From 1b65bb14137269093d4062bc84da86eaeadf7260 Mon Sep 17 00:00:00 2001 From: vaibhav-patel Date: Sat, 20 Jun 2026 15:40:08 +0530 Subject: [PATCH 1/2] Python: enforce dependency-bounds validator in CI Add a blocking "Dependency Bounds Validation" job to the Python code quality workflow so `validate-dependency-bounds-test` runs on pull requests and in the merge queue, not just on the weekly maintenance schedule (where it is non-blocking and only opens an issue on failure). The validator smoke-tests both ends of every package's allowed dependency range (lowest-direct and highest) and runs each package's pyright pass in an isolated environment, catching floor-too-low, missing-optional-dependency, and isolated-env typing regressions that the full-workspace test and typing jobs miss. Wiring it into required CI catches these at PR time instead of at release time. The job mirrors the dependency maintenance workflow's environment (Python 3.13, full git history for the workspace graph) so PR results line up with the nightly sweep, runs without continue-on-error so it can gate merges, and uploads the JSON report as an artifact for triage. Fixes #6582. --- .github/workflows/python-code-quality.yml | 41 +++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/.github/workflows/python-code-quality.yml b/.github/workflows/python-code-quality.yml index 7473a1d381..6b5c85509f 100644 --- a/.github/workflows/python-code-quality.yml +++ b/.github/workflows/python-code-quality.yml 
@@ -141,3 +141,44 @@ jobs: UV_CACHE_DIR: /tmp/.uv-cache - name: Run tests/samples type checkers (mypy, pyrefly, ty) run: uv run python scripts/workspace_poe_tasks.py ci-test-typing + + dependency-bounds: + name: Dependency Bounds Validation + if: "!cancelled()" + runs-on: ubuntu-latest + # Match the Python dependency maintenance workflow so PR results line up with the + # nightly/dispatch sweep. Reevaluate if package installability starts differing + # across supported Python versions. + timeout-minutes: 60 + defaults: + run: + working-directory: ./python + env: + UV_PYTHON: "3.13" + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + # The upper-bound resolver builds the internal workspace graph, so fetch full + # history to mirror the dependency maintenance workflow. + fetch-depth: 0 + - name: Set up python and install the project + id: python-setup + uses: ./.github/actions/python-setup + with: + python-version: ${{ env.UV_PYTHON }} + os: ${{ runner.os }} + env: + UV_CACHE_DIR: /tmp/.uv-cache + # Smoke both ends of every package's allowed dependency range (lowest-direct and + # highest) and run each package's pyright pass in an isolated environment. This + # catches floor-too-low, missing-optional-dependency, and isolated-env typing + # regressions that the full-workspace test and typing jobs do not. + - name: Validate dependency bounds (lower + upper) + run: uv run poe validate-dependency-bounds-test --package "*" + - name: Upload dependency bounds report + if: always() + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 + with: + name: dependency-bounds-test-results + path: python/scripts/dependencies/dependency-bounds-test-results.json + if-no-files-found: warn From 6c45fdc2f3031d933b15886c44bc557187c78812 Mon Sep 17 00:00:00 2001 
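Review bot: The new `dependency-bounds` job sets no job-level `permissions:`, yet its `Validate dependency bounds` step resolves, installs and imports the newest and oldest allowed releases of every third-party dependency, none of which the repository pins; unless the workflow-level `permissions` (outside this hunk, as is the rest of the `jobs:` mapping) already restrict the token to read, add `permissions:` / `contents: read` directly under `runs-on: ubuntu-latest` so a bad upstream release reached during a PR run never sees a write-capable GITHUB_TOKEN. Both actions are SHA-pinned, which is the right practice for a job that gates merges. A smaller documentation point: `working-directory: ./python` applies only to `run:` steps, so the `path: python/scripts/dependencies/...` in the upload step is correctly workspace-relative; a comment such as `# defaults.run.working-directory does not apply to uses: steps, so this path is relative to the workspace root` above `path:` would stop a later "cleanup" from stripping the prefix and silently producing an empty artifact (masked by `if-no-files-found: warn`).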
From: vaibhav-patel Date: Mon, 22 Jun 2026 14:00:49 +0530 Subject: [PATCH 2/2] Match UV_EXCLUDE_NEWER cutoff with the dependency maintenance workflow --- .github/workflows/python-code-quality.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/python-code-quality.yml b/.github/workflows/python-code-quality.yml index 6b5c85509f..942a95c564 100644 --- a/.github/workflows/python-code-quality.yml +++ b/.github/workflows/python-code-quality.yml @@ -169,6 +169,14 @@ jobs: os: ${{ runner.os }} env: UV_CACHE_DIR: /tmp/.uv-cache + # Pin the dependency release cutoff to the same 7-day window the dependency + # maintenance workflow uses, so this PR check resolves the same upstream + # releases as the weekly sweep instead of pulling in newer ones and diverging. + - name: Set dependency release cutoff + run: | + cutoff="$(date -u -d '7 days ago' '+%Y-%m-%dT%H:%M:%SZ')" + echo "UV_EXCLUDE_NEWER=${cutoff}" >> "$GITHUB_ENV" + echo "Using dependency release cutoff: ${cutoff}" # Smoke both ends of every package's allowed dependency range (lowest-direct and # highest) and run each package's pyright pass in an isolated environment. This # catches floor-too-low, missing-optional-dependency, and isolated-env typing
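Review bot: The comment above the `Set dependency release cutoff` step overstates what a run-time-relative cutoff guarantees: `date -u -d '7 days ago'` is evaluated at every run, so this PR check and the weekly sweep exclude different release sets unless they execute on the same day, and two PR runs a day apart can still resolve different upper-bound versions. Suggest rewording to `# Exclude releases newer than 7 days, the same window the dependency maintenance workflow uses; a PR run only matches the sweep's resolution when both run on the same day.` The variable is exported after the `python-setup` step (the `steps:` list starts outside this hunk), so the project install itself is not subject to the cutoff; presumably intentional because the validator builds its own isolated environments, but worth stating in the comment. The value is derived from `date`, not from PR-controlled input, so appending it to `$GITHUB_ENV` introduces no injection path.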