chore: pin GitHub Actions workflows to full commit SHAs#246
chore: pin GitHub Actions workflows to full commit SHAs#246irfanuddinahmad wants to merge 5 commits into
Conversation
|
@irfanuddinahmad looks like the PR is failing tests, probably unrelated, can you fix the issue anyway in a separate PR and then we can rebase this and land it. |
enmerkar 0.7.1 calls `from pkg_resources import get_distribution` in its __init__.py at runtime. pkg_resources ships with setuptools, which is no longer bundled with Python 3.12. Adding setuptools as an explicit requirement ensures it is available in the tox virtualenv. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
enmerkar 0.7.1 imports pkg_resources at module load time but does not declare setuptools as a dependency. In some virtualenv configurations, pkg_resources is not importable even when setuptools is installed. This conftest.py creates a minimal importlib.metadata-backed shim so that pytest collection succeeds regardless of the virtualenv setup. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
feanil
left a comment
There was a problem hiding this comment.
Also, worth checking is where this library is being used, do we still need this fork?
|
Who uses it: Only Do we still need the fork? Yes, for now. The upstream ( As long as |
|
Thanks for the pull request, @irfanuddinahmad! This repository is currently unmaintained. 🔘 Find a technical reviewerTo get help with finding a technical reviewer, reach out to the community contributions project manager for this PR:
Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review. 🔘 Get product approvalIf you haven't already, check this list to see if your contribution needs to go through the product review process.
🔘 Provide contextTo help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:
🔘 Get a green buildIf one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green. DetailsWhere can I find more information?If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources: When can I expect my changes to be merged?Our goal is to get community contributions seen and reviewed as efficiently as possible. However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:
💡 As a result it may take up to several weeks or months to complete a review and merge your PR. |
…rces shim enmerkar 0.7.1 does `from pkg_resources import get_distribution` in its __init__.py, which fails in Python 3.12+ environments where setuptools is not installed. We only use `extract_django` from enmerkar/extract.py, and that module has no pkg_resources dependency. Vendor enmerkar/extract.py directly (as already done for markey) so we use importlib.metadata-compatible code throughout, then drop the enmerkar package dependency, the setuptools pin, and the conftest.py shim. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
@feanil @kdmccormick |
feanil
left a comment
There was a problem hiding this comment.
Generally makes sense, just one bit of organizing to be able to not expose ourselves to legal troubles.
There was a problem hiding this comment.
This makes sense, we eventually want to fully drop the django underscore tooling but this is a good intermediate step to reduce un-necessary dependencies by taking on some more probably fairly minimal maintenance burden in the near term.
When you're vendoring in code from other libraries, it's really important to read their License. In this case, we should copy the COPYING file next to this file in the vendor directory.
I think it's worth it to rename COPYING to LICENSE here for clarity and to put the vendored enmerkar code into a folder named for the library it's coming from. It's unlikely that we'll have multiple vendored items in this repo but it's good practice to have a separate vendor folder for each upstream item you're vendoring. It has the side benefit that we can keep the name of this file the same as the upstream file it's copying which also makes provenance easier.
Add upstream BSD-3-Clause LICENSE (from Zegocover/enmerkar COPYING) and move enmerkar_extract.py into vendor/enmerkar/ per code review feedback. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Pins all
uses:action refs to their full commit SHA with the version tag preserved as a comment. Part of org-wide SHA-pinning migration: openedx/.github#165