[v2] Generate dependency lockfiles #8757
Conversation
Generate lockfiles from requirements files and replace requirements*.txt references to requirements*-lock.txt
There was a problem hiding this comment.
A couple quick comments about the mock changes but those otherwise look good. A quick note that splitting these kinds of changes into two PRs may be helpful in the future. That lets us keep review overhead lower and minimizes rollback impact. Ideally if one piece is broken we don't need to write a rollback by hand, and don't rollback unnecessary changes if we use git revert.
| @@ -370,11 +370,11 @@ The latest changes to the CLI are in the ``v2`` branch on github. This is | |||
| to make sure you ``git checkout v2``. | |||
|
|
|||
| If you just want to install a snapshot of the latest development version of | |||
| the CLI, you can use the ``requirements.txt`` file included in this repo. | |||
| the CLI, you can use the ``requirements-dev-lock.txt`` file included in this repo. | |||
There was a problem hiding this comment.
I left a similar comment for Jonathan's PR, but I don't know if we need to guide users to use the lock files. If we have a range we say we support, we shouldn't create failures because they have other tools needing something within that range.
| @@ -11,13 +11,14 @@ | |||
| # ANY KIND, either express or implied. See the License for the specific | |||
| # language governing permissions and limitations under the License. | |||
| import datetime | |||
| import mock | |||
|
|
|||
| from tests import mock | |||
There was a problem hiding this comment.
We're importing mock twice in this module. It looks like this is the CLI so we should probably keep line 21.
| @@ -0,0 +1,5 @@ | |||
| -r requirements-base.txt | |||
| tox==4.4.12 | |||
| build==0.7.0 | |||
There was a problem hiding this comment.
Just curious why build is here and not in either -base or -build?
There was a problem hiding this comment.
Based on historic commits and comments...
requirements-buildis specifically for dependencies required for building installersbuildwas added in 2021 whilerequirements-basewas added in 2022 and seems it was missed
I would agree that it makes sense to move build to requirements-base
| @@ -0,0 +1,14 @@ | |||
| # | |||
There was a problem hiding this comment.
If we install every lockfile at once do we have anything ensuring we don't have conflicts there? i.e. if we update one lockfile but forget to do the others, will we know before we merge?
There was a problem hiding this comment.
Hm that's a good point. At a minimum we should rework regenerate-lock-files or make use of it to generate all of these at once.
This also raises another concern where we make a dependency in pyproject.toml more restrictive but forget to regenerate requirements-docs-lock.txt (which takes pyproject.toml as input).
To provide a stable build environment, this PR does the following:
requirements.txt->requirements-dev.txtto align with AWS CLI v1 and boto projectsrequirements.txttorequirements-dev.txtfor backwards compatibilityrequirements-build-win.txtfile as an extra source forpip-compileso lockfiles include Windows dependenciesmocktounittest.mockimport to remove the dependency and simplify dependency resolutionrequirements*.txtfiles and replace their references in install scripts withrequirements*-lock.txt