Skip to content

Commit 3c79d96

Browse files
d-v-bdependabot[bot]claude
authored
harden dependency environment (#4066)
* chore(deps): bump the actions group across 1 directory with 8 updates (#176) Bumps the actions group with 8 updates in the / directory: | Package | From | To | | --- | --- | --- | | [prefix-dev/setup-pixi](https://github.com/prefix-dev/setup-pixi) | `0.9.5` | `0.9.6` | | [codecov/codecov-action](https://github.com/codecov/codecov-action) | `6.0.0` | `6.0.1` | | [github/issue-metrics](https://github.com/github/issue-metrics) | `4.2.2` | `4.2.7` | | [j178/prek-action](https://github.com/j178/prek-action) | `2.0.3` | `2.0.4` | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `7.0.0` | `7.0.1` | | [actions/download-artifact](https://github.com/actions/download-artifact) | `7.0.0` | `8.0.1` | | [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) | `1.13.0` | `1.14.0` | | [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) | `0.5.3` | `0.5.6` | Updates `prefix-dev/setup-pixi` from 0.9.5 to 0.9.6 - [Release notes](https://github.com/prefix-dev/setup-pixi/releases) - [Commits](prefix-dev/setup-pixi@1b2de7f...5185adf) Updates `codecov/codecov-action` from 6.0.0 to 6.0.1 - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@57e3a13...e79a696) Updates `github/issue-metrics` from 4.2.2 to 4.2.7 - [Release notes](https://github.com/github/issue-metrics/releases) - [Commits](github-community-projects/issue-metrics@c9e9838...1e38d5e) Updates `j178/prek-action` from 2.0.3 to 2.0.4 - [Release notes](https://github.com/j178/prek-action/releases) - [Commits](j178/prek-action@6ad8027...bdca6f1) Updates `actions/upload-artifact` from 7.0.0 to 7.0.1 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@v7...043fb46) Updates `actions/download-artifact` from 7.0.0 to 8.0.1 - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@v7...3e5f45b) Updates `pypa/gh-action-pypi-publish` from 1.13.0 to 1.14.0 - [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases) - [Commits](pypa/gh-action-pypi-publish@v1.13.0...cef2210) Updates `zizmorcore/zizmor-action` from 0.5.3 to 0.5.6 - [Release notes](https://github.com/zizmorcore/zizmor-action/releases) - [Commits](zizmorcore/zizmor-action@b1d7e1f...5f14fd0) --- updated-dependencies: - dependency-name: prefix-dev/setup-pixi dependency-version: 0.9.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: codecov/codecov-action dependency-version: 6.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: github/issue-metrics dependency-version: 4.2.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: j178/prek-action dependency-version: 2.0.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: actions/upload-artifact dependency-version: 7.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: actions/download-artifact dependency-version: 8.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: pypa/gh-action-pypi-publish dependency-version: 1.14.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: zizmorcore/zizmor-action dependency-version: 0.5.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): pin dev tooling for reproducible CI The hatch test envs and bare `uv run` resolve [dependency-groups] fresh from PyPI and ignore uv.lock, so an unrelated upstream tooling release can break CI without any change on our side (e.g. the pytest 9.1.0 `duplicate parametrization` regression, pytest-dev/pytest#14591). Pin dev *tooling* (pytest & plugins, coverage, hypothesis, mypy, ruff, mkdocs*, towncrier, moto, ...) to exact versions. Leave runtime/ integration deps (fsspec, obstore, s3fs, botocore, numcodecs, universal-pathlib) floating so the `optional` test matrix keeps exercising their latest releases; the `min_deps`/`upstream` envs cover the floor and bleeding edge. Also: - Add a focused `release` dependency group as the single source of truth for the towncrier pin; `docs` includes it. prepare_release.yml now runs `uv run --only-group release towncrier build` instead of an unpinned `pip install towncrier`. - Add a `uv` dependabot ecosystem so the pins and uv.lock get weekly update PRs instead of silently rotting. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 0bb8ceb commit 3c79d96

4 files changed

Lines changed: 127 additions & 101 deletions

File tree

.github/dependabot.yml

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,19 @@ updates:
1212
- "*"
1313
cooldown:
1414
default-days: 7
15+
# Keep the pinned dev tooling in pyproject.toml's [dependency-groups] and the
16+
# uv.lock current. Without this the exact pins (e.g. pytest) would never be
17+
# bumped automatically and would silently rot.
18+
- package-ecosystem: "uv"
19+
directory: "/"
20+
schedule:
21+
interval: "weekly"
22+
groups:
23+
python-dependencies:
24+
patterns:
25+
- "*"
26+
cooldown:
27+
default-days: 7
1528
- package-ecosystem: "github-actions"
1629
directory: "/"
1730
target-branch: "support/v2"

.github/workflows/prepare_release.yml

Lines changed: 4 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -42,15 +42,12 @@ jobs:
4242
fetch-depth: 0
4343
persist-credentials: false
4444

45-
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
46-
with:
47-
python-version: '3.12'
48-
49-
- name: Install towncrier
50-
run: pip install towncrier
45+
- uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
5146

5247
- name: Build changelog
53-
run: towncrier build --version "$VERSION" --yes
48+
# Use the pinned towncrier from the `release` dependency group (single
49+
# source of truth) rather than an unpinned standalone install.
50+
run: uv run --only-group release towncrier build --version "$VERSION" --yes
5451
env:
5552
VERSION: ${{ inputs.version }}
5653

pyproject.toml

Lines changed: 40 additions & 28 deletions
Original file line numberDiff line numberDiff line change
@@ -83,56 +83,68 @@ Discussions = "https://github.com/zarr-developers/zarr-python/discussions"
8383
documentation = "https://zarr.readthedocs.io/"
8484
homepage = "https://github.com/zarr-developers/zarr-python"
8585

86+
# Dev *tooling* is pinned to exact versions for reproducible CI: the hatch envs
87+
# (see `tool.hatch.envs.*`) and bare `uv run` resolve these groups fresh from
88+
# PyPI and do NOT consult uv.lock, so an unrelated tooling release can break CI
89+
# without any change on our side (e.g. the pytest 9.1.0 `duplicate
90+
# parametrization` regression). Runtime/integration deps (fsspec, obstore, s3fs,
91+
# botocore, numcodecs, universal-pathlib) are intentionally left floating so the
92+
# `optional` test matrix keeps exercising their latest releases; their floor and
93+
# bleeding edge are covered by the `min_deps` and `upstream` hatch envs. Bump the
94+
# pins deliberately, e.g. via dependabot or `uv lock --upgrade`.
8695
[dependency-groups]
8796
test = [
88-
"coverage>=7.10",
89-
"pytest",
90-
"pytest-asyncio",
91-
"pytest-cov",
92-
"pytest-accept",
93-
"numpydoc",
94-
"hypothesis",
95-
"pytest-xdist",
96-
"pytest-benchmark",
97-
"pytest-codspeed",
98-
"tomlkit",
99-
"uv",
97+
"coverage==7.14.0",
98+
"pytest==9.0.3",
99+
"pytest-asyncio==1.3.0",
100+
"pytest-cov==7.1.0",
101+
"pytest-accept==0.2.3",
102+
"numpydoc==1.10.0",
103+
"hypothesis==6.152.7",
104+
"pytest-xdist==3.8.0",
105+
"pytest-benchmark==5.2.3",
106+
"pytest-codspeed==5.0.1",
107+
"tomlkit==0.15.0",
108+
"uv==0.11.15",
100109
]
101110
remote-tests = [
102111
{include-group = "test"},
103112
"fsspec>=2023.10.0",
104113
"obstore>=0.5.1",
105114
"botocore",
106115
"s3fs>=2023.10.0",
107-
"moto[s3,server]",
108-
"requests",
116+
"moto[s3,server]==5.2.1",
117+
"requests==2.34.1",
118+
]
119+
release = [
120+
"towncrier==25.8.0",
109121
]
110122
docs = [
111123
# Doc building
112-
"mkdocs-material[imaging]>=9.6.14",
113-
"mkdocs>=1.6.1,<2",
114-
"mkdocstrings>=0.29.1",
115-
"mkdocstrings-python>=1.16.10",
116-
"mike>=2.1.3",
117-
"mkdocs-jupyter>=0.25.1",
118-
"mkdocs-redirects>=1.2.0",
119-
"markdown-exec[ansi]",
120-
"griffe-inherited-docstrings",
121-
"ruff",
124+
"mkdocs-material[imaging]==9.7.6",
125+
"mkdocs==1.6.1",
126+
"mkdocstrings==1.0.4",
127+
"mkdocstrings-python==2.0.3",
128+
"mike==2.2.0",
129+
"mkdocs-jupyter==0.26.3",
130+
"mkdocs-redirects==1.2.3",
131+
"markdown-exec[ansi]==1.12.1",
132+
"griffe-inherited-docstrings==1.1.3",
133+
"ruff==0.15.12",
122134
# Changelog generation
123-
"towncrier",
135+
{include-group = "release"},
124136
# Optional dependencies to run examples
125137
"numcodecs[msgpack]",
126138
"s3fs>=2023.10.0",
127-
"astroid<4",
128-
"pytest",
139+
"astroid==3.3.11",
140+
"pytest==9.0.3",
129141
]
130142
dev = [
131143
{include-group = "test"},
132144
{include-group = "remote-tests"},
133145
{include-group = "docs"},
134146
"universal-pathlib",
135-
"mypy",
147+
"mypy==2.1.0",
136148
]
137149

138150
[tool.coverage.report]

uv.lock

Lines changed: 70 additions & 66 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

0 commit comments

Comments
 (0)