-
Notifications
You must be signed in to change notification settings - Fork 89
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update lockfile #2002
Update lockfile #2002
Conversation
oop so ya by updating the lockfile we see a bug that someone installing from pip would experience but we were missing bc old lockfile |
oh boy i'm just seeing how much history there is i missed on this. Previously i raised this:
tagging @sierra-moxon and @pkalita-lbl as the two other ppl i see engaging here consistently. This is what i said previously:
And i see @vemonet said basically the same thing:
but i disagree with the argument that we should not version the
So i think there is some justified lack of clarity about "whats the point of the lockfile anyway" Yes the purpose is to allow for someone to (fingers crossed) perfectly reproduce a python environment. But since lockfiles aren't a python standard, but a poetry novelty, we don't have the same kind of use for them that yarn/npm do where each package can exist in its own perfect reality - instead python packages are all installed in the same soupy environment. The poetry docs do not help with clarity here, and i think actually make it worse:
They seem to forget that not only is it possible to install the package with pip, it is almost always how packages using poetry are installed. So the tradeoff is not between committing the lockfile or not, and it's not between reproducibility and not - the important thing is we need to know when the lockfile is useful.
so the point the poetry docs re "not knowing if a bug is caused by a package update or new code" is misleading by a mile imo - if there is a bug that's difficult to explain, one can install the package from the lockfile afterwards and run the tests again and if that fixes it, diagnose the source of the problem in one step. so tl;dr -
as a side note, re: linkml/linkml-runtime#288 |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #2002 +/- ##
=======================================
Coverage 80.69% 80.69%
=======================================
Files 104 104
Lines 11622 11622
Branches 2910 2910
=======================================
Hits 9378 9378
Misses 1701 1701
Partials 543 543 ☔ View full report in Codecov by Sentry. |
Thanks for writing up your thoughts on this. I think we're totally in alignment on the scope of the problem. And I just wanted to clarify that I fully appreciate that the Let me also just elaborate on the scenarios I'm thinking about that I'd prefer to avoid:
What I think would make more sense for this project would be either:
Either way we're limiting the number of people who potentially have to go down the dependency-upgrade-test-failure rabbit hole and also allowing them to do it when it works with their schedule (hopefully). I believe (although the meeting notes aren't exactly backing me up) that we talked about this on a developers call and roughly agreed to keeping the CI process the same but updating the With all that being said since this PR just updates the |
I am ready! And I think the "PR with lockfile updates" makes sense! Maybe it automerges if tests pass, but otherwise doesnt? We also probably want to turn on branch protections to main requiring that a PR be up to date (I think you can currently merge if there are no conflicts, but forcing a merge/rebase might prevent weird problems from like accidentally backtracking) Happy to PR that, ive seen it done a few times. Maybe it runs once a week or so? And always from the same branch so if an old PR is still open it can just get updated instead of stacking up. |
It might also be good to make a habit of putting the developer call discussions into the docs - if not as like a "when we make decisions we make sure theyre reflected in the developer docs" kinda thing, then copying whatever notes yall take into a changelog style section in the docs. Good to keep everyone on the same page by making stuff public and referenceable :) |
If that's automatable that would be great.
I hadn't though about that, but on first glance yeah that might be a good idea
I was thinking bi-weekly but obviously it wouldn't be set in stone or hard to change later so I don't have a strong preference. The same branch thing is a good idea, too.
I'll bring it up on the next developer call 😂 |
How about this github action (see example weekly workflow): https://github.com/Apakottur/action-poetry-package-update I haven't tried it, but it might be as easy as adding this workflow. |
that one looks like it's gonna update the deps in |
Noticed during #2001 that we're still on linkml-runtime 1.7.0 but 1.7.4 has been released. still not sure what da deal is with relocking but here's one.
(imo ideally this should be a gh action cron task that relocks, runs tests, and commits if they pass. if we're using the lockfile during testing, we should not let it get too far out of date bc all users install with pip aka not with a lockfile, so we get progressively out of step with what everyone else sees and miss bugs we shouldn't <3)