m12-pr14: requirements lockfile (TD-4 partial)#32
Open
BalaShankar9 wants to merge 1 commit into
Open
Conversation
Adds backend/requirements.lock (444 lines) generated via uv pip compile, pinned to Python 3.11 (CI/Railway runtime). Establishes the build- reproducibility floor without disturbing install paths. Surface: - backend/requirements.lock (new, generated) - Makefile: `make lock` (regenerate) and `make lock-check` (verify) - .github/workflows/ci.yml: required gate `lockfile-fresh` re-runs `uv pip compile` and fails if the committed lock differs from regenerated output (header lines stripped from comparison) - CONTRIBUTING.md: "Adding a Python dependency" section - context/TECH_DEBT.md: TD-4 status PARTIAL with remaining cutover work - context/TESTING_CONTEXT.md: gates table now lists lockfile-fresh - context/CHANGELOG_INTELLIGENCE.md: m12-pr14 row added - last_synced bumped on three touched context files Additive shape (intentional): - Dockerfiles, Railway, and the dep-audit pip install still consume backend/requirements.txt. Cutover deferred to a follow-up PR to keep blast radius contained. - Pre-existing email-validator==2.1.0 yanked-package warning is out-of-scope; flagged in TD-4 follow-ups. Local verification: make lock-check # exit 0, "lockfile is fresh" Stacked on PR #31 (m12-pr13-context-docs).
There was a problem hiding this comment.
Pull request overview
This PR partially addresses TD-4 by introducing a pinned Python dependency lockfile for the backend and enforcing its freshness via a new required CI job, while intentionally deferring the actual install cutover to the lockfile.
Changes:
- Added
backend/requirements.lockgenerated viauv pip compile(Python 3.11 target). - Added
make lock/make lock-checktargets and a newlockfile-freshjob in CI to fail on lockfile drift. - Updated contributor and
/contextdocumentation to reflect the new gate and TD-4 partial status.
Reviewed changes
Copilot reviewed 6 out of 7 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| Makefile | Adds targets to generate and verify backend/requirements.lock. |
| .github/workflows/ci.yml | Adds required lockfile-fresh CI job that recompiles and diffs the lockfile. |
| backend/requirements.lock | New generated lockfile produced by uv pip compile for Python 3.11. |
| CONTRIBUTING.md | Documents the workflow for adding/updating backend dependencies with the lockfile gate. |
| context/TESTING_CONTEXT.md | Updates required CI gates table to include lockfile-fresh. |
| context/TECH_DEBT.md | Marks TD-4 as PARTIAL and documents shipped vs remaining scope. |
| context/CHANGELOG_INTELLIGENCE.md | Adds m12-pr14 entry and updates m12-pr13 reference. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+85
to
+88
| @uv pip compile backend/requirements.txt --python-version 3.11 --output-file /tmp/requirements.lock.check --quiet | ||
| @grep -v '^#' backend/requirements.lock > /tmp/lock.committed | ||
| @grep -v '^#' /tmp/requirements.lock.check > /tmp/lock.regenerated | ||
| @diff -u /tmp/lock.committed /tmp/lock.regenerated \ |
Comment on lines
+81
to
+86
| lock: ## Regenerate backend/requirements.lock from backend/requirements.txt | ||
| uv pip compile backend/requirements.txt --python-version 3.11 --output-file backend/requirements.lock | ||
|
|
||
| lock-check: ## Verify backend/requirements.lock is up to date (CI gate) | ||
| @uv pip compile backend/requirements.txt --python-version 3.11 --output-file /tmp/requirements.lock.check --quiet | ||
| @grep -v '^#' backend/requirements.lock > /tmp/lock.committed |
| - name: Verify backend/requirements.lock is up to date | ||
| run: | | ||
| uv pip compile backend/requirements.txt \ | ||
| --python-version 3.11 \ |
Comment on lines
+190
to
+203
| run: | | ||
| uv pip compile backend/requirements.txt \ | ||
| --python-version 3.11 \ | ||
| --output-file /tmp/requirements.lock.check \ | ||
| --quiet | ||
| grep -v '^#' backend/requirements.lock > /tmp/lock.committed | ||
| grep -v '^#' /tmp/requirements.lock.check > /tmp/lock.regenerated | ||
| if ! diff -u /tmp/lock.committed /tmp/lock.regenerated; then | ||
| echo "" | ||
| echo "::error::backend/requirements.lock is stale." | ||
| echo "Run 'make lock' locally and commit the diff." | ||
| exit 1 | ||
| fi | ||
| echo "lockfile is fresh" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes TD-4 (partial). Adds
backend/requirements.lock(444 lines,Python 3.11 target) generated via
uv pip compile, plus a requiredlockfile-freshCI gate that re-runs the compile and fails on drift.Additive shape (intentional). Dockerfiles, Railway, and the
existing
dep-auditjob continue to install frombackend/requirements.txt. Cutover to install from the lockfile is adeferred follow-up PR to keep this change reviewable and revertible.
What changed
backend/requirements.lock(NEW, 444 lines, generated)Makefile:lockandlock-checktargets (real tabs, header-stripped diff).github/workflows/ci.yml: new required joblockfile-freshCONTRIBUTING.md: "Adding a Python dependency" sectioncontext/TECH_DEBT.md: TD-4 status -> PARTIAL with remaining cutover scopecontext/TESTING_CONTEXT.md: gates table listslockfile-freshcontext/CHANGELOG_INTELLIGENCE.md: m12-pr14 rowlast_syncedbumped on three touched context filesLocal verification
make lock-check # lockfile is freshStacked on
PR #31 (m12-pr13-context-docs). Base of this PR is
m12-pr13-context-docs; merging that first will collapse this diffto just the m12-pr14 surface.
Out of scope (follow-ups tracked in TD-4)
pip install -r backend/requirements.lock.email-validator==2.1.0yanked pin (uv warns).