fix(agentic-ci): improve dependency PR quality#787
Conversation
Code Review: PR #787 — fix(agentic-ci): improve dependency PR qualitySummaryThis PR reworks the agentic-CI dependencies suite to make its dependency audit deterministic and its fix PRs safer:
Change is well-scoped and matches the stated validation (991 passed, ruff clean, FindingsCorrectness — script looks sound
Nit (low) — shadowing of the imported
Determinism caveat (informational, not a defect)
Workflow gate — logic is correct
Docs/recipe consistency
Test coverage
Structural ImpactStructural Impact (graphify, 2.3s)Risk: LOW (localized change)
VerdictApprove (non-blocking nits). The new script is correct, hermetically testable, and the severity model is a genuine improvement over the prior grep-based transitive check. The workflow lockfile gate closes a real failure mode (deps that pass the old lockfile but don't resolve standalone). None of the findings block merge:
All changes are confined to |
|
Thanks for putting this together, @andreatgretel! SummaryThis PR replaces the dependency suite's grep-based discovery with a structured AST/import-metadata inventory, distinguishes guaranteed declaration gaps from uncovered ones, batches compatible fixes, and requires dependency PRs to carry a clean regenerated lockfile. The implementation matches the stated intent, but two edge cases in the new classification and batching behavior are worth fixing before merge. FindingsWarnings — Worth addressing
What Looks Good
VerdictNeeds changes — preserve requirement markers/extras in closure classification, and make batched PR validation/state updates operate once per shared PR rather than once per finding. This review was generated by an AI assistant. |
|
Addressed the review feedback:
|
|
Circling back on this one, @andreatgretel — took another pass now that it's in shape. Overall it's holding up well: the AST inventory reads cleanly, ruff is happy, the three new tests pass, and the workflow YAML parses. A couple of things are still worth a look before merge, but nothing that changes the shape of the PR. Still worth addressing
Minor / optional
Still looking good
VerdictNeeds changes — no correctness issues, but the This review was generated by an AI assistant. |
|
Addressed the follow-up feedback:
|
nabinchha
left a comment
There was a problem hiding this comment.
Re-reviewed after c70f2006 (fix: address dependency audit review) — thanks for the thorough turnaround, @andreatgretel. Both earlier concerns are resolved and the extra refactoring is a genuine improvement.
What got addressed
uv.lockvs the 50-LOC cap — the scope gate now excludes the lockfile fromLOC_DELTAviagit diff --shortstat ... -- ':(exclude)uv.lock'(dependencies suite only), and_fix-policy.mddocuments thatuv.lockstill counts toward the 3-file cap and the allowlist but not the LOC total. That's exactly the split I was hoping for — the two gates are no longer mutually unsatisfiable.- Environment-relative marker evaluation — now called out explicitly with a comment, and marker handling was upgraded to propagate selected extras through the closure (
requirement_dependencies+ theselected_extrasthreading), sopydantic[email]correctly guaranteesemail-validator. Nice — that's better than the one-liner I suggested. distributionshadowing — renamed todistribution_namethroughoutaudit_repository.- Test coverage — the previously-untested branches now have cases: selected-extra guarantee, inactive project marker, ambiguous module →
unresolved_modules, and theMODULE_DISTRIBUTION_OVERRIDESpath. TYPE_CHECKING/guarded imports — the intentional over-report is now documented inline onimported_modules.
Bonus: extracting the inline gate Python into scripts/manage_agentic_ci_attempts.py (with groups/abandon subcommands + tests) and grouping attempts by (pr_number, branch) so a batched PR is validated once is a real readability and correctness win over the duplicated heredocs.
Verified locally: ruff check + ruff format --check clean on all four changed Python files, the workflow YAML parses, and the audit/attempts test files pass (9 passed).
Minor / optional
scripts/audit_package_dependencies.py:58—dependencies[name]as a bare statement relies on thedefaultdictside effect to seed an empty-extras entry for a{{ version }}template dep. It works, butdependencies.setdefault(name, set())would make the intent obvious to the next reader (and won't trip anyone reaching for a "useless expression" cleanup).
Verdict
Ship it (with nits) — everything from the prior review is handled, the new helper is well-tested, and only the one cosmetic setdefault nit remains, entirely take-it-or-leave-it.
This review was generated by an AI assistant.
Summary
uv.lockValidation
.venv/bin/ruff check --fix ..venv/bin/ruff format ..venv/bin/pytest packages/data-designer/tests(991 passed, 1 skipped).venv/bin/python scripts/update_license_headers.py --checkuv lock --checkgit diff --check