
Add git-versioning starting_version for Dependabot #807

Merged
TheJulianJES merged 2 commits into zigpy:dev from TheJulianJES:tjj/fix-dependabot-cycle
Jul 1, 2026

@TheJulianJES TheJulianJES commented Jul 1, 2026

Contributor

Problem

Dependabot fails to resolve dependencies on this repo with:

× No solution found when resolving dependencies for split (markers:
  python_full_version >= '3.15'):
╰─▶ ... we can conclude that zha:ci depends on itself at an incompatible
    version (zha>=2.0.0). And because your project requires zha[testing] and
    zha:ci, we can conclude that your project's requirements are unsatisfiable.

This is fallout from the recent refactor. zha-quirks now depends on zha, and zha pulls zha-quirks back in via the testing group (for device snapshots), forming a self-referential cycle:

zha[testing] -> zha-quirks -> zha>=2.0.0

uv satisfies zha-quirks's zha requirement with the editable root project. That's fine as long as the root's own version satisfies zha>=2.0.0. Our version is dynamic (setuptools-git-versioning, from git tags):

  • Locally / in CI, the latest tag 2.0.0 is reachable → the project resolves as 2.0.0 → the cycle closes → uv lock/uv sync succeed.
  • Dependabot re-resolves from scratch in an environment with no reachable tags → setuptools-git-versioning falls back to 0.0.1 → 0.0.1 < 2.0.0 → the cycle is unsatisfiable.

The python_full_version >= '3.15' marker is incidental: requires-python = ">=3.12" has no upper bound, so uv forks the resolution across the Python range and that fork is just where the failure surfaced.

Fix

Set setuptools-git-versioning's starting_version to the current major, so a tagless checkout still computes a version that satisfies zha>=2.0.0:

[tool.setuptools-git-versioning]
enabled = true
starting_version = "2.0.0"

This attacks the root cause (the fallback version) rather than the cycle itself, and needs bumping on each major release.

Why not a uv override-dependencies on zha?

That was the first candidate, but it doesn't work with the pinned uv (uv>=0.11.16): override-dependencies = ["zha"] references the project's own name, so uv requires a [tool.uv.sources] entry for it. The only valid source (workspace = true) collapses the lock from 214 → 46 packages, dropping the homeassistant extra and zha-quirks itself — i.e. exactly the deps the snapshot tests need.

Verification

  • Reproduced the exact Dependabot error locally via git clone --no-tags + uv lock on the base branch.
  • With the fix, the same tagless clone computes version 2.0.0 and uv lock resolves cleanly.
  • The committed uv.lock is byte-identical — locally/CI the git tag still drives the version, so nothing changes there. Only pyproject.toml is touched.

zha-quirks depends on zha, which forms a self-referential cycle via the
testing dependency group (zha -> zha-quirks -> zha>=2.0.0). With the
dynamic git-tag version this resolves fine locally and in CI, but a
from-scratch resolve without reachable tags (e.g. Dependabot) computes
the fallback 0.0.1, fails zha-quirks's zha>=2.0.0 constraint, and renders
the lock unsatisfiable.

Set setuptools-git-versioning's starting_version to 2.0.0 so a tagless
checkout still satisfies the cycle. The committed lock is unchanged.
@TheJulianJES TheJulianJES changed the title Add setuptools-git-versioning starting_version for Dependabot Add git-versioning starting_version for Dependabot Jul 1, 2026
@codecov

codecov Bot commented Jul 1, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.29%. Comparing base (063f18f) to head (be60c1f).
⚠️ Report is 2 commits behind head on dev.

Additional details and impacted files
@@            Coverage Diff             @@
##              dev     #807      +/-   ##
==========================================
- Coverage   97.29%   97.29%   -0.01%     
==========================================
  Files          55       55              
  Lines       10934    10933       -1     
==========================================
- Hits        10638    10637       -1     
  Misses        296      296              


@TheJulianJES

Contributor Author

In the future, we may look at breaking out the device snapshots from ZHA somewhat, introducing an alternative to Dependabot, or keeping a fixed ZHA version in pyproject.toml that's automatically bumped.

For now, this should be fine. We only need to bump it when zha-quirks depends on a newer ZHA version (and thus ZHA depends on that newer ZHA version itself).

Technically, I guess we could also set a really high number here, but the current 2.0.0 keeps it more in-line with what we're on.

@TheJulianJES TheJulianJES marked this pull request as ready for review July 1, 2026 16:32
Copilot AI review requested due to automatic review settings July 1, 2026 16:32

Copilot AI left a comment

Contributor


Pull request overview

This PR updates the project’s dynamic versioning configuration to ensure dependency resolution succeeds in tagless environments (notably Dependabot), avoiding an unsatisfiable self-referential dependency cycle when zha-quirks requires zha>=2.0.0.

Changes:

  • Configure setuptools-git-versioning with a starting_version = "2.0.0" fallback for checkouts with no reachable git tags.
  • Document why the fallback is needed (Dependabot/tagless clones) and note that it should be bumped on each major release.


@TheJulianJES TheJulianJES merged commit 8d3074a into zigpy:dev Jul 1, 2026
10 checks passed