Skip to content

Make Python dev dependencies reproducible with pip-tools hashed lock file#1

Merged
CoreyLeath-code merged 2 commits into
mainfrom
copilot/make-python-dev-dependencies-reproducible
Apr 2, 2026
Merged

Make Python dev dependencies reproducible with pip-tools hashed lock file#1
CoreyLeath-code merged 2 commits into
mainfrom
copilot/make-python-dev-dependencies-reproducible

Conversation

Copilot AI commented Apr 2, 2026

Copy link
Copy Markdown
Contributor

requirements-dev.txt had no pinned versions or hashes, making dev installs non-reproducible across machines and CI runs. This adds a pip-tools–managed lock file with SHA-256 hashes and wires it into the Makefile and CI.

Changes

  • requirements-dev.lock — generated via pip-compile --generate-hashes requirements-dev.txt; pins all transitive deps with SHA-256 hashes for verified installs
  • Makefile — two new targets:
    make lock-dev   # recompile requirements-dev.lock from requirements-dev.txt
    make sync-dev   # pip-sync from the lock file
  • .github/workflows/ci.yml — replaces the empty file; installs pip-tools, syncs from requirements-dev.lock, then runs flake8, black --check, mypy, and pytest --cov; scoped to permissions: contents: read
  • docs/dev-dependencies.md — documents the two-file model, how to compile/sync, and how to do bulk or single-package minor/patch upgrades
Original prompt

Create a pull request in Trojan3877/Scalable-Event-Driven-Ride-Sharing-Platform to make Python dev dependencies reproducible.

Requirements:

  • Keep requirements-dev.txt as the source input file.
  • Add a generated lock file named requirements-dev.lock compiled from requirements-dev.txt.
  • Generate hashes in the lock file (use pip-tools pip-compile --generate-hashes or equivalent) so installs can be verified.
  • Add lightweight developer documentation in README or a new docs/ page describing how to:
    • compile the lock file
    • sync/install from the lock file
    • update dependencies (minor/patch updates by default)
  • Add a simple automation entrypoint (prefer Makefile targets if a Makefile already exists; otherwise add a small script) such as:
    • make lock-dev to compile requirements-dev.lock from requirements-dev.txt
    • make sync-dev to install/sync from the lock file
  • Ensure changes are minimal and do not introduce a full project restructure (no migration to Poetry/uv unless already present).
  • If CI exists for Python, update it to install from the lock file where appropriate.

Notes:

  • A Makefile already exists in the repo; prefer adding targets there.
  • The repo currently has requirements-dev.txt listing: flake8, black, mypy, pytest, pytest-cov, types-requests, mkdocs, mkdocstrings.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: Update my repositories

Assistant: GitHub Copilot Chat Assistant here.

“Update my repositories” can mean a few different things on GitHub. Which of these do you want?

  1. Update repository settings (default branch, branch protection rules, topics, description, visibility, collaborators)
  2. Update code/dependencies across repos (e.g., bump Node/Python deps, renovate-style updates)
  3. Sync forks with upstream (bring your fork up to date)
  4. Bulk maintenance (archive old repos, add LICENSE/SECURITY.md/CODEOWNERS, update README badges, etc.)

Also, tell me where to do this:

  • Which repos (all repos you own, or a list of owner/repo names)?
  • Do you mean repos under Trojan3877 only, or also org repos you have access to?

If you give me 1–2 example repo links (or owner/repo names) and pick one of the options above, I can walk you through the exact steps—or query GitHub for the current state and suggest concrete changes.

User: Repos under Trojan3877

Assistant: I can help, but I need one more detail: what kind of “update” do you want to perform on the repos under Trojan3877?

Examples:

  1. Update dependencies/code (e.g., bump npm/pip/go modules, run formatting, fix CI)
  2. Update repository settings (topics, description, default branch, branch protections)
  3. Sync forks with upstream
  4. Bulk maintenance files (LICENSE, SECURITY.md, CODEOWNERS, README standardization)

Also, I tried to fetch all repos owned by Trojan3877, but the GitHub data tool available to me doesn’t support the “list user repositories” endpoint, so I can’t automatically enumerate them from your username.

Pick one of these ways forward:

  • Option A (fastest): paste the repo names you want updated (e.g., Trojan3877/repo1, Trojan3877/repo2, …).
  • Option B: paste your GitHub profile URL and I’ll tell you what to copy/collect (still you’ll need to provide the repo list here).
  • Option C: tell me one repo to start with, and what update you want, and we’ll do it repo-by-repo.

Reply with:

  • the update type (1–4 above), and
  • the repo list (or at least the first repo to start with).

User: 1

Assistant: Which dependency/code updates do you want (and for which repos)?

  1. Languages/ecosystems involved: Node (npm/yarn/pnpm), Python (pip/poetry), Java (Maven/Gradle), .NET (NuGet), Go, Rust, etc.
  2. Scope: security-only updates, all minor/patch updates, or including majors?
  3. Repo list under Trojan3877 to apply this to (paste Trojan3877/<repo> names). I can start with just one.

If you want a standard default, confirm this:

  • Update to latest patch/minor versions (no majors)
  • Keep existing lockfiles
  • Open one PR per repo with updated deps + CI passing

Send the first repo name (e.g., Trojan3877/my-repo) and the package manager you use there.

User: 1 2 and 3

Assistant: I still need the repo list (the actual Trojan3877/<repo> names) and the ecosystem per repo to do (1), (2), and (3). I can’t auto-enumerate your repos from your username with the GitHub tools available here.

Reply in one of these formats:

Option A (recommended)

Paste something like:

  • Trojan3877/repoA — Node (npm)
  • Trojan3877/repoB — Python (poetry)
  • Trojan3877/repoC — Go modules

Option B (start with one repo)

  • Trojan3877/<repo> — (Node/Python/Go/etc.), and say which package manager

Also confirm the update policy:

  • Minor/patch only (no major version bumps) — yes/no?
  • Security-only updates — yes...

This pull request was created from Copilot chat.

Copilot AI changed the title [WIP] Add reproducible Python dev dependencies with lock file Make Python dev dependencies reproducible with pip-tools hashed lock file Apr 2, 2026
Copilot AI requested a review from CoreyLeath-code April 2, 2026 10:55
@CoreyLeath-code CoreyLeath-code marked this pull request as ready for review April 2, 2026 15:12
@CoreyLeath-code CoreyLeath-code merged commit 604cb14 into main Apr 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants