Add script that checks dependency conflicts

[oyvindeide]

No description provided.

[oyvindeide]

Is this worth merging?

[jondequinor]

I think that it's not, since it's not considering the actual, built distribution. I think the easier and more correct approach would be to have a pip check integrated into the komodo build process. What do you think?

[jondequinor]

In either case, added #219

[oyvindeide]

I think that it's not, since it's not considering the actual, built distribution. I think the easier and more correct approach would be to have a pip check integrated into the komodo build process. What do you think?

I see your point, and having it at the end of the build process would make sense, but they are not exclusive. I see the use case of this more when bumping packages from pypi and needing to check dependencies. It will shorten the feedback loop significantly as opposed to having it as a part of the build process. It is of course not a fail safe, as some internal packages could have conflicting deps, but then we can at least find more of them earlier.

[jondequinor]

Rename the script to "pypi_conflicts" or something, and add it to a pipeline so that you don't have to run it manually.

[oyvindeide]

Rename the script to "pypi_conflicts" or something, and add it to a pipeline so that you don't have to run it manually.

The first part I agree on, the second also, but that would be up to the users of komodothough. This installs every package, and so is quite slow, running it on every (unchanged) release file would not make sense. The workflow would be on changes to a release file.

[oyvindeide]

Something like this looks promising:
https://github.com/tj-actions/changed-files

[sondreso]

The snyk job already does this 🙂

[sondreso]

It transpiles only changed releases: https://github.com/equinor/komodo-releases/blob/master/.github/workflows/snyk.yml#L20-L50

[oyvindeide]

Did not think about that - can create something based on that

[jondequinor]

Do I need to pass --try-pip to actually have anything checked? What happens if this is not provided?

[jondequinor]

Either way, I think invoking this program like so

komodo-check-conflicts bleeding.yml repository.yml

should

1. if it finds conflict, exit with a non-zero exit code and output these to stdout;
2. if no conflict, exit with 0 without any output.

The parser is called "Checks if pypi packages are compatible" and the command is called "komodo-check-conflicts", so introducing "output", "requirements", and "try-pip" as default false is a bit unexpected.

Maybe remove --try-pip, rename --output-file to --generate-requirements. The latter should also

1. have help text explaining that the program will "Output installed packages in pip requirements format.";
2. not require a file, but generate the requirements on stdout. If the user needs something in a file, the unix philosophy warrants:

komodo-check-conflicts --generate-requirements > requirements.txt

[oyvindeide]

Yes you do, will remove that option so it always checks.

[jondequinor]

not needed

[oysteoh]

Encourage to either

• Make a comment justifying the PR to exist
• Close it
• Fix and merge

[oyvindeide]

I will have a look at it in the next week or so, if I dont get anywhere I will close it.