Skip to content

Make dependabot ignore grpcio-tools#1160

Merged
sicoyle merged 1 commit into
dapr:mainfrom
acroca:ignore-grpcio-tools-dependabot
Jul 16, 2026
Merged

Make dependabot ignore grpcio-tools#1160
sicoyle merged 1 commit into
dapr:mainfrom
acroca:ignore-grpcio-tools-dependabot

Conversation

@acroca

@acroca acroca commented Jul 16, 2026

Copy link
Copy Markdown
Member

Description

Configures dependabot to ignore all grpcio-tools updates, and documents the bump
policy for maintainers (inline comment in .github/dependabot.yml, plus a Gotchas
bullet in AGENTS.md).

grpcio-tools is not a normal dev dependency: its pin must stay the version that
generated the committed gencode under dapr/proto/. The generated files embed
minimum grpcio/protobuf versions stamped at generation time, which users'
installs must satisfy at import — so regenerating with a newer grpcio-tools raises
the SDK's user-facing runtime floors. Holding the pin back costs nothing: old
gencode is fully supported on every newer runtime within the same major.

Dependabot's routine bump PRs are therefore noise at best, and at worst invite
merging a pin that no longer matches the committed gencode. This PR silences them.

Bumps remain possible, just deliberate. The new comment in dependabot.yml lists
the legitimate triggers (protos needing a newer protoc, a newly supported Python
version lacking wheels for the floor versions, a codegen security fix, or a
grpcio/protobuf major migration) and the recipe: update the pin, rerun the regen
scripts, and raise the floors in [project.dependencies], all in one PR.
tests/test_proto_gencode_floor.py already fails CI if these drift apart.

@acroca
acroca requested a review from Copilot July 16, 2026 06:11
Signed-off-by: Albert Callarisa <albert@diagrid.io>
@acroca
acroca force-pushed the ignore-grpcio-tools-dependabot branch from 6dbb857 to ce590a7 Compare July 16, 2026 06:11

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates repository maintenance guidance and Dependabot configuration so grpcio-tools does not get bumped automatically, preserving the invariant that checked-in generated code under dapr/proto/ matches the pinned generator version and declared grpcio/protobuf floors.

Changes:

  • Add a Dependabot ignore rule for grpcio-tools and document when/how to bump it safely.
  • Document the grpcio-tools pin constraint in AGENTS.md as a repo “Gotcha” for maintainers.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
AGENTS.md Documents why grpcio-tools shouldn’t be bumped automatically and points to the enforcement test.
.github/dependabot.yml Configures Dependabot to ignore grpcio-tools updates and adds maintainer bump instructions.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@acroca
acroca marked this pull request as ready for review July 16, 2026 06:12
@acroca
acroca requested review from a team as code owners July 16, 2026 06:12
@codecov

codecov Bot commented Jul 16, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.85%. Comparing base (0b07a2d) to head (ce590a7).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1160      +/-   ##
==========================================
+ Coverage   82.78%   82.85%   +0.06%     
==========================================
  Files         123      123              
  Lines       10127    10127              
==========================================
+ Hits         8384     8391       +7     
+ Misses       1743     1736       -7     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@sicoyle
sicoyle added this pull request to the merge queue Jul 16, 2026
Merged via the queue into dapr:main with commit a9445f9 Jul 16, 2026
19 checks passed
@acroca
acroca deleted the ignore-grpcio-tools-dependabot branch July 16, 2026 13:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants