Add Forge Python dependency constraints

.github/workflows/ci.yml

@@ -25,7 +25,7 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       - name: Install dependencies
-        run: pip install -e ".[dev]"
+        run: pip install -c constraints.txt -e ".[dev]"
 
       - name: Lint
         run: ruff check forge_cli/ tests/
@@ -46,8 +46,8 @@ jobs:
       - name: Install dependencies
         run: |
           python -m pip install --upgrade "pip>=26.1"
-          python -m pip install -e ".[dev]"
+          python -m pip install -c constraints.txt -e ".[dev]"
           python -m pip install pip-audit
 
       - name: Run pip-audit
-        run: python -m pip_audit --progress-spinner off
+        run: python -m pip_audit --progress-spinner off -r constraints.txt

constraints.txt

@@ -0,0 +1,17 @@
+# Python 3.11 CI dependency constraints.
+# Regenerate from a clean environment with:
+#   python -m pip install -e ".[dev]"
+#   python -m pip freeze --exclude-editable
+annotated-doc==0.0.4
+iniconfig==2.3.0
+markdown-it-py==4.2.0
+mdurl==0.1.2
+packaging==26.2
+pluggy==1.6.0
+Pygments==2.20.0
+pytest==9.0.3
+PyYAML==6.0.3
+rich==15.0.0
+ruff==0.15.16
+shellingham==1.5.4
+typer==0.26.7

tests/test_ci_workflow.py

@@ -6,6 +6,7 @@
 
 ROOT = Path(__file__).resolve().parents[1]
 CI_WORKFLOW = ROOT / ".github" / "workflows" / "ci.yml"
+PYTHON_CONSTRAINTS = ROOT / "constraints.txt"
 TAGGED_ACTION_REF = re.compile(r"uses:\s+[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+@v\d+")
 
 
@@ -17,7 +18,29 @@ def test_ci_workflow_has_dependency_security_gate() -> None:
     assert "dependency-security:" in workflow
     assert 'python -m pip install --upgrade "pip>=26.1"' in workflow
     assert "python -m pip install pip-audit" in workflow
-    assert "python -m pip_audit --progress-spinner off" in workflow
+    assert "python -m pip_audit --progress-spinner off -r constraints.txt" in workflow
+
+
+def test_ci_installs_project_dependencies_with_python_constraints() -> None:
+    workflow = CI_WORKFLOW.read_text()
+
+    assert 'pip install -c constraints.txt -e ".[dev]"' in workflow
+    assert 'python -m pip install -c constraints.txt -e ".[dev]"' in workflow
+
+
+def test_python_constraints_pin_ci_dependency_set() -> None:
+    assert PYTHON_CONSTRAINTS.exists()
+    content = PYTHON_CONSTRAINTS.read_text()
+
+    for package in ("typer", "rich", "pyyaml", "pytest", "ruff"):
+        assert f"{package}==" in content.lower()
+
+    unconstrained_lines = [
+        line
+        for line in content.splitlines()
+        if line.strip() and not line.startswith("#") and "==" not in line
+    ]
+    assert unconstrained_lines == []
 
 
 def test_github_actions_are_pinned_to_commit_shas() -> None: