Skip to content

m12-pr14: requirements lockfile (TD-4 partial)#32

Open
BalaShankar9 wants to merge 1 commit into
m12-pr13-context-docsfrom
m12-pr14-requirements-lockfile
Open

m12-pr14: requirements lockfile (TD-4 partial)#32
BalaShankar9 wants to merge 1 commit into
m12-pr13-context-docsfrom
m12-pr14-requirements-lockfile

Conversation

@BalaShankar9

Copy link
Copy Markdown
Owner

Summary

Closes TD-4 (partial). Adds backend/requirements.lock (444 lines,
Python 3.11 target) generated via uv pip compile, plus a required
lockfile-fresh CI gate that re-runs the compile and fails on drift.

Additive shape (intentional). Dockerfiles, Railway, and the
existing dep-audit job continue to install from
backend/requirements.txt. Cutover to install from the lockfile is a
deferred follow-up PR to keep this change reviewable and revertible.

What changed

  • backend/requirements.lock (NEW, 444 lines, generated)
  • Makefile: lock and lock-check targets (real tabs, header-stripped diff)
  • .github/workflows/ci.yml: new required job lockfile-fresh
  • CONTRIBUTING.md: "Adding a Python dependency" section
  • context/TECH_DEBT.md: TD-4 status -> PARTIAL with remaining cutover scope
  • context/TESTING_CONTEXT.md: gates table lists lockfile-fresh
  • context/CHANGELOG_INTELLIGENCE.md: m12-pr14 row
  • last_synced bumped on three touched context files

Local verification

make lock-check
# lockfile is fresh

Stacked on

PR #31 (m12-pr13-context-docs). Base of this PR is
m12-pr13-context-docs; merging that first will collapse this diff
to just the m12-pr14 surface.

Out of scope (follow-ups tracked in TD-4)

  • Cutover Dockerfiles + Railway + CI install steps to
    pip install -r backend/requirements.lock.
  • Renovate (or Dependabot) lockfile-bump PRs weekly.
  • Replace pre-existing email-validator==2.1.0 yanked pin (uv warns).

Adds backend/requirements.lock (444 lines) generated via uv pip compile,
pinned to Python 3.11 (CI/Railway runtime). Establishes the build-
reproducibility floor without disturbing install paths.

Surface:
- backend/requirements.lock (new, generated)
- Makefile: `make lock` (regenerate) and `make lock-check` (verify)
- .github/workflows/ci.yml: required gate `lockfile-fresh` re-runs
  `uv pip compile` and fails if the committed lock differs from
  regenerated output (header lines stripped from comparison)
- CONTRIBUTING.md: "Adding a Python dependency" section
- context/TECH_DEBT.md: TD-4 status PARTIAL with remaining cutover work
- context/TESTING_CONTEXT.md: gates table now lists lockfile-fresh
- context/CHANGELOG_INTELLIGENCE.md: m12-pr14 row added
- last_synced bumped on three touched context files

Additive shape (intentional):
- Dockerfiles, Railway, and the dep-audit pip install still consume
  backend/requirements.txt. Cutover deferred to a follow-up PR to keep
  blast radius contained.
- Pre-existing email-validator==2.1.0 yanked-package warning is
  out-of-scope; flagged in TD-4 follow-ups.

Local verification:
  make lock-check         # exit 0, "lockfile is fresh"

Stacked on PR #31 (m12-pr13-context-docs).
Copilot AI review requested due to automatic review settings May 9, 2026 04:31

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR partially addresses TD-4 by introducing a pinned Python dependency lockfile for the backend and enforcing its freshness via a new required CI job, while intentionally deferring the actual install cutover to the lockfile.

Changes:

  • Added backend/requirements.lock generated via uv pip compile (Python 3.11 target).
  • Added make lock / make lock-check targets and a new lockfile-fresh job in CI to fail on lockfile drift.
  • Updated contributor and /context documentation to reflect the new gate and TD-4 partial status.

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
Makefile Adds targets to generate and verify backend/requirements.lock.
.github/workflows/ci.yml Adds required lockfile-fresh CI job that recompiles and diffs the lockfile.
backend/requirements.lock New generated lockfile produced by uv pip compile for Python 3.11.
CONTRIBUTING.md Documents the workflow for adding/updating backend dependencies with the lockfile gate.
context/TESTING_CONTEXT.md Updates required CI gates table to include lockfile-fresh.
context/TECH_DEBT.md Marks TD-4 as PARTIAL and documents shipped vs remaining scope.
context/CHANGELOG_INTELLIGENCE.md Adds m12-pr14 entry and updates m12-pr13 reference.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread Makefile
Comment on lines +85 to +88
@uv pip compile backend/requirements.txt --python-version 3.11 --output-file /tmp/requirements.lock.check --quiet
@grep -v '^#' backend/requirements.lock > /tmp/lock.committed
@grep -v '^#' /tmp/requirements.lock.check > /tmp/lock.regenerated
@diff -u /tmp/lock.committed /tmp/lock.regenerated \
Comment thread Makefile
Comment on lines +81 to +86
lock: ## Regenerate backend/requirements.lock from backend/requirements.txt
uv pip compile backend/requirements.txt --python-version 3.11 --output-file backend/requirements.lock

lock-check: ## Verify backend/requirements.lock is up to date (CI gate)
@uv pip compile backend/requirements.txt --python-version 3.11 --output-file /tmp/requirements.lock.check --quiet
@grep -v '^#' backend/requirements.lock > /tmp/lock.committed
Comment thread .github/workflows/ci.yml
- name: Verify backend/requirements.lock is up to date
run: |
uv pip compile backend/requirements.txt \
--python-version 3.11 \
Comment thread .github/workflows/ci.yml
Comment on lines +190 to +203
run: |
uv pip compile backend/requirements.txt \
--python-version 3.11 \
--output-file /tmp/requirements.lock.check \
--quiet
grep -v '^#' backend/requirements.lock > /tmp/lock.committed
grep -v '^#' /tmp/requirements.lock.check > /tmp/lock.regenerated
if ! diff -u /tmp/lock.committed /tmp/lock.regenerated; then
echo ""
echo "::error::backend/requirements.lock is stale."
echo "Run 'make lock' locally and commit the diff."
exit 1
fi
echo "lockfile is fresh"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants