Extend PyPI-proxy lock check to *.py.lock #5830
Open
janniklasrose wants to merge 1 commit into
Broaden the check-uv-lock backstop (added in #5800 for *uv.lock) to also cover *.py.lock, and rename it to check-lockfiles. It fails if an internal *.databricks.com PyPI proxy URL leaks into a committed lock's source.registry, so `task checks` (and CI, via check.yml) surfaces the violation without relying on a local git hook.

internal/genkit/tagging.py.lock already carried proxy URLs, so normalize them back to pypi.org to keep the check (and main) green. The proxy is a transparent pypi.org mirror, so only source.registry changes.

Unlike pydabs-codegen for *uv.lock, generate-clijson does not yet revert this churn, so regenerating tagging.py.lock will trip the check until a follow-up adds the rewrite. Noted in the task comment.

Co-authored-by: Isaac
Contributor
Approval status: pending
Collaborator
Integration test report
Commit: 0bf2d66
24 interesting tests: 15 SKIP, 5 flaky, 4 RECOVERED
Top 5 slowest tests (at least 2 minutes):
Changes
Similar to #5800 (which added `check-uv-lock` for `*uv.lock`), extend the backstop to `*.py.lock` and rename it to `check-lockfiles`. It fails if an internal `*.databricks.com` PyPI proxy URL leaks into a committed lock's `source.registry`, so `task checks` (and CI via `check.yml`) surfaces the violation — no local git hook required.

`internal/genkit/tagging.py.lock` already carried `pypi-proxy.cloud.databricks.com` URLs, so this normalizes them back to `pypi.org`. The proxy is a transparent pypi.org mirror (identical artifact URLs and hashes), so only `source.registry` lines change.

Why
#5800 only handled the `uv.lock` case; `*.py.lock` (currently just `tagging.py.lock`) was left uncovered and had been carrying proxy URLs since it was introduced.

Note: unlike the `pydabs-codegen` task for `*uv.lock`, the `generate-clijson` task does not yet revert this churn, so regenerating `tagging.py.lock` will trip the check until a follow-up adds the rewrite. This is called out in the task comment.

Tests
`task check-lockfiles` passes with the fix and fails (exit 1) when the proxy URL is present. `task checks` runs green.

This PR was written by Isaac, an AI coding agent.
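
A sketch of the kind of backstop the description above refers to, added here as an illustration and not the repository's own `check-lockfiles` task: it scans `*uv.lock` and `*.py.lock` files for `registry` URLs whose host falls under `databricks.com`, matching on the parsed hostname instead of a substring, and exits 1 on a hit. The function names, the regex and the sample lock content are assumptions constructed for this example.

```python
import re
import sys
from pathlib import Path
from urllib.parse import urlsplit

# Assumption: internal proxy hosts sit under this domain, per the PR text.
INTERNAL_DOMAIN = "databricks.com"
# Lock file names the PR says the check covers.
LOCK_GLOBS = ("*uv.lock", "*.py.lock")
# uv records a package's index as: source = { registry = "<index URL>" }
REGISTRY_RE = re.compile(r'\bregistry\s*=\s*"([^"]+)"')

def is_internal(url: str) -> bool:
    """True only when the URL's host is the internal domain or a subdomain."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)

def scan_text(text: str) -> list[tuple[int, str]]:
    """Return (line number, URL) for each registry URL on an internal host."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hits += [(lineno, u) for u in REGISTRY_RE.findall(line) if is_internal(u)]
    return hits

def scan_tree(root: Path) -> list[tuple[Path, int, str]]:
    """Scan every matching lock file under root, sorted for stable CI output."""
    paths = sorted({p for g in LOCK_GLOBS for p in root.rglob(g) if p.is_file()})
    return [(p, n, u) for p in paths
            for n, u in scan_text(p.read_text(encoding="utf-8"))]

# Constructed sample in uv's lock layout (not copied from the repository).
SAMPLE = '''[[package]]
name = "requests"
source = { registry = "https://pypi-proxy.cloud.databricks.com/simple" }

[[package]]
name = "idna"
source = { registry = "https://pypi.org/simple" }
'''

if __name__ == "__main__":
    found = scan_tree(Path(sys.argv[1] if len(sys.argv) > 1 else "."))
    for path, lineno, url in found:
        print(f"{path}:{lineno}: internal registry {url}")
    sys.exit(1 if found else 0)
```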