Description
Motivation.
Our builds should be as deterministic as possible. Building an image from the same commit should yield the same result. Otherwise we are in the wild west and things can break arbitrarily when things change underneath us, turning our main branch red.
Proposed Change.
- We pin all dependencies to precise versions
- Have a way of annotating them as "hard pinned" or not
- We have an automated job that:
  - Compares all deps with latest available versions
  - If there are any with new minor versions, opens a new PR updating the requirements.txt files with them. "hard pinned" dependencies are excluded.
  - The PR text can also include notification of any new major versions
  - This job runs automatically at some regular interval (suggest 1-2 times per week), but can also be run manually
Feedback Period.
No response
CC List.
No response
Any Other Things.
No response
orionr
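An added sketch of the comparison step of the proposed job, not code from this issue or from the project. It assumes plain numeric `name==X.Y.Z` pins, a hypothetical trailing `# hard-pinned` comment as the annotation, and a constructed map of available versions standing in for a package-index query.

```python
import re

PIN = re.compile(r"^([A-Za-z0-9_.-]+)==(\d+(?:\.\d+)*)\s*(#.*)?$")
HARD_PIN_MARK = "hard-pinned"  # hypothetical annotation, not defined in the issue

def vkey(version):
    """Turn '2.10.1' into (2, 10, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def plan_updates(requirements_text, available):
    """Return (updated requirements text, list of major-version notices)."""
    out, notices = [], []
    for line in requirements_text.splitlines():
        m = PIN.match(line.strip())
        if not m:
            out.append(line)  # comments, blanks and unpinned lines pass through
            continue
        name, current, comment = m.group(1), m.group(2), m.group(3) or ""
        if HARD_PIN_MARK in comment:
            out.append(line)  # excluded from automated bumps
            continue
        cur = vkey(current)
        newer = [v for v in available.get(name, []) if vkey(v) > cur]
        same_major = [v for v in newer if vkey(v)[0] == cur[0]]
        next_major = [v for v in newer if vkey(v)[0] > cur[0]]
        if same_major:  # bump within the current major version only
            best = max(same_major, key=vkey)
            line = f"{name}=={best}" + (f"  {comment}" if comment else "")
        if next_major:  # report only, never applied automatically
            top = max(next_major, key=vkey)
            notices.append(f"{name}: new major version {top} available (pinned {current})")
        out.append(line)
    return "\n".join(out) + "\n", notices

# Constructed sample input: package names and versions are made up.
SAMPLE_REQUIREMENTS = """\
# build requirements
alpha-lib==1.4.2
beta-core==2.0.0  # hard-pinned
gamma-utils==0.9.1
"""
SAMPLE_AVAILABLE = {
    "alpha-lib": ["1.4.2", "1.10.0", "1.9.3", "2.0.0"],
    "beta-core": ["2.0.0", "2.3.0"],
    "gamma-utils": ["0.9.1"],
}

if __name__ == "__main__":
    text, notes = plan_updates(SAMPLE_REQUIREMENTS, SAMPLE_AVAILABLE)
    print(text, *notes, sep="\n")
```

The returned text would become the PR diff against requirements.txt and the notices would go into the PR description; versions are compared as integer tuples so that 1.10.0 sorts above 1.9.3.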