chore: update-project.sh ⇄ phaze parity (floor-sync, cap-flag, full action SHA-pinning) #338
Merged
Bring scripts/update-project.sh in line with phaze's enhanced version (phaze PR #71, now merged), adapted to discogsography's uv workspace.

- sync_dependency_floors(): after `uv lock --upgrade`, raise the `>=` floors in every pyproject.toml (root + all 11 workspace members) to match the single root uv.lock. Covers [project.dependencies], [project.optional-dependencies].* and [dependency-groups].*; rewrites only the floor token, preserving caps (,<X), extras (pkg[redis]), markers (; sys_platform ...) and inline comments. Re-locks afterward. Implemented as an inline `uv run python` heredoc (tomllib + packaging).
- flag_capped_dependencies(): warn when a ,<X-capped dep has a release at/beyond the cap, parsed across all pyproject.toml files; skips the workspace's own packages.
- update_docker_images(): surface every Docker dependency (FROM base images, uv image, compose service images) and note who owns each.
- update_uv_version(): also scan .github/actions/ (setup-uv lives in the composite action here, not the workflows) and pin as `@<sha> # vX.Y.Z`.

Both new functions honor --dry-run.

Validated: shellcheck clean, shfmt clean, --dry-run exits 0 and exercises every section, pre-commit passes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pin every floating action ref in .github/workflows/ and .github/actions/
to a 40-char commit SHA with a ` # vX.Y.Z` comment (two spaces before
'#', standardized across all entries). Floating @vN/@stable/@<tool> tags
were resolved to their commit SHAs.
- 18 distinct actions pinned: checkout, cache, setup-node, setup-python,
upload-artifact, docker/{login,metadata,setup-buildx,build-push},
codecov, claude-code-action, codeql/upload-sarif, osv-scanner,
taiki-e/install-action, trufflehog, trivy, rust-toolchain.
- Existing 8 one-space pins normalized to two spaces; fixed the
create-pull-request comment `# v.8.1.1` -> `# v8.1.1`.
- dtolnay/rust-toolchain pinned to the stable-branch SHA with an explicit
`toolchain: stable`, and taiki-e/install-action@cargo-llvm-cov pinned to
the v2 SHA with `tool: cargo-llvm-cov`, to preserve behavior after
losing the channel/tool shorthand.
Validated: actionlint, yamllint (--strict), check-github-workflows and
check-github-actions all pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
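The pinning convention from the commit above, as an added defender-side check that is not part of update-project.sh or this PR: it scans workflow or composite-action YAML text for `uses:` refs and reports anything that is not a 40-char commit SHA with a two-space `# vX.Y.Z` comment (floating tags, missing or one-space comments, a `v.X.Y.Z` typo). The sample workflow and its all-zero/one/two SHAs are constructed placeholders.

```python
import re

# Added example (not the PR's update-project.sh): audit `uses:` refs in workflow and
# composite-action YAML for the convention the PR adopts: owner/repo@<40-hex-sha>  # vX.Y.Z
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)(?P<rest>.*)$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
COMMENT_RE = re.compile(r"^(?P<gap> +)#\s*(?P<tag>\S+)\s*$")

def audit_uses(yaml_text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, ref, problem) for each `uses:` that deviates from the convention."""
    findings = []
    for no, line in enumerate(yaml_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, rest = m.group("ref"), m.group("rest")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue                      # local composite actions / images: out of scope
        action, _, version = ref.rpartition("@")
        if not action:
            findings.append((no, ref, "no @ref at all (resolves to the default branch)"))
        elif not SHA_RE.fullmatch(version):
            findings.append((no, ref, f"floating ref '{version}' is not a 40-char commit SHA"))
        elif not (c := COMMENT_RE.match(rest)):
            findings.append((no, ref, "SHA pin has no trailing '  # vX.Y.Z' comment"))
        elif len(c.group("gap")) != 2:
            findings.append((no, ref, "comment must be separated by exactly two spaces"))
        elif not re.fullmatch(r"v\d+(\.\d+)*", c.group("tag")):
            findings.append((no, ref, f"malformed version comment '{c.group('tag')}'"))
    return findings

# Constructed sample; the all-zero/one/two SHAs are placeholders, not real commits.
ZERO_SHA, ONE_SHA, TWO_SHA = "0" * 40, "1" * 40, "2" * 40
SAMPLE_WORKFLOW = (
    "steps:\n"
    "  - uses: actions/checkout@v4\n"                        # floating tag
    f"  - uses: actions/cache@{ZERO_SHA} # v4.2.0\n"          # one-space comment
    f"  - uses: actions/setup-python@{ONE_SHA}  # v.5.3.0\n"  # typo'd version comment
    "  - uses: ./.github/actions/setup\n"                     # local composite action, skipped
    f"  - uses: docker/login-action@{TWO_SHA}  # v3.3.0\n"    # compliant
)

if __name__ == "__main__":
    for no, ref, problem in audit_uses(SAMPLE_WORKFLOW):
        print(f"line {no}: {ref}: {problem}")
```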
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Summary

Brings scripts/update-project.sh in line with phaze's enhanced updater (phaze #71, now merged), adapted to discogsography's shape: a uv workspace (root pyproject.toml + 11 member packages, single root uv.lock), a Rust extractor, and a Node frontend. All existing Rust/Node/multi-service/security-sweep behavior is preserved.

New capabilities

1. sync_dependency_floors() — runs right after the lock+sync step. `uv lock --upgrade` refreshes uv.lock within the existing `>=` floors but never raises the floors themselves (the job Dependabot otherwise opens PRs for). This raises the floors in pyproject.toml to match what's actually locked.
   - Reads every pyproject.toml (root + all 11 members) and resolves each against the single root uv.lock.
   - Covers [project.dependencies], every [project.optional-dependencies].* sub-array, and every [dependency-groups].* array.
   - Rewrites only the `>=` floor token — caps (,<X), extras (pkg[redis]), env markers (; sys_platform ...) and trailing inline comments are preserved.
   - Implemented as an inline `uv run python` heredoc (tomllib + packaging), not a tracked .py (scripts/ is type/lint-checked).
   - Re-runs `uv lock` afterward so recorded requirement metadata matches.
   - Honors --dry-run; prints one `BUMPED <file>: <pkg> <old> -> <new>` line per change (file-qualified for monorepo clarity).
2. flag_capped_dependencies() — warns when a ,<X-capped dependency has a release at or beyond the cap (uv can't cross a cap; raising it is a human decision). Cross-references `uv pip list --outdated`, parses caps from all pyproject.toml files, compares with packaging.version, and skips the workspace's own packages. Honors --dry-run. (discogsography currently has no capped deps, so this reports none — it's future-proofing.)

Parity audit (items 3–6)

- Every `uses:` in .github/workflows/ and .github/actions/ is now `owner/repo@<40-char-sha>  # vX.Y.Z`. 18 floating actions resolved to SHAs; the 8 pre-existing pins normalized to the two-space comment style; the create-pull-request comment fixed (`# v.8.1.1` → `# v8.1.1`). dtolnay/rust-toolchain@stable and taiki-e/install-action@cargo-llvm-cov are pinned with explicit `toolchain: stable` / `tool: cargo-llvm-cov` to preserve behavior after losing the channel/tool shorthand.
- update_uv_version() now also scans .github/actions/ (setup-uv lives in the composite action here, not the workflows) and pins it the same way.
- `apt-get install` already carries a `# hadolint ignore=DL3008` pragma; confirmed hadolint is clean for all 11 Dockerfiles.
- hadolint runs in .pre-commit-config.yaml, every hook `rev:` has a `# frozen: vX.Y.Z` comment, and shfmt covers scripts/update-project.sh.
- update_docker_images() — new function surfaces the full Docker dependency surface (all FROM base images incl. node/rust/debian, the uv image, and compose service images like postgres/neo4j/rabbitmq/redis), noting Dependabot-managed vs distro-managed (apt).

Comment-spacing convention

The task spec mandated two spaces before `#`. This repo's .yamllint only requires `min-spaces-from-content: 1` (so one space passes here — the "or yamllint fails" rule is phaze's), and the 8 existing pins used one space. Per maintainer direction, all entries — new and existing — are standardized to two spaces, and the script writes setup-uv pins the same way. Heads-up: Dependabot writes one space, so it may re-introduce drift on future action bumps.

Validation

- `shellcheck --severity=warning` — clean
- `shfmt` (repo args) — clean
- `./scripts/update-project.sh --dry-run` — exits 0, exercises every section, writes nothing
- `pre-commit run --all-files` — 29/29 hooks pass
- no-op when locked == floor (dry-run reports 91 proposed floor bumps across the workspace)
- `--outdated` data (flags correctly) and against the real workspace (reports none)
🤖 Generated with Claude Code