Copilot AI commented Oct 24, 2025

Unpinned dependencies in requirements.txt caused production docker builds to fail unpredictably when upstream packages released breaking changes. Dependencies were scattered across setup.py, requirements.txt, requirements_dev.txt, environment.yml, and environment_dev.yml with no clear ownership.

Changes

Dependency consolidation

  • Migrated all dependencies to pyproject.toml following PEP 621 standards
  • Added version constraints for all packages (e.g., numpy>=1.24.0,<3.0) to prevent breaking upgrades
  • Organized into logical groups: core, performance, geo, io, analysis, dev, docs
  • Simplified setup.py to only handle Cython extensions; metadata now read from pyproject.toml

Automation

  • Created scripts/generate_requirements.py to generate requirements.txt and environment.yml from pyproject.toml
  • Added pre-commit hook to regenerate files when pyproject.toml changes
  • Added CI workflow to validate generated files stay in sync
  • Configured Dependabot for monthly dependency monitoring

Generated files (now auto-generated, do not edit manually)

  • requirements.txt, requirements_dev.txt
  • environment.yml, environment_dev.yml

Usage

Update dependencies:

# Edit pyproject.toml
vim pyproject.toml

# Regenerate all requirement files
python scripts/generate_requirements.py

# Commit both
git add pyproject.toml requirements*.txt environment*.yml

Install with optional features:

pip install .[all]          # All optional dependencies
pip install .[performance]  # Just dask, pyfftw
pip install -e .[dev]       # Development mode

See doc/source/developer_guide/dependency_management.rst for detailed documentation.

Original prompt

This section details the original issue you should resolve

<issue_title>no versions specified in requirements.txt cause unpredictable failures due to dependency upgrades.</issue_title>
<issue_description>I had made some modifications to our operational pysteps, tested the new version and this worked fine in our staging environment. Our production team created a new docker image on the production environment, but here the new prod runs crashed quite dramatically due to an error in a very freshly upgraded dependency.

This can happen at unpredictable moments because the requirements.txt file does not pin specific versions.

I have pinned our docker dependencies to a version that I know works. However, @jbelien pointed out to me that it would make more sense to simply specify the versions in the mainline pysteps requirements.txt instead.

I propose therefore to pin the versions of dependencies for reproducibility.

To avoid having to update this manually every time packages are updated, one can run dependabot.
</issue_description>

<agent_instructions>Make pyproject.toml the single source of truth for dependencies. Add documentation on how to generate the requirements yml and txt files for backwards compatibility.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

@ladc Additionally, dependencies are defined all over the place:
  • environment.yml (and the corresponding _dev file)
  • requirements.txt (and the corresponding _dev file)
  • setup.py
  • pyproject.toml

Which is the source of truth?
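One way the generator and the CI sync check described in this PR could be built, as an added example that is not the project's own scripts/generate_requirements.py; the pyproject.toml fragment, group names, channel and output layout are constructed assumptions:

```python
try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # assumption: tomli is installed on older interpreters

# Constructed pyproject.toml fragment standing in for the project's real file.
SAMPLE_PYPROJECT = """
[project]
name = "demo"
dependencies = ["numpy>=1.24.0,<3.0", "scipy>=1.10,<2"]

[project.optional-dependencies]
performance = ["dask>=2023.1", "pyfftw>=0.13"]
dev = ["pytest>=7"]
"""

HEADER = "# Auto-generated from pyproject.toml; do not edit manually."


def load_deps(text: str) -> tuple[list[str], dict[str, list[str]]]:
    """Parse PEP 621 metadata into (core dependencies, optional-dependency groups)."""
    proj = tomllib.loads(text)["project"]
    return list(proj.get("dependencies", [])), dict(proj.get("optional-dependencies", {}))


def resolve(core, extras, groups=()):
    """Core plus the requested optional groups, de-duplicated and sorted case-insensitively."""
    pkgs = set(core)
    for g in groups:
        pkgs.update(extras[g])  # KeyError on an unknown group is deliberate: fail loudly in CI
    return sorted(pkgs, key=str.lower)


def render_requirements(core, extras, groups=()) -> str:
    """requirements.txt content: one PEP 508 specifier per line, upper bounds kept intact."""
    return "\n".join([HEADER, *resolve(core, extras, groups)]) + "\n"


def render_environment(name, core, extras, groups=(), python=">=3.9") -> str:
    """environment.yml content; conda accepts the same >=,< specifiers.
    Pip-only packages would need a 'pip:' sub-list, which this example does not handle."""
    lines = [HEADER, f"name: {name}", "channels:", "  - conda-forge",
             "dependencies:", f"  - python{python}"]
    lines += [f"  - {p}" for p in resolve(core, extras, groups)]
    return "\n".join(lines) + "\n"


def check_in_sync(generated: str, committed: str) -> bool:
    """CI gate: a hand edit to a generated file, or a forgotten regeneration, makes this False."""
    return generated.rstrip() == committed.rstrip()
```

In CI the check would render each file from the committed pyproject.toml and compare it with the committed copy, so a direct edit to requirements.txt that loosens a constraint fails the build instead of silently shipping.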



Copilot AI and others added 4 commits October 24, 2025 22:19
- Migrate all dependencies to pyproject.toml with version pinning
- Update setup.py to read from pyproject.toml
- Create script to generate requirements files
- Auto-generate requirements.txt, requirements_dev.txt, environment.yml, environment_dev.yml
- Add comprehensive dependency management documentation
- Update CONTRIBUTING.rst with new dependency workflow

Co-authored-by: ladc <1212574+ladc@users.noreply.github.com>
- Add dependabot configuration for automated updates
- Add GitHub Actions workflow to validate requirements files
- Add pre-commit hook to regenerate requirements on pyproject.toml changes
- Update dependency management documentation

Co-authored-by: ladc <1212574+ladc@users.noreply.github.com>
- Fix indentation in .pre-commit-config.yaml
- Remove team reviewers from dependabot config (may not exist)

Co-authored-by: ladc <1212574+ladc@users.noreply.github.com>
- Add contents: read permission to limit GITHUB_TOKEN scope
- Addresses security best practice for GitHub Actions

Co-authored-by: ladc <1212574+ladc@users.noreply.github.com>
Copilot AI changed the title [WIP] Pin dependency versions in requirements.txt for stability Make pyproject.toml single source of truth for dependencies with version pinning Oct 24, 2025
Copilot AI requested a review from ladc October 24, 2025 22:27
Copilot finished work on behalf of ladc October 24, 2025 22:27

codecov bot commented Oct 24, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.14%. Comparing base (fe3a98a) to head (bd40a86).

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #527   +/-   ##
=======================================
  Coverage   84.14%   84.14%           
=======================================
  Files         168      168           
  Lines       14507    14507           
=======================================
  Hits        12207    12207           
  Misses       2300     2300           
Flag         Coverage Δ
unit_tests   84.14% <ø> (ø)
