|
| 1 | +# Dependency Constraints in InstructLab CI |
| 2 | + |
| 3 | +This document describes how Python dependencies should be managed in |
| 4 | +InstructLab CI. |
| 5 | + |
| 6 | +## Goals |
| 7 | + |
| 8 | +1. Ensure that the CI environment is consistent and reproducible. |
| 9 | +2. Ensure that new upstream releases do not break the CI environment. |
| 10 | +3. Ensure that we adopt new upstream releases in the CI environment in a timely |
| 11 | + manner. |
| 12 | + |
| 13 | +## Approach |
| 14 | + |
| 15 | +### Pin all versions with constraints files |
| 16 | + |
| 17 | +Each repository should contain a [pip |
| 18 | +constraints](https://pip.pypa.io/en/stable/user_guide/#constraints-files) file |
| 19 | +that lists the pinned versions of all dependencies used in the CI environment. |
| 20 | + |
| 21 | +In case a repository supports multiple platforms (`linux` vs `darwin`) or |
| 22 | +accelerators (`cuda`, `cpu`, `hpu`), multiple constraints files may be |
| 23 | +generated. |
| 24 | + |
| 25 | +The constraints files should be used in all CI jobs that install Python |
| 26 | +dependencies (using `pip` or otherwise), including linters, unit tests, |
| 27 | +integration tests, and functional tests. |
| 28 | + |
| 29 | +### Update constraints files regularly |
| 30 | + |
| 31 | +Each repository should define a new `tox` target called `constraints` that will |
| 32 | +re-generate all the constraints files in the project. |
| 33 | + |
| 34 | +Updates to these files should be generated automatically by the CI system and |
| 35 | +should not be modified manually (subject to rare exceptions). A periodic |
| 36 | +CI job should be added to ensure this happens on a regular basis (at least once |
| 37 | +a week). |
| 38 | + |
| 39 | +The job should run `tox -e constraints` and post the result as a PR for review. |
| 40 | +The PR will be validated by all the relevant CI jobs. Project core team is |
| 41 | +expected to review these PRs in a timely manner. The team should make sure that |
| 42 | +all the relevant CI jobs are passing before merging the PR. |
| 43 | + |
| 44 | +### Uncap all dependencies |
| 45 | + |
| 46 | +At this point, no new upstream releases should affect the CI environment. |
| 47 | +Projects should then uncap all their dependencies in requirements files, as per |
| 48 | +[dependency management policy](./dependency-management.md). |
| 49 | + |
| 50 | +Note: In rare situations, a cap may be justified. For example, when we know for |
| 51 | +sure that a new release of the upstream dependency will break the project, and |
| 52 | +when we don't have capacity to deliver a fix in a timely manner. These |
| 53 | +situations should be rare and a mitigation plan should be in place to uncap the |
| 54 | +dependency. |
0 commit comments