fix: poetry upstream resolution, health-check detection, and dead release links#102
Conversation
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.Scanned FilesNone |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #102 +/- ##
==========================================
+ Coverage 69.82% 71.33% +1.50%
==========================================
Files 22 22
Lines 3347 3359 +12
==========================================
+ Hits 2337 2396 +59
+ Misses 1010 963 -47
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Code Review
This pull request introduces support for explicit upstream source declarations in the tool catalog (allowing tools like Poetry to resolve to PyPI), preserves raw tags from GitHub and GitLab to ensure release URLs resolve correctly, and updates the Python package manager health check script to detect Poetry and Conda. The review feedback highlights several improvement opportunities: sanitizing URLs before terminal output to prevent escape sequence injection, handling string values robustly when parsing source_args, and adding defensive type checks on parsed JSON responses from external APIs to prevent potential runtime errors.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
There was a problem hiding this comment.
Pull request overview
This PR improves upstream version correctness and user-facing output around Python tooling and release links by (1) allowing catalog entries to explicitly define their upstream source, (2) preserving raw VCS tags for release URL construction, and (3) expanding the Python package manager health check to recognize additional tools.
Changes:
- Add
source_kind/source_argssupport in the catalog and setpoetryto resolve upstream versions via PyPI. - Update GitHub/GitLab collectors to return raw tags (for correct release URLs) while still extracting normalized version numbers.
- Extend
check_python_package_managers.shdetection to includepoetryandconda, and hyperlink latest versions incmd_updateprogress output; add targeted tests.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| tests/test_upstream_links.py | Adds regression tests for explicit source_kind, raw-tag URLs, and health-check detection. |
| scripts/check_python_package_managers.sh | Detects poetry/conda, counts them, and adjusts messaging/“optimal” verdict logic. |
| cli_audit/collectors.py | Preserves raw release tags from GitHub/GitLab while extracting normalized version numbers. |
| cli_audit/catalog.py | Allows catalog JSON to explicitly declare upstream source routing (source_kind/source_args). |
| catalog/poetry.json | Declares poetry upstream as PyPI via source_kind: pypi. |
| audit.py | Hyperlinks the “latest” value in cmd_update progress output using OSC8 when enabled. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…e tags Three related upstream/version-correctness fixes: - poetry showed 'latest: n/a' because _derive_source() returned 'skip' (homepage python-poetry.org matches neither python.org nor pypi.org, and install_method package_manager carries no pip/uv_tool hint). Support an explicit source_kind in the catalog and set poetry.json to pypi. - The Python package-manager health check only knew pip/pipx, so uv + poetry reported 'optimal'. Detect poetry and conda too. - GitHub/GitLab release URLs were built from the normalized version (.../releases/tag/1.7.12) but the real tag is v1.7.12 -> dead links. The collectors now return the raw tag for the URL while still normalizing the version number for display/compare. make update also hyperlinks the version. Signed-off-by: Sebastian Mendel <github@sebastianmendel.de>
b8b80a0 to
1e9867e
Compare
|
| script = (ROOT / "scripts" / "check_python_package_managers.sh").read_text() | ||
| assert "has_poetry" in script | ||
| assert "command -v poetry" in script | ||
| # "optimal" must require the absence of poetry | ||
| assert "! $has_poetry" in script |



Three related upstream/version-correctness fixes, all surfaced from a real
make update/make upgraderun.1. poetry showed
latest: n/a_derive_source()returnedskipfor poetry: its homepagepython-poetry.orgmatches neither
python.orgnorpypi.org, andinstall_method: package_managercarries no
pip/uv_toolhint. Now the catalog can declare an explicitsource_kind, andpoetry.jsonsetspypi→ resolveslatestfrom PyPI.2. Health check ignored poetry
check_python_package_managers.shonly knewpip/pipx, so uv + poetryreported "Only uv – optimal". It now detects
poetryandcondatoo, countsthem, and drops the "optimal" verdict when they're present (with a note that
poetry is a project-level manager, removable if unused).
3. Dead release links (missing
v)GitHub/GitLab release URLs were built from the normalized version
(
…/releases/tag/1.7.12), but the real tag isv1.7.12→ 404. Thecollectors now return the raw tag for the URL while still normalizing the
version number for display/compare. Confirmed live: actionlint's URL is now
…/releases/tag/v1.7.12→ HTTP 200.make updatealso hyperlinks thelatest version (was unlinked; respects
CLI_AUDIT_LINKS=0).Verification
pytest: 642 passed, 1 skipped (+8 new tests: explicit source_kind,raw-tag URLs for gh/gitlab, collector raw-tag returns, health-check detection).
E9,F63,F7,F82): clean. Smoke: pass.2.4.1from PyPI; actionlint link → 200.Note: the committed
upstream_versions.jsonbaseline still holds the oldv-less URLs; those refresh on the nextmake update-baseline(kept out ofthis PR to avoid mixing in unrelated version bumps).
make upgradere-collectslive, so it's fixed immediately by the code change.
No version bump / CHANGELOG (feature branch).