Make dependabot ignore grpcio-tools#1160
Merged
Merged
Conversation
Signed-off-by: Albert Callarisa <albert@diagrid.io>
acroca
force-pushed
the
ignore-grpcio-tools-dependabot
branch
from
July 16, 2026 06:11
6dbb857 to
ce590a7
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Updates repository maintenance guidance and Dependabot configuration so grpcio-tools does not get bumped automatically, preserving the invariant that checked-in generated code under dapr/proto/ matches the pinned generator version and declared grpcio/protobuf floors.
Changes:
- Add a Dependabot ignore rule for
grpcio-toolsand document when/how to bump it safely. - Document the
grpcio-toolspin constraint inAGENTS.mdas a repo “Gotcha” for maintainers.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| AGENTS.md | Documents why grpcio-tools shouldn’t be bumped automatically and points to the enforcement test. |
| .github/dependabot.yml | Configures Dependabot to ignore grpcio-tools updates and adds maintainer bump instructions. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
acroca
marked this pull request as ready for review
July 16, 2026 06:12
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #1160 +/- ##
==========================================
+ Coverage 82.78% 82.85% +0.06%
==========================================
Files 123 123
Lines 10127 10127
==========================================
+ Hits 8384 8391 +7
+ Misses 1743 1736 -7 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
sicoyle
approved these changes
Jul 16, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Configures dependabot to ignore all
grpcio-toolsupdates, and documents the bumppolicy for maintainers (inline comment in
.github/dependabot.yml, plus a Gotchasbullet in
AGENTS.md).grpcio-toolsis not a normal dev dependency: its pin must stay the version thatgenerated the committed gencode under
dapr/proto/. The generated files embedminimum
grpcio/protobufversions stamped at generation time, which users'installs must satisfy at import — so regenerating with a newer grpcio-tools raises
the SDK's user-facing runtime floors. Holding the pin back costs nothing: old
gencode is fully supported on every newer runtime within the same major.
Dependabot's routine bump PRs are therefore noise at best, and at worst invite
merging a pin that no longer matches the committed gencode. This PR silences them.
Bumps remain possible, just deliberate. The new comment in
dependabot.ymlliststhe legitimate triggers (protos needing a newer protoc, a newly supported Python
version lacking wheels for the floor versions, a codegen security fix, or a
grpcio/protobuf major migration) and the recipe: update the pin, rerun the regen
scripts, and raise the floors in
[project.dependencies], all in one PR.tests/test_proto_gencode_floor.pyalready fails CI if these drift apart.