build: sync lockfiles and reuse in CI

2025-09-09 15:58:48 +00:00 · 2025-08-16 15:00:50 -04:00
parent 5335091c8e
commit 0b6cc61f58
7 changed files with 40 additions and 23 deletions
--- a/.github/workflows/briefcase.yml
+++ b/.github/workflows/briefcase.yml
@@ -16,9 +16,7 @@ jobs:
      - uses: astral-sh/setup-uv@v3
      - name: Install dependencies
        run: |
-          uv pip compile src/runtime_requirements.txt --universal --generate-hashes --emit-index-url -o runtime.lock
+          uv pip sync --frozen runtime.lock
          git diff --exit-code runtime.lock
          uv pip sync runtime.lock
          uv tool install briefcase
      - name: Build with Briefcase
        run: briefcase build
--- a/.github/workflows/python-ci.yml
+++ b/.github/workflows/python-ci.yml
@@ -23,17 +23,28 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_CONFIG: .gitleaks.toml
  lock-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - uses: astral-sh/setup-uv@v3
      - name: Verify requirements.lock
        run: |
          uv pip compile src/requirements.txt --python-version 3.11 --generate-hashes --emit-index-url -o requirements.lock
          git diff --exit-code requirements.lock
      - name: Verify runtime.lock
        run: |
          uv pip compile src/runtime_requirements.txt --python-version 3.11 --generate-hashes --emit-index-url -o runtime.lock
          git diff --exit-code runtime.lock
  build:
    needs: lock-check
    strategy:
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest]
        python-version: ["3.11"]
        exclude:
          - os: windows-latest
            python-version: "3.11"
        include:
          - os: windows-latest
            python-version: "3.10"
    runs-on: ${{ matrix.os }}
    env:
      HYPOTHESIS_SEED: 123456
@@ -41,7 +52,7 @@ jobs:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
-          python-version: ${{ matrix.python-version }}
+          python-version: "3.11"
      - uses: astral-sh/setup-uv@v3
      - name: Install build tools (Linux/macOS)
        if: runner.os != 'Windows'
@@ -77,11 +88,8 @@ jobs:
          key: ${{ runner.os }}-uv-${{ hashFiles('requirements.lock') }}
          restore-keys: |
            ${{ runner.os }}-uv-
-      - name: Verify lockfile and install dependencies
+      - name: Install dependencies
-        run: |
+        run: uv pip sync --frozen requirements.lock
          uv pip compile src/requirements.txt --universal --generate-hashes --emit-index-url -o requirements.lock
          git diff --exit-code requirements.lock
          uv pip sync requirements.lock
      - name: Run dependency scan
        run: scripts/dependency_scan.sh --ignore-vuln GHSA-wj6h-64fc-37mp
      - name: Determine stress args
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -11,16 +11,15 @@ jobs:
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
        python-version: ["3.10", "3.11", "3.12"]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
-          python-version: ${{ matrix.python-version }}
+          python-version: "3.11"
      - uses: astral-sh/setup-uv@v3
      - name: Install dependencies
-        run: uv pip sync requirements.lock
+        run: uv pip sync --frozen requirements.lock
      - name: Check formatting
        run: uvx black --check .
      - name: Run security audit
@@ -33,6 +32,6 @@ jobs:
      - name: Upload coverage report
        uses: actions/upload-artifact@v4
        with:
-          name: coverage-${{ matrix.os }}-py${{ matrix.python-version }}
+          name: coverage-${{ matrix.os }}
          path: coverage.xml
--- a/requirements.lock
+++ b/requirements.lock
@@ -1,5 +1,5 @@
 # This file was autogenerated by uv via the following command:
-#    uv pip compile --python-version 3.12 --generate-hashes --emit-index-url -o requirements.lock src/requirements.txt
+#    uv pip compile --python 3.11 src/requirements.txt --python-version 3.11 --generate-hashes --emit-index-url -o requirements.lock
 --index-url https://pypi.org/simple
 aiohappyeyeballs==2.6.1 \
@@ -140,6 +140,10 @@ argon2-cffi-bindings==25.1.0 \
    --hash=sha256:da0c79c23a63723aa5d782250fbf51b768abca630285262fb5144ba5ae01e520 \
    --hash=sha256:e2fd3bfbff3c5d74fef31a722f729bf93500910db650c925c2d6ef879a7e51cb
    # via argon2-cffi
 async-timeout==5.0.1 \
    --hash=sha256:39e3809566ff85354557ec2398b55e096c8364bacac9405a7a1fa429e77fe76c \
    --hash=sha256:d9321a7a3d5a6a5e187e824d2fa0793ce379a202935782d555d6e9d2735677d3
    # via -r src/requirements.txt
 attrs==25.3.0 \
    --hash=sha256:427318ce031701fea540783410126f03899a97ffc6f61596ad581ac2e40e3bc3 \
    --hash=sha256:75d7cefc7fb576747b2c81b4442d4d4a1ce0900973527c011d1030fd3bf4af1b
@@ -1678,7 +1682,9 @@ tomli==2.2.1 \
    --hash=sha256:e85e99945e688e32d5a35c1ff38ed0b3f41f43fad8df0bdf79f72b2ba7bc5272 \
    --hash=sha256:ece47d672db52ac607a3d9599a9d48dcb2f2f735c6c2d1f34130085bb12b112a \
    --hash=sha256:f4039b9cbc3048b2416cc57ab3bda989a6fcf9b36cf8937f01a6e731b64f80d7
-    # via -r src/requirements.txt
+    # via
    #   -r src/requirements.txt
    #   coverage
 travertino==0.5.2 \
    --hash=sha256:5afcc673e14e16c3c04c0e3fe387062633e6bc88e87bc0bbd214a04b4dfbbcd4 \
    --hash=sha256:fd69ac3b14f2847e4c972198588b8a86ca3b437aaa0c8ce7259bbe5dab17aff1
--- a/runtime.lock
+++ b/runtime.lock
@@ -1,5 +1,5 @@
 # This file was autogenerated by uv via the following command:
-#    uv pip compile --python-version 3.12 --generate-hashes --emit-index-url -o runtime.lock src/runtime_requirements.txt
+#    uv pip compile --python 3.11 src/runtime_requirements.txt --python-version 3.11 --generate-hashes --emit-index-url -o runtime.lock
 --index-url https://pypi.org/simple
 aiohappyeyeballs==2.6.1 \
@@ -140,6 +140,10 @@ argon2-cffi-bindings==25.1.0 \
    --hash=sha256:da0c79c23a63723aa5d782250fbf51b768abca630285262fb5144ba5ae01e520 \
    --hash=sha256:e2fd3bfbff3c5d74fef31a722f729bf93500910db650c925c2d6ef879a7e51cb
    # via argon2-cffi
 async-timeout==5.0.1 \
    --hash=sha256:39e3809566ff85354557ec2398b55e096c8364bacac9405a7a1fa429e77fe76c \
    --hash=sha256:d9321a7a3d5a6a5e187e824d2fa0793ce379a202935782d555d6e9d2735677d3
    # via -r src/runtime_requirements.txt
 attrs==25.3.0 \
    --hash=sha256:427318ce031701fea540783410126f03899a97ffc6f61596ad581ac2e40e3bc3 \
    --hash=sha256:75d7cefc7fb576747b2c81b4442d4d4a1ce0900973527c011d1030fd3bf4af1b
--- a/src/requirements.txt
+++ b/src/requirements.txt
@@ -6,6 +6,7 @@ bech32>=1.2,<2
 coincurve>=18.0.0,<22
 mnemonic>=0.21,<1
 aiohttp>=3.9,<4
 async-timeout>=4,<6; python_version < "3.12"
 bcrypt>=4,<5
 pytest>=7,<9
 pytest-cov>=4,<7
--- a/src/runtime_requirements.txt
+++ b/src/runtime_requirements.txt
@@ -8,6 +8,7 @@ bech32>=1.2,<2
 coincurve>=18.0.0,<22
 mnemonic>=0.21,<1
 aiohttp>=3.9,<4
 async-timeout>=4,<6; python_version < "3.12"
 bcrypt>=4,<5
 portalocker>=2.8,<4
 nostr-sdk>=0.43,<1