renovate: fix requirements.txt handling #196
Review Summary by Qodo (Agentic_describe updated until commit 989c6af)
Fix Renovate pip requirements handling with pip-compile manager
Walkthroughs
Description
• Replace pip_requirements with pip-compile manager for better dependency handling
• Pin direct pip dependencies to specific versions in requirements.in
• Update Makefile to use long-form uv flags for Renovate compatibility
• Disable lockfile maintenance to reduce unnecessary transitive dependency updates
Diagram
flowchart LR
A["pip_requirements manager<br/>disabled"] -->|"replaced by"| B["pip-compile manager"]
B -->|"parses header and"| C["updates requirements.in"]
C -->|"reruns compile"| D["regenerates requirements.txt"]
E["Direct deps pinned<br/>to versions"] -->|"enables"| F["Renovate updates"]
F -->|"triggers"| D
G["lockFileMaintenance<br/>disabled"] -->|"prevents"| H["unnecessary transitive<br/>dependency PRs"]
File Changes
1. devtool/renovate.py
Code Review by Qodo
Context used: ✅ Compliance rules (platform): 4 rules
1. RPM Renovate config missing
f5e0f10 to 87215fd
👍 fixed
Renovate's pip_requirements manager is very stupid; it updates each package in a vacuum and doesn't respect dependency relationships. This results in completely bogus requirements.txt updates that have to be fixed by re-compiling the requirements file.

Disable it, use the pip-compile manager instead. This one parses the header in the requirements.txt file, identifies the input file, updates packages in the input file and then reruns the compile command.

Note that this will result in fewer updates for transitive dependencies. Specifically, transitive dependencies will only get updated if uv's dependency resolution determines it is necessary, or for security fixes (assuming MintMaker has that set up). That seems like reasonable behavior.

Assisted-by: Claude
Signed-off-by: Adam Cmiel <acmiel@redhat.com>
87215fd to 989c6af
Code review by qodo was updated up to the latest commit 989c6af
Indeed, but we've always had that problem and I don't think it's solvable. Mintmaker doesn't allow
Renovate's pip_requirements manager is very stupid; it updates each package in a vacuum and doesn't respect dependency relationships. This results in completely bogus requirements.txt updates that have to be fixed by re-compiling the requirements file.
Disable it, use the pip-compile manager instead. This one parses the header in the requirements.txt file, identifies the input file, updates packages in the input file and then reruns the compile command.
Note that this will result in fewer updates for transitive dependencies. Specifically, transitive dependencies will only get updated if uv's dependency resolution determines it is necessary, or for security fixes (assuming MintMaker has that set up). That seems like reasonable behavior.
Testing
Note that by default, Renovate also wants to refresh the lockfile: chmeliik#23
Disabled lockfile maintenance for pip-compile
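
The header lookup described in the PR description above, as an added Python sketch (not part of the PR and not Renovate's own code): it reads the command recorded in a compiled requirements.txt header, reports the input and output files, and lists any short-form flags. The sample header, the `VALUE_OPTS` subset and the function names are assumptions made for this example.

```python
import shlex

# Options that consume the next token (small illustrative subset, an assumption).
VALUE_OPTS = {"--output-file", "-o", "--constraint", "-c", "--index-url"}

# Constructed sample: header in the style uv writes at the top of a compiled file.
SAMPLE_UV = """\
# This file was autogenerated by uv via the following command:
#    uv pip compile requirements.in --output-file requirements.txt
requests==2.32.3
"""

def recorded_command(text):
    """Return the command line stored in the leading comment block, or None."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if not line.startswith("#"):
            return None  # header ended without a recorded command
        if "following command" in line:
            for nxt in lines[i + 1:]:
                if not nxt.startswith("#"):
                    return None
                body = nxt.lstrip("#").strip()
                if body:
                    return body
    return None

def parse_compile_header(text):
    """Split the recorded command into tool, input files, output file, short flags."""
    cmd = recorded_command(text)
    argv = shlex.split(cmd) if cmd else []
    if argv[:3] == ["uv", "pip", "compile"]:
        tool, args = "uv", argv[3:]
    elif argv[:1] == ["pip-compile"]:
        tool, args = "pip-compile", argv[1:]
    else:
        return None  # no header, or a command this sketch does not recognise
    inputs, output, short = [], None, []
    it = iter(args)
    for tok in it:
        name, eq, val = tok.partition("=")
        if tok.startswith("-") and not tok.startswith("--"):
            short.append(tok)  # the summary above mentions moving to long-form uv flags
        if name in VALUE_OPTS:
            value = val if eq else next(it, None)
            if name in ("--output-file", "-o"):
                output = value
        elif not tok.startswith("-"):
            inputs.append(tok)  # positional argument: an input file to update
    return {"tool": tool, "inputs": inputs, "output": output, "short_flags": short}

if __name__ == "__main__":
    print(parse_compile_header(SAMPLE_UV))
```

A file that returns `None` here has no recorded compile command, so there is no input file to trace its pins back to.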