@jku jku commented Oct 14, 2025

We are badly behind in Python dependency updates, need to do something about this.

  • Add dependabot config to handle Python: I think this works mostly like we want:
    • requirements/*.txt will get updates at least seemingly generated by the right tools
    • versions in requirements/*.in will also get updated
    • major versions get their own PRs, everything else is bundled
  • Remove the requirements-building in Makefile: it was not working and dependabot should now handle it
  • Fix the references to the virtual env in the Makefile: .venv is the environment uv venv uses.

This does nothing to fix #216 (but it does remove one use of uv from Makefile so fixing should be a little easier)

Fixes #175. The resulting dependency updates should fix #213
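A Dependabot configuration with the behaviour described in the comment above could look like the following. This is an added example, not the file from this pull request. The `/requirements` directory, the weekly schedule and the group name are assumptions.

```yaml
# .github/dependabot.yml (illustrative sketch, not the project's actual file)
version: 2
updates:
  # The "pip" ecosystem also covers pip-compile style layouts, where
  # *.in files hold the direct dependencies and *.txt files hold the
  # compiled, pinned output.
  - package-ecosystem: "pip"
    # Assumed location of the requirements/*.in and requirements/*.txt files.
    directory: "/requirements"
    schedule:
      # Assumed cadence; the comment above does not state one.
      interval: "weekly"
    groups:
      # Hypothetical group name. Minor and patch updates for every
      # dependency are bundled into one pull request.
      python-minor-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
      # Major updates match no group, so each one gets its own
      # pull request and can be reviewed separately.
```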

jku added 2 commits October 14, 2025 11:26
* Remove the requirements compiling: it's not working right now and we
  want dependabot to handle this
* Make sure we don't play with two separate venvs ("./.venv/" and "./env")

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Assumption is that it manages to find the requirements/*.in files and
produces requirements files.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
@jku jku requested a review from woodruffw October 14, 2025 08:55
@woodruffw woodruffw merged commit daf3cb0 into sigstore:main Oct 14, 2025
18 checks passed
Development

Successfully merging this pull request may close these issues.

  • dev dependency on uv is not great
  • Upgrade to sigstore-python 4.x
  • python dependency updates should be automated