Pin Python requirements, dependency cooldowns

sethmlarson · sethmlarson · commit 784d83027a31 · 2026-04-23T17:24:34.000-05:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -3,31 +3,17 @@ updates:
 - package-ecosystem: pip
   directory: "/"
   schedule:
-    interval: daily
+    interval: weekly
+  cooldown:
+    default-days: 7
   open-pull-requests-limit: 10
-  ignore:
-  - dependency-name: docutils
-    versions:
-    - "0.16"
-    - "0.17"
-  - dependency-name: responses
-    versions:
-    - 0.12.1
-    - 0.13.0
-    - 0.13.1
-    - 0.13.2
-  - dependency-name: "boto3"
-  - dependency-name: "boto3-stubs"
-  - dependency-name: "botocore"
-  - dependency-name: "botocore-stubs"
-  - dependency-name: lxml
-    versions:
-    - 4.6.2
 - package-ecosystem: github-actions
   directory: "/"
   groups:
     github-actions:
       patterns:
         - "*"  # Group all Actions updates into a single larger pull request
   schedule:
-    interval: daily
+    interval: weekly
+  cooldown:
+    default-days: 7
diff --git a/Dockerfile b/Dockerfile
@@ -32,7 +32,10 @@ RUN case $(uname -m) in \
 RUN mkdir /code
 WORKDIR /code
 
-RUN pip --no-cache-dir --disable-pip-version-check install --upgrade pip setuptools wheel
+COPY requirements-bootstrap.txt /code/
+
+RUN pip --no-cache-dir --disable-pip-version-check \
+      install -r requirements-bootstrap.txt
 
 COPY pyproject.toml /code/
 
diff --git a/Dockerfile.cabotage b/Dockerfile.cabotage
@@ -33,15 +33,17 @@ RUN case $(uname -m) in \
 RUN mkdir /code
 WORKDIR /code
 
-RUN pip --no-cache-dir --disable-pip-version-check install --upgrade pip setuptools wheel
+COPY requirements-bootstrap.txt /code/
 
-COPY pyproject.toml /code/
+RUN pip --no-cache-dir --disable-pip-version-check \
+      install -r requirements-bootstrap.txt
+
+COPY requirements-prod.txt /code/
 
 RUN --mount=type=cache,target=/root/.cache/pip \
     set -x \
     && pip --disable-pip-version-check \
-        install \
-        '.[prod]'
+        install -r requirements-prod.txt
 
 COPY . /code/
 
diff --git a/requirements-bootstrap.in b/requirements-bootstrap.in
@@ -0,0 +1,5 @@
+--only-binary :all:
+
+pip
+setuptools
+wheel
diff --git a/requirements-bootstrap.txt b/requirements-bootstrap.txt
@@ -0,0 +1,22 @@
+#
+# This file is autogenerated by pip-compile with Python 3.12
+# by the following command:
+#
+#    pip-compile --allow-unsafe --generate-hashes --output-file=requirements-bootstrap.txt requirements-bootstrap.in
+#
+--only-binary :all:
+
+packaging==26.1 \
+    --hash=sha256:5d9c0669c6285e491e0ced2eee587eaf67b670d94a19e94e3984a481aba6802f
+    # via wheel
+wheel==0.47.0 \
+    --hash=sha256:212281cab4dff978f6cedd499cd893e1f620791ca6ff7107cf270781e587eced
+    # via -r requirements-bootstrap.in
+
+# The following packages are considered to be unsafe in a requirements file:
+pip==26.0.1 \
+    --hash=sha256:bdb1b08f4274833d62c1aa29e20907365a2ceb950410df15fc9521bad440122b
+    # via -r requirements-bootstrap.in
+setuptools==82.0.1 \
+    --hash=sha256:a59e362652f08dcd477c78bb6e7bd9d80a7995bc73ce773050228a348ce2e5bb
+    # via -r requirements-bootstrap.in
diff --git a/requirements-prod.in b/requirements-prod.in
@@ -0,0 +1,10 @@
+--only-binary :all:
+--no-binary django-apptemplates
+--no-binary django-translation-aliases
+--no-binary django-haystack
+--no-binary django-tastypie
+--no-binary sgmllib3k
+--no-binary docopt
+--no-binary odfpy
+
+.[prod]
diff --git a/requirements-prod.txt b/requirements-prod.txt
diff --git a/uv.lock b/uv.lock

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +--only-binary :all:
++
 +pip
 +setuptools
 +wheel