Move package versions out of the Dockerfile #287
Conversation
Pull request overview
This PR externalizes the pinned versions for pip, pipenv, and setuptools from the Dockerfile into a dedicated pip constraints file so automated tooling (Dependabot) can propose updates more easily.
Changes:
- Added `src/requirements-actually-constraints.txt` to centrally pin `pip`, `pipenv`, and `setuptools`.
- Updated the `Dockerfile` to install those tools using `pip --constraint constraints.txt` instead of hardcoding versions as `ENV` values.
- Updated `.github/labeler.yml` so PRs touching the new constraints file get the `dependencies` label.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| `src/requirements-actually-constraints.txt` | New constraints file holding the pinned tool versions for Docker builds. |
| `Dockerfile` | Uses the constraints file during pip install steps instead of Dockerfile `ENV`-pinned versions. |
| `.github/labeler.yml` | Labels changes to the new constraints file as dependency-related. |
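To illustrate the pattern this PR introduces (versions moved from `ENV` pins into a pip constraints file that is copied in before any install step, with `WORKDIR` set first), here is an added example Dockerfile stage. It is not this project's Dockerfile: the base image, the `/venv` path and the version numbers are placeholders.

```dockerfile
# Added illustration of the constraints-file approach; not the project's own Dockerfile.
#
# Before: versions hardcoded in the Dockerfile, so every bump is a manual edit.
#   ENV PIP_VERSION=X.Y.Z PIPENV_VERSION=X.Y.Z SETUPTOOLS_VERSION=X.Y.Z
#   RUN python -m pip install pip==${PIP_VERSION} pipenv==${PIPENV_VERSION} \
#         setuptools==${SETUPTOOLS_VERSION}
#
# After: the pins live in src/requirements-actually-constraints.txt, which
# holds one "name==version" line per tool (placeholder versions):
#   pip==X.Y.Z
#   pipenv==X.Y.Z
#   setuptools==X.Y.Z

FROM python:3.12-slim AS compile-stage   # base image is an assumption

# WORKDIR comes before any COPY so that every relative path in this stage
# resolves against one known directory, independent of the image's default.
WORKDIR /build

# Copy the constraints file under a short, stable name used by the installs below.
COPY src/requirements-actually-constraints.txt ./constraints.txt

# A constraints file never installs anything by itself: the tools must still be
# named on the command line, and --constraint pins whatever is named to the
# listed versions. Installing into the venv keeps the system Python untouched.
RUN python -m venv /venv \
    && /venv/bin/python -m pip install --no-cache-dir \
         --constraint constraints.txt pip pipenv setuptools \
    # Fail the build early if the resulting set has broken dependencies.
    && /venv/bin/python -m pip check
```

Because the pins now sit in a `requirements*.txt`-named file, Dependabot can propose the version bumps that previously required editing the Dockerfile by hand.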
```dockerfile
# Copy in the pip constraints file that controls the versions installed below
COPY src/requirements-actually-constraints.txt ./constraints.txt
```
`COPY src/requirements-actually-constraints.txt ./constraints.txt` relies on the default working directory (`/`) for later `--constraint constraints.txt` references. To make this more robust against future `WORKDIR` changes, consider copying to (and referencing) an absolute path (e.g., `/constraints.txt`).
I went with 82699cd as a solution to this feedback. We're still using relative paths, but the `WORKDIR` command is performed before any `COPY` commands in the stage.
Move the version constraints for the pip, pipenv, and setuptools packages out of the Dockerfile. They are moved into a pip constraints file that _should_ receive automatic updates from dependabot so we can more easily keep these package versions up-to-date.
This will match a `requirements*.txt` file in any path in the repository. Since such files are almost always a dependency control file, this rule makes sense. Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
79986ce to d3f2ab7
Move the `WORKDIR` instruction to before any `COPY` instructions are performed in `compile-stage`. This sets an expectation for everything to take place in the specified directory during this stage of the build. Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
d3f2ab7 to 82699cd
Update the entry for `/` to ignore the `src/` sub-directory because we should handle dependencies in the `src/` sub-directory separately.
🗣 Description
This pull request moves versioning of the Python packages we install in the Dockerfile to set up a Python venv out of the Dockerfile. The package version constraints are moved into a separate pip constraints file that is copied in and used during package installation.
💭 Motivation and context
Currently we have to manually update the versions of `pip`, `pipenv`, and `setuptools` that are installed in the venv setup. This change should allow us to get dependabot automatic updates for these packages now.
Note
The constraints file uses the name it does to trick dependabot into offering updates to the packages it lists. This is necessary because dependabot does not work with pip constraints files at this time.
Note
Since I am not changing the versions of the packages used I do not see a reason to bump the version of the image.
🧪 Testing
I tested this locally and it built without issue. Waiting for the `pip-audit` hook fix to trickle down before automated tests will pass.
✅ Pre-approval checklist