Make Python dev dependencies reproducible with pip-tools hashed lock file#1
Merged
CoreyLeath-code merged 2 commits intoApr 2, 2026
Conversation
…reproducible dev deps Agent-Logs-Url: https://github.com/Trojan3877/Scalable-Event-Driven-Ride-Sharing-Platform/sessions/eda55a2c-9a53-4628-8112-20c531404097 Co-authored-by: Trojan3877 <182694928+Trojan3877@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Add reproducible Python dev dependencies with lock file
Make Python dev dependencies reproducible with pip-tools hashed lock file
Apr 2, 2026
CoreyLeath-code
approved these changes
Apr 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
requirements-dev.txthad no pinned versions or hashes, making dev installs non-reproducible across machines and CI runs. This adds a pip-tools–managed lock file with SHA-256 hashes and wires it into the Makefile and CI.Changes
requirements-dev.lock— generated viapip-compile --generate-hashes requirements-dev.txt; pins all transitive deps with SHA-256 hashes for verified installsMakefile— two new targets:.github/workflows/ci.yml— replaces the empty file; installspip-tools, syncs fromrequirements-dev.lock, then runsflake8,black --check,mypy, andpytest --cov; scoped topermissions: contents: readdocs/dev-dependencies.md— documents the two-file model, how to compile/sync, and how to do bulk or single-package minor/patch upgradesOriginal prompt
Create a pull request in
Trojan3877/Scalable-Event-Driven-Ride-Sharing-Platformto make Python dev dependencies reproducible.Requirements:
requirements-dev.txtas the source input file.requirements-dev.lockcompiled fromrequirements-dev.txt.pip-compile --generate-hashesor equivalent) so installs can be verified.docs/page describing how to:Makefiletargets if a Makefile already exists; otherwise add a small script) such as:make lock-devto compilerequirements-dev.lockfromrequirements-dev.txtmake sync-devto install/sync from the lock fileNotes:
Makefilealready exists in the repo; prefer adding targets there.requirements-dev.txtlisting: flake8, black, mypy, pytest, pytest-cov, types-requests, mkdocs, mkdocstrings.The following is the prior conversation context from the user's chat exploration (may be truncated):
User: Update my repositories
Assistant: GitHub Copilot Chat Assistant here.
“Update my repositories” can mean a few different things on GitHub. Which of these do you want?
Also, tell me where to do this:
owner/reponames)?If you give me 1–2 example repo links (or
owner/reponames) and pick one of the options above, I can walk you through the exact steps—or query GitHub for the current state and suggest concrete changes.User: Repos under Trojan3877
Assistant: I can help, but I need one more detail: what kind of “update” do you want to perform on the repos under
Trojan3877?Examples:
Also, I tried to fetch all repos owned by
Trojan3877, but the GitHub data tool available to me doesn’t support the “list user repositories” endpoint, so I can’t automatically enumerate them from your username.Pick one of these ways forward:
Trojan3877/repo1,Trojan3877/repo2, …).Reply with:
User: 1
Assistant: Which dependency/code updates do you want (and for which repos)?
Trojan3877to apply this to (pasteTrojan3877/<repo>names). I can start with just one.If you want a standard default, confirm this:
Send the first repo name (e.g.,
Trojan3877/my-repo) and the package manager you use there.User: 1 2 and 3
Assistant: I still need the repo list (the actual
Trojan3877/<repo>names) and the ecosystem per repo to do (1), (2), and (3). I can’t auto-enumerate your repos from your username with the GitHub tools available here.Reply in one of these formats:
Option A (recommended)
Paste something like:
Trojan3877/repoA— Node (npm)Trojan3877/repoB— Python (poetry)Trojan3877/repoC— Go modulesOption B (start with one repo)
Trojan3877/<repo>— (Node/Python/Go/etc.), and say which package managerAlso confirm the update policy:
This pull request was created from Copilot chat.