Closed annastuchlik closed 1 month ago
We propose that each project commits its poetry.lock
file to the repository, as recommended in https://python-poetry.org/docs/basic-usage/#committing-your-poetrylock-file-to-version-control
Repeatable builds: Ensures consistent dependency versions across development and production.
Minimized risk of breakage: Locks dependencies to prevent issues from unexpected updates, as seen in https://github.com/scylladb/sphinx-scylladb-theme/pull/1157
Distribution flexibility vs. security: Committing the lock file limits automatic theme updates, favoring stability but reducing flexibility.
Proposed solution: Enable Dependabot on each project to automate dependency updates, targeting our Sphinx packages (sphinx-scylladb, sphinx-scylladb-multiversion).
- poetry.lock from make clean
- .poetry.lock from gitignore
- pyproject.toml to install always latest minor

During the upgrade to 1.8, I noticed that we needed to remove the poetry update command from the make setup command to ensure that the dependencies defined in poetry.lock are used in production builds. I’ve applied this change to most of the upgrade PRs, except for the repositories that have already merged, for which I’ll send a fix:
This issue is opened to start a discussion per the developer's request in issue https://github.com/scylladb/scylladb/issues/12033.
While checking in lock files is a good practice, the proposed solution may impact, for example, running local previews. We may opt to leave the current solution, but it's worth discussing what options we have.
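As an added illustration of the Dependabot proposal above (not a file from the issue or from any ScyllaDB repository), this is what a .github/dependabot.yml limited to the two Sphinx packages could look like. The weekly schedule and the PR limit are assumptions; the package names are the ones named in the proposal.

```yaml
# Added example, not part of the issue. Assumes pyproject.toml and poetry.lock
# live in the repository root; Dependabot reads Poetry projects via the
# "pip" ecosystem.
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"        # assumption: one review cycle per week
    open-pull-requests-limit: 2 # assumption: keeps review load small
    # Only the theme packages the proposal names get automatic bumps;
    # every other pinned dependency stays as poetry.lock records it.
    allow:
      - dependency-name: "sphinx-scylladb"
      - dependency-name: "sphinx-scylladb-multiversion"
    # Update poetry.lock only, so the version ranges in pyproject.toml
    # ("install always latest minor") are left untouched and each bump
    # arrives as a reviewable PR instead of a silent `poetry update`.
    versioning-strategy: "lockfile-only"
```

With this in place, a theme release changes production only after the resulting PR is merged, which is the trade-off the proposal describes between flexibility and stability.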