lightspeed-stack

Length of output: 684


Remove conflicting duplicate pins that will break package resolution.

requirements-build.txt contains multiple versions of the same packages:

  • hatchling==1.26.3 (line 57) and hatchling==1.29.0 (line 62)
  • setuptools==81.0.0 (line 214) and setuptools==82.0.0 (line 216)

Conflicting pins in the same requirements file break resolver semantics and cause unpredictable install behavior.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@requirements-build.txt` around lines 62 - 63, requirements-build.txt contains
conflicting duplicate pins for the same packages; remove the older/duplicate
pins so each package is pinned only once (e.g., consolidate hatchling to a
single version and setuptools to a single version). Edit requirements-build.txt
and delete the duplicate entries for "hatchling" and "setuptools", leaving only
the intended version for each (pick the most recent/stable version you want to
enforce), and ensure there are no other duplicate pins elsewhere in the file.
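
Both findings in this review (the cryptography pin that differs between files, and the duplicate hatchling/setuptools pins inside one file) come down to one package pinned to more than one version. The following is an added example, not CodeRabbit's script and not code from lightspeed-stack: it generalizes the single-file check to several dependency files at once. The file contents are constructed samples built from versions quoted in this review, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed samples: versions quoted in this review; hash is a placeholder.
SAMPLE_FILES = {
    "pyproject.toml": '''
[project]
dependencies = [
    "fastapi>=0.135.1",
    "cryptography==46.0.3",
]
''',
    "requirements-build.txt": '''
cryptography==46.0.5
    # via secretstorage
cython==3.1.1
hatchling==1.26.3
hatchling==1.29.0
''',
    "requirements.hashes.wheel.txt": '''
cryptography==46.0.3 \\
    --hash=sha256:<placeholder>
''',
}

# An exact '==' pin, optionally inside a quoted TOML list item.
PIN = re.compile(r"""^\s*["']?([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([A-Za-z0-9.!+_-]+)""")

def normalize(name):
    """PEP 503 name normalisation, so Foo_Bar and foo-bar compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def collect_pins(files):
    """Map package -> version -> [(file, line_no)] for every '==' pin."""
    pins = defaultdict(lambda: defaultdict(list))
    for fname, text in files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            m = PIN.match(line)  # comment, range and --hash lines never match
            if m:
                pins[normalize(m.group(1))][m.group(2)].append((fname, line_no))
    return pins

def find_drift(files):
    """Packages pinned to more than one version, within or across files."""
    return {p: dict(v) for p, v in collect_pins(files).items() if len(v) > 1}

if __name__ == "__main__":
    for pkg, versions in sorted(find_drift(SAMPLE_FILES).items()):
        for ver, locs in sorted(versions.items()):
            print(f"{pkg}=={ver}: " + ", ".join(f"{f}:{n}" for f, n in locs))
```

Run as a pre-merge check over the real files, a non-empty result from `find_drift` is the signal to fail the job before the hash files are regenerated.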

@tisnik tisnik closed this Mar 5, 2026