Introduce dependency pinning #10127
S3 Image Test Results (AMD64 / ARM64) 2 files 2 suites 3m 19s ⏱️ Results for commit 57e2443. ♻️ This comment has been updated with latest results.
LocalStack Community integration with Pro 2 files 2 suites 1h 21m 51s ⏱️ Results for commit 57e2443. ♻️ This comment has been updated with latest results.
alexrashed left a comment
This PR will solve so many issues in our build pipelines! 💯 🦸🏽 😄
It already looks great, I only have a few questions and nitpicks (some confusion about naming and some somewhat unrelated changes).
We also need to make sure that the pipeline cache keys are adjusted accordingly.
Afterwards we should be good to go! 🚀
dfangl left a comment
Looks good from my side! Great work!
alexrashed left a comment
Awesome! Thanks for addressing all the comments, and the great PR in general! And thanks to @dfangl for another pair of eyes! 🚀
Motivation
We continuously run into issues with the pipeline that are caused by an updated dependency. Dependencies currently can just update on the fly in an uncontrolled manner and we don't know when a dependency receives an upgrade.
This can obscure other issues with the pipeline or otherwise reduce the development velocity.
Changes
This PR and its companion in the Ext repository introduce dependency pinning in LocalStack Ext and Core.
To this end, new make targets are added which allow for the creation of lock files with the naming scheme requirements-<extra>.txt. These make targets can either be executed in CI or locally by devs:
In the case of CI, this PR introduces a new workflow upgrade-python-dependencies which periodically (Mondays at 5AM - same as the ASF updates) and in a controlled manner updates all the dependencies in the lock file to the latest allowable versions defined in setup.cfg.
In the case of devs, this PR introduces a new pre-commit hook, referenced from the https://github.com/localstack/pre-commit-hooks repository, which checks whether a change in setup.cfg would make the lock files incompatible with the setup.cfg. If that is the case, the hook would fail and the dev will be prompted to run the make target for upgrading all dependency lock files. As an extra precaution, the run of this pre-commit hook was additionally added to the CI pipeline in the linting step.
Testing
To test out how the pinning works you can execute the upgrade-pinned-dependencies make target.
You can add any package you wish to the setup.cfg and stage it and try to commit it to check if the pre-commit hook works.
You can also manually run the pre-commit hook with the staged changes in the setup.cfg:
pre-commit run check-pinned-deps-for-needed-upgrade --files $(git diff --name-only --cached)
TODO
What's left to do:
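Added example, not code from this PR or from the localstack/pre-commit-hooks repository: one way a check of the kind the description attributes to the pre-commit hook could be written, assuming the lock files hold exact name==version pins. The sample setup.cfg, the lock contents and all function names are constructed for illustration, and version handling is simplified to plain numeric versions.

```python
import configparser
import re

# Constructed sample inputs, not LocalStack's real files.
SETUP_CFG = """[options]
install_requires =
    requests>=2.20,<3
[options.extras_require]
test =
    pytest>=7.0
"""
LOCK_RUNTIME = "requests==2.19.1\nurllib3==1.26.16\n"

# Two-character operators come first so ">=" is not read as ">"; "~=" is not handled.
OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
       "!=": lambda a, b: a != b, ">": lambda a, b: a > b, "<": lambda a, b: a < b}

def vtuple(version):
    # Simplified: dotted numeric versions only, zero-padded so 2.20 equals 2.20.0.
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def normalize(name):
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_lock(text):
    # Only exact "name==version" pins count; comments and other lines are ignored.
    pairs = re.findall(r"^\s*([A-Za-z0-9._-]+)\s*==\s*([^\s;#]+)", text, re.M)
    return {normalize(name): version for name, version in pairs}

def declared(cfg_text, extra=None):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    raw = cfg["options.extras_require"][extra] if extra else cfg["options"]["install_requires"]
    return [line.strip() for line in raw.splitlines() if line.strip()]

def check(cfg_text, lock_text, extra=None):
    pins, problems = parse_lock(lock_text), []
    for req in declared(cfg_text, extra):
        name, spec = re.match(r"([A-Za-z0-9._-]+)\s*(.*)", req).groups()
        pin = pins.get(normalize(name))
        if pin is None:
            problems.append(f"{name}: not pinned")
            continue
        for clause in filter(None, (c.strip() for c in spec.split(","))):
            op = next(o for o in OPS if clause.startswith(o))
            if not OPS[op](vtuple(pin), vtuple(clause[len(op):])):
                problems.append(f"{name}: pin {pin} violates {clause}")
    return problems
```

An empty list from check() means every declared dependency has a pin inside its allowed range; anything else is the kind of drift that should fail the commit until the lock files are regenerated.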