build: add uv exclude-newer, pip uploaded-prior-to and Dependabot cooldown as supply chain guardrails (#11170)
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -4,3 +4,12 @@ updates:
|
||||
directory: '/'
|
||||
schedule:
|
||||
interval: 'daily'
|
||||
cooldown:
|
||||
default-days: 1
|
||||
|
||||
- package-ecosystem: 'pip'
|
||||
directory: '/'
|
||||
schedule:
|
||||
interval: 'daily'
|
||||
cooldown:
|
||||
default-days: 1
|
||||
|
||||
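Review bot: `default-days: 1` in both `cooldown` blocks is a very short quarantine: with `interval: 'daily'`, Dependabot can still propose a release roughly a day after publication, which is often before a hijacked release has been reported and pulled. A longer window such as `default-days: 7`, optionally with a larger `semver-major-days`, would give the guardrail more room. Dependabot security updates are not delayed by `cooldown`, so urgent fixes would still arrive. The first entry's `package-ecosystem` line is above the hunk, so which ecosystem it covers is not visible here.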
@@ -65,7 +65,9 @@ jobs:
|
||||
|
||||
- name: Install Hatch
|
||||
if: steps.changed.outputs.needs_check == 'true'
|
||||
run: pip install hatch
|
||||
run: |
|
||||
python -m pip install --upgrade pip
|
||||
pip install hatch --uploaded-prior-to=P1D
|
||||
|
||||
- name: Generate API references
|
||||
if: steps.changed.outputs.needs_check == 'true'
|
||||
|
||||
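Review bot: `pip install hatch --uploaded-prior-to=P1D` leaves Hatch unpinned, so this job takes whatever release is newest once it is a day old, while the other workflows on this page install `hatch==${{ env.HATCH_VERSION }}`. Pinning here as well, `pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D`, keeps the tool version a reviewed change instead of a moving target. This assumes `HATCH_VERSION` is, or can be, defined in this workflow's `env`, which lies outside the hunk.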
@@ -38,7 +38,9 @@ jobs:
|
||||
python-version: '3.11'
|
||||
|
||||
- name: Install Hatch
|
||||
run: pip install hatch==${{ env.HATCH_VERSION }}
|
||||
run: |
|
||||
python -m pip install --upgrade pip
|
||||
pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D
|
||||
|
||||
- name: Generate API reference for Docusaurus
|
||||
run: hatch run docs
|
||||
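Review bot: The added `python -m pip install --upgrade pip` runs without any age filter, so the installer itself is always taken at its newest release and every later step trusts that pip. Presumably the upgrade is there because the runner's bundled pip may not recognise `--uploaded-prior-to`; if so, upgrading to an explicit, reviewed version, e.g. `python -m pip install "pip==<PINNED_PIP_VERSION>"`, gives the same capability without the unguarded step. The same pair of lines appears in every workflow hunk on this page.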
@@ -46,7 +48,7 @@ jobs:
|
||||
- name: Install base dependencies
|
||||
run: |
|
||||
python -m pip install --upgrade pip
|
||||
pip install requests toml
|
||||
pip install requests toml --uploaded-prior-to=P1D
|
||||
|
||||
- name: Run snippet tests (verbose)
|
||||
shell: bash
|
||||
|
||||
@@ -38,7 +38,9 @@ jobs:
|
||||
- name: Install script dependencies
|
||||
# sniffio is needed because of https://github.com/deepset-ai/deepset-cloud-sdk/issues/286
|
||||
# we pin pyrate-limiter due to https://github.com/deepset-ai/deepset-cloud-sdk/issues/295
|
||||
run: pip install deepset-cloud-sdk sniffio requests "pyrate-limiter<4"
|
||||
run: |
|
||||
python -m pip install --upgrade pip
|
||||
pip install deepset-cloud-sdk sniffio requests "pyrate-limiter<4" --uploaded-prior-to=P1D
|
||||
|
||||
- name: Update new docs to Search pipeline and remove outdated docs
|
||||
env:
|
||||
|
||||
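Review bot: The rewritten `Install script dependencies` step still resolves `deepset-cloud-sdk`, `sniffio` and `requests` with no version bound, and the following step opens an `env:` block whose contents are cut off by the hunk, presumably credentials for the docs sync. The one-day delay narrows the exposure window but does not make the install reproducible. A requirements file with pinned versions, installed with `--require-hashes`, would make the code that runs next to those values an explicit, reviewed set.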
@@ -30,7 +30,9 @@ jobs:
|
||||
python-version: "${{ env.PYTHON_VERSION }}"
|
||||
|
||||
- name: Install Hatch
|
||||
run: pip install hatch==${{ env.HATCH_VERSION }}
|
||||
run: |
|
||||
python -m pip install --upgrade pip
|
||||
pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D
|
||||
|
||||
- name: Generate API reference for Docusaurus
|
||||
run: hatch run docs
|
||||
|
||||
@@ -34,7 +34,9 @@ jobs:
|
||||
python-version: "${{ env.PYTHON_VERSION }}"
|
||||
|
||||
- name: Install Hatch
|
||||
run: pip install hatch==${{ env.HATCH_VERSION }}
|
||||
run: |
|
||||
python -m pip install --upgrade pip
|
||||
pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D
|
||||
|
||||
- name: Run tests
|
||||
run: hatch run e2e:test
|
||||
|
||||
@@ -27,7 +27,7 @@ jobs:
|
||||
- name: Install reno
|
||||
run: |
|
||||
python -m pip install --upgrade pip
|
||||
pip install "reno<5"
|
||||
pip install "reno<5" --uploaded-prior-to=P1D
|
||||
|
||||
# Remove next version rc0 tag in the CI environment to prevent reno from assigning notes to future releases.
|
||||
# This ensures release notes are correctly aggregated for the current version.
|
||||
|
||||
@@ -29,7 +29,8 @@ jobs:
|
||||
|
||||
- name: Get direct dependencies
|
||||
run: |
|
||||
pip install toml
|
||||
python -m pip install --upgrade pip
|
||||
pip install toml --uploaded-prior-to=P1D
|
||||
python .github/utils/pyproject_to_requirements.py pyproject.toml > ${{ env.REQUIREMENTS_FILE }}
|
||||
|
||||
- name: Check Licenses
|
||||
|
||||
@@ -36,7 +36,9 @@ jobs:
|
||||
echo "Building haystack-ai version: ${NIGHTLY_VERSION}"
|
||||
|
||||
- name: Install Hatch
|
||||
run: pip install hatch==${{ env.HATCH_VERSION }}
|
||||
run: |
|
||||
python -m pip install --upgrade pip
|
||||
pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D
|
||||
|
||||
- name: Build Haystack
|
||||
run: hatch build
|
||||
|
||||
@@ -22,7 +22,9 @@ jobs:
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
|
||||
- name: Install Hatch
|
||||
run: pip install hatch==${{ env.HATCH_VERSION }}
|
||||
run: |
|
||||
python -m pip install --upgrade pip
|
||||
pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D
|
||||
|
||||
- name: Build Haystack
|
||||
run: hatch build
|
||||
|
||||
@@ -175,7 +175,9 @@ jobs:
|
||||
python-version: "3.13"
|
||||
|
||||
- name: Install tomlkit
|
||||
run: pip install tomlkit
|
||||
run: |
|
||||
python -m pip install --upgrade pip
|
||||
pip install tomlkit --uploaded-prior-to=P1D
|
||||
|
||||
- name: Update haystack-ai in uv.lock
|
||||
run: python haystack/.github/utils/update_haystack_dc_custom_nodes.py "${{ env.VERSION }}" deepset-cloud-custom-nodes/uv.lock
|
||||
|
||||
@@ -51,7 +51,8 @@ jobs:
|
||||
- name: Verify release notes formatting
|
||||
if: steps.changed-files.outputs.any_changed == 'true' && !contains( github.event.pull_request.labels.*.name, 'ignore-for-release-notes')
|
||||
run: |
|
||||
pip install "reno<5"
|
||||
python -m pip install --upgrade pip
|
||||
pip install "reno<5" --uploaded-prior-to=P1D
|
||||
reno lint . # it is not possible to pass a list of files to reno lint
|
||||
|
||||
- name: Check reStructuredText code formatting
|
||||
|
||||
@@ -139,7 +139,8 @@ jobs:
|
||||
id: hatch
|
||||
shell: bash
|
||||
run: |
|
||||
pip install hatch==${{ env.HATCH_VERSION }}
|
||||
python -m pip install --upgrade pip
|
||||
pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D
|
||||
|
||||
- name: Run Tika
|
||||
if: matrix.os == 'ubuntu-latest'
|
||||
|
||||
@@ -77,7 +77,9 @@ jobs:
|
||||
python-version: "${{ env.PYTHON_VERSION }}"
|
||||
|
||||
- name: Install Hatch
|
||||
run: pip install hatch==${{ env.HATCH_VERSION }}
|
||||
run: |
|
||||
python -m pip install --upgrade pip
|
||||
pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D
|
||||
|
||||
- name: Ruff - check format and linting
|
||||
run: hatch run fmt-check
|
||||
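Review bot: `--uploaded-prior-to=P1D` is repeated by hand on every `pip install` line in this workflow (this hunk and the ones that follow), so a step added later without it silently loses the guard. pip generally reads long options from `PIP_*` environment variables, so a single workflow-level `env:` entry `PIP_UPLOADED_PRIOR_TO: P1D` would likely cover all steps at once; it is worth confirming that the runner's pre-upgrade pip tolerates the variable. A short comment above the first use, such as `# P1D: only consider files uploaded at least one day ago`, would help readers who have not met the flag.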
@@ -96,7 +98,9 @@ jobs:
|
||||
python-version: "${{ env.PYTHON_VERSION }}"
|
||||
|
||||
- name: Install Hatch
|
||||
run: pip install hatch==${{ env.HATCH_VERSION }}
|
||||
run: |
|
||||
python -m pip install --upgrade pip
|
||||
pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D
|
||||
|
||||
- name: Check imports
|
||||
run: hatch run python .github/utils/check_imports.py
|
||||
@@ -127,7 +131,8 @@ jobs:
|
||||
id: hatch
|
||||
shell: bash
|
||||
run: |
|
||||
pip install hatch==${{ env.HATCH_VERSION }}
|
||||
python -m pip install --upgrade pip
|
||||
pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D
|
||||
echo "env=$(hatch env find test)" >> "$GITHUB_OUTPUT"
|
||||
|
||||
- name: Run
|
||||
@@ -189,7 +194,8 @@ jobs:
|
||||
id: hatch
|
||||
if: steps.files.outputs.any_changed == 'true'
|
||||
run: |
|
||||
pip install hatch==${{ env.HATCH_VERSION }}
|
||||
python -m pip install --upgrade pip
|
||||
pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D
|
||||
echo "env=$(hatch env find test)" >> "$GITHUB_OUTPUT"
|
||||
|
||||
- name: Mypy
|
||||
@@ -214,7 +220,8 @@ jobs:
|
||||
id: hatch
|
||||
shell: bash
|
||||
run: |
|
||||
pip install hatch==${{ env.HATCH_VERSION }}
|
||||
python -m pip install --upgrade pip
|
||||
pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D
|
||||
echo "env=$(hatch env find test)" >> "$GITHUB_OUTPUT"
|
||||
|
||||
|
||||
@@ -240,7 +247,8 @@ jobs:
|
||||
id: hatch
|
||||
shell: bash
|
||||
run: |
|
||||
pip install hatch==${{ env.HATCH_VERSION }}
|
||||
python -m pip install --upgrade pip
|
||||
pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D
|
||||
echo "env=$(hatch env find test)" >> "$GITHUB_OUTPUT"
|
||||
|
||||
- uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
|
||||
@@ -272,7 +280,8 @@ jobs:
|
||||
id: hatch
|
||||
shell: bash
|
||||
run: |
|
||||
pip install hatch==${{ env.HATCH_VERSION }}
|
||||
python -m pip install --upgrade pip
|
||||
pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D
|
||||
echo "env=$(hatch env find test)" >> "$GITHUB_OUTPUT"
|
||||
|
||||
- name: Run
|
||||
|
||||
@@ -363,6 +363,14 @@ ignore = [
|
||||
"test/tools/test_parameters_schema_utils.py" = ["UP007"]
|
||||
"test/utils/test_type_serialization.py" = ["UP006", "UP007", "UP035", "UP045"]
|
||||
|
||||
[tool.uv]
|
||||
# Exclude package versions published within the last 24 hours to protect against supply chain
|
||||
# attacks via compromised dependencies. uv resolves this relative to the current clock at
|
||||
# install/lock time, so no manual date updates are needed.
|
||||
# First-party packages are exempted so freshly published releases are always resolvable.
|
||||
exclude-newer = "24 hours"
|
||||
exclude-newer-package = { haystack-experimental = "0 days", haystack-pydoc-tools = "0 days" }
|
||||
|
||||
[tool.coverage.run]
|
||||
omit = ["haystack/testing/*"]
|
||||
relative_files = true
|
||||
|
||||
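Review bot: The `exclude-newer-package` line exempts `haystack-experimental` and `haystack-pydoc-tools` from the 24-hour window entirely, so a release pushed with a stolen publishing token for either package would be resolvable immediately. The comment explains why they are exempt but not that this is an accepted risk. I would extend it with something like `# Trade-off: these packages are trusted on publish; their release credentials need matching protection.` It would also help to state in the comment that `[tool.uv]` only affects uv resolution, which is why the workflows pass `--uploaded-prior-to` to pip separately.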