
fix(deps): consolidate dependabot uv ecosystem to single workspace root#1756

Merged
EItanya merged 2 commits intokagent-dev:mainfrom
jsonmp-k8:fix/dependabot-python-lock-refresh
Apr 29, 2026

Conversation

@jsonmp-k8
Contributor

@jsonmp-k8 jsonmp-k8 commented Apr 26, 2026

Summary

  • replace the per-member directories: list under package-ecosystem: uv with a single /python entry so Dependabot uses the root [tool.uv.workspace] to discover members and refreshes python/uv.lock in the same PR
  • group OpenTelemetry and Google AI Python dependencies so lockstep families land in a single PR
  • add applies-to: version-updates to the Python groups so security updates remain ungrouped
  • ignore semver-major /ui npm bumps so known-breaking major frontend upgrades stop opening standalone PRs

Why

Dependabot was opening separate PRs for each workspace member's pyproject.toml without refreshing the root python/uv.lock. Those PRs then failed CI when Docker runs uv sync --locked.

In a uv workspace the lockfile lives only at the workspace root; members have only a pyproject.toml. Dependabot's native uv ecosystem already discovers workspace members through the root [tool.uv.workspace] section, so a single directory: /python entry covers every member and updates the root lockfile alongside any member manifest in the same PR — no separate workflow or write-back step needed.

This replaces the earlier approach in this PR which used a pull_request_target workflow to run uv lock and push back to Dependabot's branch. @EItanya flagged that handoff as undesirable; this approach removes it entirely (and removes the new workflow file) while keeping the orthogonal grouping and ignore improvements.

Verification

  • ruby -e 'require "yaml"; YAML.load_file(".github/dependabot.yml")' (parses cleanly)
  • Once merged, the next Dependabot run on a Monday should produce at most one Python PR per group with both the changed pyproject.toml and python/uv.lock updated together.

Copilot AI review requested due to automatic review settings April 26, 2026 03:08
@github-actions github-actions Bot added the bug Something isn't working label Apr 26, 2026
Contributor

Copilot AI left a comment


Pull request overview

Stabilizes Dependabot-driven Python (uv) dependency updates by ensuring the root workspace lockfile stays in sync with workspace manifest changes, reducing CI failures when uv sync --locked runs in downstream builds.

Changes:

  • Add a guarded pull_request_target workflow to regenerate and commit python/uv.lock for eligible Dependabot PRs.
  • Update Dependabot config to group related root-workspace uv dependency families (OpenTelemetry and Google AI) into single PRs.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

  • .github/workflows/refresh-python-workspace-lock.yml: New workflow that validates PR file shape, runs uv lock, and pushes refreshed python/uv.lock back to Dependabot branches.
  • .github/dependabot.yml: Adds uv grouping rules for OpenTelemetry and Google AI dependencies; clarifies grouping behavior for minor/patch updates.


Comment thread .github/workflows/refresh-python-workspace-lock.yml Outdated
@jsonmp-k8 jsonmp-k8 force-pushed the fix/dependabot-python-lock-refresh branch 2 times, most recently from 339d78a to 8b9e21a Compare April 26, 2026 03:40
@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Apr 26, 2026
@jsonmp-k8
Contributor Author

@EItanya Some improvements to dependabot to avoid stale PRs

Contributor

@EItanya EItanya left a comment


I don't particularly love the github actions handoff here. This must be a common problem, how are others doing this?

The previous configuration listed every uv workspace member as its own
`directories:` entry. Dependabot would then open separate PRs for each
member's pyproject.toml without refreshing the root python/uv.lock,
causing CI to fail later when Docker runs `uv sync --locked`.

In a uv workspace, only the workspace root owns the lockfile; members
have a pyproject.toml only. Dependabot's native uv ecosystem already
discovers members through the root pyproject.toml's
[tool.uv.workspace] section, so a single `directory: /python` entry
covers all members and updates the root lockfile in the same PR.

Also adopt orthogonal Dependabot improvements:

- Group OpenTelemetry and Google AI dependency families so lockstep
  Python updates land in a single PR instead of fragmenting.
- Add `applies-to: version-updates` to the python groups so security
  updates remain ungrouped.
- Ignore semver-major /ui npm updates so known-breaking major
  frontend bumps stop opening standalone PRs; minor/patch still flow.

Signed-off-by: Jaison Paul <paul.jaison@gmail.com>
@jsonmp-k8 jsonmp-k8 force-pushed the fix/dependabot-python-lock-refresh branch from 8b9e21a to 8a6a136 Compare April 29, 2026 18:28
@jsonmp-k8 jsonmp-k8 changed the title fix: stabilize dependabot python updates fix(deps): consolidate dependabot uv ecosystem to single workspace root Apr 29, 2026
@github-actions github-actions Bot removed the bug Something isn't working label Apr 29, 2026
@jsonmp-k8
Contributor Author

@EItanya — reworked per your feedback. Dropped the GitHub Actions handoff entirely.

The root cause was the directories: list naming every uv workspace member. In a uv workspace the lockfile lives only at the root, so Dependabot opening PRs against members couldn't refresh python/uv.lock. Collapsing to a single directory: /python lets Dependabot's native uv ecosystem discover members through [tool.uv.workspace] and update the root lock in the same PR — which is how the native uv support is designed to work for workspaces.

PR is now a one-file diff (.github/dependabot.yml); the refresh-python-workspace-lock.yml workflow is gone.
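As an added illustration (not the repository's actual .github/dependabot.yml; the workspace member paths and the package patterns are assumed placeholders), the per-member layout the PR identifies as the root cause is shown beside the consolidated root entry with the grouping and ignore rules described above:

```yaml
# Added example, not the project's own file. Member paths and package
# patterns are assumed placeholders.
#
# BEFORE (the layout described as the root cause): one entry per
# workspace member. Dependabot bumps a member's pyproject.toml, but the
# lockfile lives only at /python, so python/uv.lock is never refreshed and
# `uv sync --locked` fails later in CI.
#
# version: 2
# updates:
#   - package-ecosystem: "uv"
#     directories:
#       - "/python/packages/member-a"   # assumed member path
#       - "/python/packages/member-b"   # assumed member path
#     schedule:
#       interval: "weekly"
#
# AFTER: a single root entry. Dependabot reads [tool.uv.workspace] from
# /python/pyproject.toml, discovers the members itself, and updates the
# root uv.lock together with the member manifest in the same PR.
version: 2
updates:
  - package-ecosystem: "uv"
    directory: "/python"
    schedule:
      interval: "weekly"
      day: "monday"
    groups:
      opentelemetry:
        applies-to: version-updates   # security updates stay ungrouped
        patterns:
          - "opentelemetry-*"         # assumed pattern
      google-ai:
        applies-to: version-updates
        patterns:
          - "google-*"                # assumed pattern
  - package-ecosystem: "npm"
    directory: "/ui"
    schedule:
      interval: "weekly"
    ignore:
      # Known-breaking major frontend bumps no longer open standalone PRs;
      # minor and patch updates still flow, and security updates are
      # unaffected by this ignore rule only if they are not semver-major.
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
```

The same YAML parse check listed under Verification (ruby -e 'require "yaml"; YAML.load_file(".github/dependabot.yml")') catches indentation mistakes in this file before it is committed.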

@github-actions github-actions Bot added the bug Something isn't working label Apr 29, 2026
Previous run hit a transient Alpine mirror failure
(`xz-5.8.3-r1: temporary error`) during `apk add` in the
`golang-adk-full` build step, unrelated to this PR's diff.

Signed-off-by: Jaison Paul <paul.jaison@gmail.com>
@EItanya EItanya merged commit c8f7346 into kagent-dev:main Apr 29, 2026
23 checks passed