Pin pyproject dependencies

jemrobinson commented 1 month ago

:white_check_mark: Checklist

[x] You have given your pull request a meaningful title (e.g. Enable foobar integration rather than 515 foobar).
[x] You are targeting the appropriate branch. If you're not certain which one this is, it should be develop.
[x] Your branch is up-to-date with the target branch (it probably was when you started, but it may have changed since then).

:vertical_traffic_light: Depends on

n/a

:arrow_heading_up: Summary

Pin Python package dependencies in pyproject.toml
Drop custom pre-installation of pinned versions
Drop custom updating scripts in favour of dependabot
Use recommended structure for environment requirements: group them into optional feature groups which means they can (if desired) be installed with e.g. pip install ".[test]"

Justification:

"Should I pin my dependencies?" discussion here and here
- summary: yes, if you're writing an application that isn't expecting other packages to depend on it

Potential issues:

~This only pins direct dependencies, not the things that those packages depend on~
- I think this is OK, as this shouldn't affect the functions we're calling. If it does, then we probably have a (hidden) direct dependency and should probably add that to pyproject.toml
- Solved by using hatch-pip-compile which is a built-in version of what we were previously doing manually
Dependabot might try to update the pinned requirements files
- Not sure whether this is a problem or not

:closed_umbrella: Related issues

Part of #2084

:microscope: Tests

Tested on a fork of this repository - dependabot is updating pyproject.toml as expected.

github-actions[bot] commented 1 month ago

Coverage report

This PR does not seem to contain any modification to coverable code.

jemrobinson commented 1 month ago

In principle pinning direct dependencies should be OK. If any of the functions from our directly-called libraries change their behaviour because of the specific version of their dependencies then we actually depend on that library too and we should be explicit about that.

I disagree that having minimal dependencies listed in pyproject.toml is helpful. We actually have no idea whether the set of constraints in this file were correct, because we never used them in development - we were always installing from requirements.txt.

jemrobinson commented 1 month ago

@JimMadge : Transitive dependencies now pinned using hatch-pip-compile

alan-turing-institute / data-safe-haven