Description
Bug Report
This project's build workflows sometimes break when new versions of Python package dependencies are released.
python_build_requirements.txt pins some dependencies, but it uses the latest mypy and recent ni-python-styleguide, and it doesn't necessarily lock all indirect dependencies:
```
contextlib2==21.6.0
Mako==1.2.2
MarkupSafe==2.0.1
schema==0.7.4
black==23.3.0
mypy>=0.910
ni-python-styleguide~=0.1
pycodestyle==2.7.0
importlib-metadata==4.12.0
```
examples/pyproject.toml has a poetry.lock file checked into Git, which is good, but source/codegen/validate_examples.py runs "poetry lock", which defeats the purpose of having a lock file (which is to control when dependencies are updated).
Repro or Code Sample
Expected Behavior
Build workflows use known, working dependency versions.
Current Behavior
The build workflows failed for this PR because the new version of mypy-protobuf (version 3.7.0) dropped support for protobuf v4, but the examples project still uses grpcio-tools 1.49.1, which requires protobuf >=4.0,<5.0.
Possible Solution
- Replace python_build_requirements.txt with a pyproject.toml + poetry.lock
- Remove "poetry lock" from all build workflows and build scripts
- Use Renovate Bot to keep the lock file up to date - Enable and Configure Dependabot version updates #1109
Context
Updated Python dependencies broke a PR that was unrelated to Python
Your Environment
N/A
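
A CI-style check for the floating specifiers described in this report, as an added example that is not part of the original issue or the project's code. The function name `find_floating_requirements` is hypothetical, and the sample input is constructed from the requirement lines quoted in the report.

```python
import re

# Constructed sample: the requirement lines quoted in the issue above.
SAMPLE_REQUIREMENTS = """\
contextlib2==21.6.0
Mako==1.2.2
MarkupSafe==2.0.1
schema==0.7.4
black==23.3.0
mypy>=0.910
ni-python-styleguide~=0.1
pycodestyle==2.7.0
importlib-metadata==4.12.0
"""

# Package name, optional [extras], then the version specifier text (may be empty).
_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)$")
# An exact pin is a single "==" clause with no wildcard such as "==1.*".
_EXACT = re.compile(r"^==\s*[A-Za-z0-9][A-Za-z0-9.!+_-]*$")


def find_floating_requirements(text):
    """Return (line_no, name, specifier) for each entry that is not an exact pin."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()  # drop comments
        if not line or line.startswith("-"):           # blanks and pip options (-r, ...)
            continue
        line = line.split(";", 1)[0].strip()           # drop environment markers
        match = _REQ.match(line)
        if not match:
            findings.append((line_no, line, "unparsed"))
            continue
        name, _extras, spec = match.groups()
        spec = spec.strip()
        if not _EXACT.match(spec):
            findings.append((line_no, name, spec or "unpinned"))
    return findings


if __name__ == "__main__":
    for line_no, name, spec in find_floating_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {line_no}: {name} {spec} is not pinned to an exact version")
```

The check covers only the direct entries in the file; indirect dependencies still need a lock file.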