Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable pinned dependency versions to enable dependabot updates (KANBAN-576) #53

Merged
merged 34 commits into from
May 30, 2024

Conversation

mluypaert
Copy link
Member

@mluypaert mluypaert commented May 28, 2024

PR intended for dependency management testing, with the goal to enable dependabot updates.
This PR only implements dependency management for the pipeline/seq_retrieval component as a test pilot.

@mluypaert mluypaert added the no-deps-lock-updates AGR - Assign to PRs that should not get automatic dependency lock file updates label May 29, 2024
@mluypaert mluypaert removed the no-deps-lock-updates AGR - Assign to PRs that should not get automatic dependency lock file updates label May 29, 2024
@mluypaert mluypaert force-pushed the enable-failure-reporting-KANBAN-570 branch 2 times, most recently from 0c381a6 to 2003ce6 Compare May 29, 2024 20:20
@mluypaert mluypaert force-pushed the enable-failure-reporting-KANBAN-570 branch from 3001a44 to 40d9bd1 Compare May 29, 2024 20:40
@mluypaert mluypaert added no-deps-lock-updates AGR - Assign to PRs that should not get automatic dependency lock file updates and removed no-deps-lock-updates AGR - Assign to PRs that should not get automatic dependency lock file updates labels May 29, 2024
@mluypaert mluypaert added no-deps-lock-updates AGR - Assign to PRs that should not get automatic dependency lock file updates and removed no-deps-lock-updates AGR - Assign to PRs that should not get automatic dependency lock file updates labels May 30, 2024
@mluypaert mluypaert changed the title Poetry dependency mgmt testing Enable pinned dependency versions to enable dependabot updates May 30, 2024
@mluypaert
Copy link
Member Author

Note for future reference:

  • While poetry was considered as python dependency management tool (as it is already used in other python repositories accross the alliance), the current poetry version (1.*) turns out not to be PEP-621 compliant, which means it is not full compatible with dependabot (dependabot could update the poetry.lock file but not the depencies defined in non-PEP-621-compliant pyproject.toml configs that poetry uses, which means more manual interventions would be required to make dependabot-made updates work and persist).
  • Poetry 2.* is promised to be PEP-621 compliant, but is unrelease at date with no promise on release date.
  • As a consequence, the decision was made to use pip-compile (part of pip-tools) instead as dependency manager, as it is PEP-621 compliant and uses files and formats for version-locking which should be compatible with dependabot. Additionally, this also enables using standard tools like pip for package installation, as it locks all version in standard requirements.txt file formats.

Reference pages and tracking tickets:

@mluypaert mluypaert changed the title Enable pinned dependency versions to enable dependabot updates Enable pinned dependency versions to enable dependabot updates (KANBAN-576) May 30, 2024
@mluypaert mluypaert merged commit 9db7ca4 into main May 30, 2024
29 checks passed
@mluypaert mluypaert deleted the enable-failure-reporting-KANBAN-570 branch May 30, 2024 10:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant