Fix red CI: re-lock uv.lock to 0.8.6 + drop broken npm Dependabot stanza#13
Merged
Conversation
The Release v0.8.6 commit (625a415) bumped the version in pyproject.toml, plugin.json, marketplace.json, and src/bully/__init__.py but never re-ran `uv lock`, so the committed uv.lock still pinned the editable bully package at 0.8.5. Since 721a16d switched CI to `uv sync --locked --all-extras`, that version mismatch hard-fails the first CI step ("The lockfile at `uv.lock` needs to be updated, but `--locked` was provided"), turning main red since v0.8.6. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The npm stanza was added on the assumption it would be a harmless no-op until a
package.json lands, but Dependabot hard-errors on a missing manifest
("dependency_file_not_found: /package.json not found") and reports the whole
update job as failed on every weekly run. There is no root package.json, so
remove the stanza; the comment now records the why for whoever adds node tooling.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Prevents the v0.8.6 CI breakage from recurring. The release workflow bumped the version in five files but never re-ran `uv lock`, leaving the editable bully package stale in uv.lock and failing CI's `uv sync --locked`. Add an explicit `uv lock` step in §3, include uv.lock in the §6 release commit and §5 verify diff, and add a common-mistakes row. Also correct the version-field path from the pre-restructure `pipeline/pipeline.py` to `src/bully/__init__.py` (where BULLY_VERSION now lives) in the table, both grep commands, and the §3 step. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why CI is red
mainhas been failing CI since v0.8.6. The first CI step,uv sync --locked --all-extras, hard-fails:The Release v0.8.6 commit (
625a415) bumped the version inpyproject.toml,plugin.json,marketplace.json, andsrc/bully/__init__.py— but never re-ranuv lock, so the committeduv.lockstill pinned the editablebullypackage at0.8.5. Since721a16dswitched CI touv sync --locked, that one-line mismatch turns the whole pipeline red. Every branch cut frommain(including the open Dependabot PRs) inherits the failure.Separately, the weekly npm Dependabot job errors on every run with
dependency_file_not_found: /package.json not found— there is no rootpackage.json, and Dependabot hard-errors instead of no-op'ing on a missing manifest.What this PR changes
uv.lockto0.8.6— the actual CI fix. One-line lock diff;uv lock --checkconfirms in-sync.npmecosystem from.github/dependabot.yml— stops the recurring failed Dependabot job; comment records the why for whoever adds node tooling.release-bullyskill (recurrence prevention) — add auv lockstep + includeuv.lockin the release commit, and correct the stalepipeline/pipeline.py→src/bully/__init__.pyversion-field path.Verification
All six CI steps pass locally on this branch:
uv sync --locked --all-extras✓ruff check✓ ·ruff format --check✓ (99 files) ·shellcheck✓pytest -q→ 442 passed, 1 skipped ✓bully dogfood✓ (exit 0)Follow-up (after merge)
The 3 open Dependabot PRs (#10 checkout v6, #11 shellcheck-py, #12 ruff-pre-commit) are red only because of the stale lock they inherited — none has an independent problem (the pre-commit bumps don't even touch
ci.yml). Once this merges,@dependabot rebaseeach to pick up the fixed lock; they should go green.🤖 Generated with Claude Code