fix: move pre-commit/pytest dev tools out of prod deps (unblock deploy) #705
pre-commit was in the main [project.dependencies] list, so it shipped to production and dragged in its whole toolchain (virtualenv, identify, nodeenv, cfgv, distlib, platformdirs). virtualenv 21.x added an unpinned transitive `python-discovery>=1.4`, which the deploy buildpack rejected under pip --require-hashes:

    ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
        python-discovery>=1.4 (from virtualenv==21.4.2)

pre-commit is a dev-only tool and never imported by the app. Move it to the [dependency-groups] dev list and regenerate uv.lock + requirements with --no-dev (matching the CD export). This drops pre-commit and its entire chain from the production requirement set, removing the unpinned python-discovery transitive.

Verified: every non-dev package in uv.lock is still pinned+hashed in requirements.txt; the linux cp313 wheels the buildpack installs are present. Lock revision bumped 2->3 by uv; CD uses setup-uv latest.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2e96323ac2
pytest and pytest-cov are test-only tools but were listed in main [project.dependencies], shipping pytest, pytest-cov, and coverage to production. Move them to [dependency-groups] dev (pytest was already duplicated there) and regenerate the lock + --no-dev requirements. Removes the pytest/coverage chain from the production requirement set. Verified no non-dev package was dropped from requirements.txt.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Pull request overview
This PR updates the Python dependency configuration to ensure pre-commit (and its toolchain) is treated as a development-only dependency, preventing it from being included in the production dependency export used for deployment builds that enforce pip --require-hashes.
Changes:
- Move `pre-commit` from `[project.dependencies]` to `[dependency-groups].dev` in `pyproject.toml`.
- Regenerate `uv.lock` after the dependency-group change (lock revision bump).
- Regenerate the production `requirements.txt` via `uv export --no-dev`, removing `pre-commit` and its transitive dependency chain from production requirements.
Reviewed changes
Copilot reviewed 1 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| `pyproject.toml` | Moves pre-commit into the dev dependency group so it won’t be included in production exports. |
| `uv.lock` | Updates the lockfile to reflect the dependency-group change (removes pre-commit from main deps, adds it to dev). |
| `requirements.txt` | Regenerated production requirements without dev-group dependencies, removing the pre-commit toolchain from prod. |
Comments suppressed due to low confidence (1)
pyproject.toml:144
- With `pre-commit` now moved into the dev dependency group, it would be consistent to also ensure other developer/test tooling is not included in `[project.dependencies]` (which is what `uv export --no-dev` uses). As-is, the exported production requirements still include test-only packages like `coverage` (via `pytest-cov`), implying those tools may still be declared as runtime deps.
Recommend moving pytest/pytest-cov (and any other test-only packages) from [project.dependencies] into [dependency-groups].dev, then re-lock/re-export so production deploys only runtime deps.
"behave>=1.3.3",
"black>=26.5.1",
"faker>=25.0.0",
"flake8>=7.3.0",
"pre-commit>=4.6.0",
"pyhamcrest>=2.0.3",
"pytest>=9.0.3",
"pytest-cov>=6.2.1",
"python-dotenv>=1.1.1",
"requests>=2.34.2",
]
Moving pre-commit/pytest to the dev group only affects `uv export --no-dev` (the buildpack requirements.txt). The deploy jobs also invoke uv without disabling the dev group, which still syncs the dev toolchain (pre-commit -> virtualenv -> python-discovery) into the deploy environment:

- CD_production / CD_staging / CD_testing: `uv run alembic ...` and `uv run python -m cli.cli ...`
- docker/app/Dockerfile: production branch `uv sync --locked`

Add --no-dev to all of these so dev dependencies are excluded consistently across every deploy path. The Dockerfile dev branch keeps --all-groups intentionally for local/dev images.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Why
Deploy buildpack fails again — next unpinned transitive after the joserfc fix (#704):
Root cause:
`pre-commit` was listed in main `[project.dependencies]`, so it (and its whole toolchain — virtualenv, identify, nodeenv, cfgv, distlib, platformdirs) shipped to production. `virtualenv 21.x` introduced the unpinned transitive `python-discovery>=1.4`, which pip `--require-hashes` rejects.
How
- `pre-commit` from `[project.dependencies]` → `[dependency-groups] dev`. It's a dev-only tool, never imported by app code.
- `uv lock` + `uv export --no-dev` regenerate the lock and requirements.
Verification
- `uv.lock` is still pinned + hashed in `requirements.txt`; only dev-group deps are absent.
- `cp313` x86_64 wheels the buildpack installs are present (checked yarl).
- `uv lock --check` passes.
Notes
- `requirements.txt` churn: besides removing the pre-commit chain, local `uv 0.9.7` emits only the py3.13-relevant wheel hashes (lock `requires-python >=3.13`) vs the old broader set. Functionally complete for the deploy target; CD regenerates with the same `uv export --no-dev` anyway.
- `uv.lock` `revision` bumped 2 → 3 by uv; CD uses `setup-uv` latest (forward-compatible).
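
The checks this PR verifies by hand (every production requirement pinned with `==` and hashed, no dev tooling in the exported set) can be run as a pre-deploy gate. This is an added example, not code from the pull request; `audit_requirements`, the `DEV_ONLY` list and the sample file with placeholder hashes are assumptions constructed for illustration.

```python
import re

# Assumption: dev/test tools this PR names as having leaked into production.
DEV_ONLY = {"pre-commit", "virtualenv", "pytest", "pytest-cov", "coverage"}
REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)$")
PINNED = re.compile(r"==\s*[^\s*,<>=!~]+")  # exact version, no wildcard

# Constructed sample in `uv export` layout; hash values are placeholders.
SAMPLE = """\
requests==2.34.2 \\
    --hash=sha256:0000 \\
    --hash=sha256:1111
    # via app
virtualenv==21.4.2 \\
    --hash=sha256:2222
python-discovery>=1.4
pytest_cov==6.2.1 --hash=sha256:3333
"""


def logical_lines(text):
    """Join backslash continuations; drop comment and blank lines."""
    joined = re.sub(r"\\\r?\n", " ", text)
    lines = (ln.strip() for ln in joined.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]


def audit_requirements(text, dev_only=DEV_ONLY):
    """Return (package, problem) pairs that should block a deploy."""
    findings = []
    for line in logical_lines(text):
        if line.startswith("-"):  # global options such as --index-url
            continue
        # Keep only "name<specifier>": drop hashes and environment markers.
        spec = line.split("--hash=")[0].split(";")[0].strip()
        m = REQ.match(spec)
        if not m:
            findings.append((spec, "unparsed"))
            continue
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower()  # PEP 503 form
        if not PINNED.fullmatch(m.group(2)):
            findings.append((name, "unpinned"))  # pip hash mode rejects this
        if "--hash=" not in line:
            findings.append((name, "unhashed"))
        if name in dev_only:
            findings.append((name, "dev-only"))
    return findings


if __name__ == "__main__":
    for pkg, problem in audit_requirements(SAMPLE):
        print(f"{problem:9} {pkg}")
```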