Closed jku closed 4 months ago
Lukas if you can take a look that's appreciated: I'm trying to avoid this: https://github.com/theupdateframework/tuf-on-ci/pull/328 -- that PR should only update the minimum versions in pyproject.toml but it gobbles up the pinned constraints too (which I'd rather handle with pip-compile in update-pinned-deps.yml)
The issue seems to be that dependabot finds "*.txt" files anywhere under the specified directory and updates them -- so the constraints need to live outside of any dependabot managed directories
The only thing I don't like is the name action-constraints.txt, because they are also used by tox locally. What about something like test-constraints.txt, or pinned-runtime-constraints.txt, ...
It could be pinned-repo-runtime-constraints.txt
... but even then the real reason for pinning is that I believe the actions should not upgrade dependencies silently, so action-constraints kind of makes sense to me at least. The same constraints are used in tests only because the constraints happen to be available -- the reason for the constraints is still that I want to keep the actions stable.
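The rationale above (pins exist so the actions cannot pick up a dependency upgrade silently) implies a simple guard a CI job can run: every requirement in the constraints file must be pinned with `==` and carry a `--hash`. The following is an added example, not code from tuf-on-ci or the thread's authors; the file name `action-constraints.txt`, the `pip-compile --generate-hashes` style layout and the sample contents (package names, versions, hashes) are constructed assumptions.

```python
"""Check that a pip constraints file pins every requirement exactly.

Added example, not code from the tuf-on-ci project. The file name
action-constraints.txt and the sample contents below are assumptions.
"""
import re
import sys
from typing import List

# Constructed sample in the shape pip-compile --generate-hashes emits;
# names, versions and hashes are made up for illustration.
SAMPLE_CONSTRAINTS = """\
# This file is autogenerated by pip-compile (constructed sample)
securesystemslib==1.0.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
tuf>=5.0 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
click==8.1.7
"""

# A requirement pinned to exactly one version: "name[extra]==version".
PIN_RE = re.compile(r"^([A-Za-z0-9_.\-\[\]]+)==\S+$")


def parse_requirements(text: str) -> List[str]:
    """Join backslash continuations and drop comments/blank lines.

    Returns one logical requirement line per package. Comment stripping
    assumes plain PyPI requirements (no URL fragments containing '#').
    """
    logical: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):
            buf += line[:-1].strip() + " "
            continue
        buf += line.strip()
        logical.append(buf)
        buf = ""
    if buf:
        logical.append(buf.strip())
    return logical


def find_unpinned(text: str, require_hashes: bool = True) -> List[str]:
    """Return a problem description for every requirement that is not
    pinned with ==, or (when require_hashes is set) has no --hash option."""
    problems: List[str] = []
    for req in parse_requirements(text):
        spec, *hash_opts = req.split(" --hash=")
        spec = spec.strip()
        if not PIN_RE.match(spec):
            problems.append(f"not pinned with ==: {spec}")
        elif require_hashes and not hash_opts:
            problems.append(f"no --hash: {spec}")
    return problems


if __name__ == "__main__":
    # Usage: python check_pins.py action-constraints.txt
    # With no argument the constructed sample is checked instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONSTRAINTS
    issues = find_unpinned(text)
    for issue in issues:
        print(issue)
    sys.exit(1 if issues else 0)
```

Run against the real constraints file in the workflow that installs the actions' dependencies; a non-zero exit means a loosened or hash-less entry slipped in (for instance from a tool that rewrote the file), which is exactly the silent upgrade path the pinning is meant to close.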
Dependabot still bundles dependencies I don't want bundled: