Skip to content

[Build] Use pip constraints to pin dependency versions #30197

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
njhill wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

[Build] Use pip constraints to pin dependency versions #30197

njhill wants to merge 2 commits into from
+7,627 −5

Conversation

@njhill
Copy link
Member

@njhill njhill commented Dec 7, 2025
edited by github-actions bot
Loading

Used claude code for this.

I think an alternative option could be to use .in files like we already do for the test dependencies.

Resolves #28071.

@mergify mergify bot added ci/build nvidia rocm Related to AMD ROCm labels Dec 7, 2025
@njhill njhill mentioned this pull request Dec 7, 2025
Open
1 task
gemini-code-assist[bot]
gemini-code-assist bot reviewed Dec 7, 2025
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a robust mechanism for pinning dependency versions using pip constraints, which is a significant step towards ensuring reproducible builds. The implementation across the various Dockerfiles is well-executed, and the addition of the compile_constraints.sh script and the detailed README.md is commendable. I have identified one critical issue in the constraint generation script for ROCm builds that could lead to incorrect dependencies being installed. The fix is straightforward and detailed in the review comment.

@njhill njhill mentioned this pull request Dec 7, 2025
Open
@njhill
[Build] Use pip constraints to pin dependency versions
bbb974e 
Signed-off-by: Nick Hill <[email protected]>

Co-authored-by: Claude Code
Signed-off-by: Nick Hill <[email protected]>
@njhill @gemini-code-assist
Update requirements/compile_constraints.sh
f4924e2 
For ROCm Docker builds

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Signed-off-by: Nick Hill <[email protected]>
markmc
markmc reviewed Dec 8, 2025
View reviewed changes
requirements/constraints/README.md
./compile_constraints.sh
```

This will resolve all dependencies to their latest compatible versions available on PyPI.
Copy link
Member

@markmc markmc Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Given that we're trying to insulate ourselves from package versions that break us, we are expecting this updated package set to break with some regularity ... and yet we do want to update to the latest version of dependencies as quickly as possible

In #28071 you're suggesting (I guess) running compile_constraints.sh in an updated job that will submit a PR.

When that fails, someone will narrow down which package broke us, and submit a separate PR with a version block in requirements/*.txt e.g. requests!=2.16.1,>= 2.26.0 ?

Copy link
Member Author

@njhill njhill Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@markmc yes exactly, or adjust code accordingly. But as also discussed in that issue, perhaps dependabot can be used to automate opening the PRs rather than a job that runs the script.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@markmc markmc markmc left review comments

@gshtras gshtras Awaiting requested review from gshtras gshtras will be requested when the pull request is marked ready for review gshtras is a code owner

@tjtanaa tjtanaa Awaiting requested review from tjtanaa tjtanaa will be requested when the pull request is marked ready for review tjtanaa is a code owner

@jikunshang jikunshang Awaiting requested review from jikunshang jikunshang will be requested when the pull request is marked ready for review jikunshang is a code owner

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

ci/build nvidia rocm Related to AMD ROCm

Projects

NVIDIA
Status: No status

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[RFC]: Pin all dependencies

2 participants

@njhill @markmc