docs(roadmap): ground dependabot-core upstream assumptions (uv versioning-strategy)#34
Merged
…ning-strategy)

Re-checked the two dependabot-core issues this ROADMAP waits on:
- #12162 (uv versioning-strategy support) is now CLOSED/completed (~2026-02) — the "not supported yet" assumption is stale and the queued lockfile-only fix to end the ruff/ty floor churn is unblocked (verify uv accepts lockfile-only before the fleet edit, since #12162 tracked the umbrella feature).
- #14004 (uv workspace mis-targeting) is still OPEN — kourai's uv deferral stands.

Also corrected the SHA-pinning item's "only techne enforces it" framing: every sister enforces pin-pinning via inline pin-check.yml regex (coverage is fleet-wide); only the shared check_action_pins.sh script is techne-only, so the remaining work is DRY consolidation, not a coverage gap.
Sweep stop #5 — grounding techne's own ROADMAP, focused on the two upstream dependabot-core issues it's been waiting on.

#12162 (uv versioning-strategy) — now unblocked ✓

The item said "versioning-strategy: lockfile-only isn't supported for uv yet (#12162, open)." #12162 is now closed (completed, ~2026-02) — uv versioning-strategy support landed. So the queued fix to stop the fleet's ruff/ty floor churn is live: add versioning-strategy: lockfile-only to the uv dependabot entries. One caveat carried into the ROADMAP: #12162 tracked the umbrella feature (its requester wanted increase), so verify uv accepts lockfile-only specifically before the fleet-wide edit.

#14004 (uv workspace mis-targeting) — still open

Re-checked: still open, so kourai's uv-dependabot deferral correctly stands. Re-validated, not changed.

Bonus accuracy fix

The SHA-pinning item said "propagate the check_action_pins.sh guard … only techne enforces it today" — which misreads as "the fleet isn't pin-protected." Verified: every sister already enforces pin-pinning via an inline regex in its own pin-check.yml; only the shared script is techne-only. Reworded so it's clearly a DRY-consolidation step, not a coverage gap.

Docs-only; research(2026-05) provenance inline. Note: the actual fleet-wide lockfile-only dependabot edit is not done here — flagged as the now-unblocked follow-up (and it wants the lockfile-only-value verification first).
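
The kind of check the SHA-pinning item refers to, as an added example that is not part of this PR and is neither techne's check_action_pins.sh nor any sister's pin-check.yml regex: a shell function that flags `uses:` references not pinned to a full 40-character commit SHA. The regexes, the skip rule for local and docker:// references, and the sample workflow are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical; not techne's check_action_pins.sh or a sister's pin-check.yml).
# Flags `uses:` references that are not pinned to a full 40-hex commit SHA.

USES_RE='^[[:space:]]*(-[[:space:]]*)?uses:'
# Assumption: local actions (./path) and docker:// images are out of scope.
SKIP_RE='uses:[[:space:]]*["'\'']?(\./|docker://)'
# Pinned = ref ends in @<40 lowercase hex>, optionally quoted, optional trailing comment.
PINNED_RE='@[0-9a-f]{40}["'\'']?[[:space:]]*(#.*)?$'

# check_pins FILE...: prints "file:line:text" per unpinned reference; returns 1 if any.
check_pins() {
    status=0
    for wf in "$@"; do
        unpinned=$(grep -nE "$USES_RE" "$wf" | grep -vE "$SKIP_RE" | grep -vE "$PINNED_RE" || true)
        if [ -n "$unpinned" ]; then
            printf '%s\n' "$unpinned" | while IFS= read -r hit; do
                printf '%s:%s\n' "$wf" "$hit"
            done
            status=1
        fi
    done
    return "$status"
}

# Constructed sample workflow (the SHA below is a made-up placeholder).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
jobs:
  lint:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions/setup-python@v5
      - uses: astral-sh/setup-uv@main
      - uses: ./.github/actions/local
      - name: abbreviated SHA is not a full pin
        uses: example-org/example-action@0123456
EOF

if check_pins "$sample"; then
    echo "all action references are SHA-pinned"
else
    echo "unpinned action references found"
fi
```
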