feat: add PyPI resource and pyproject autodiscovery plugins #8155
Should we leverage a library such as https://github.com/aquasecurity/go-pep440-version?

That being said, we are starting to have a lot of dependencies.
Pull request overview
Adds Python ecosystem support to Updatecli by introducing a new pypi resource (PyPI JSON API-backed version discovery/conditions/changelogs) and a new pyproject autodiscovery crawler (pyproject.toml dependency discovery with uv/uv.lock support), plus CI/config updates to support running uv-based e2e coverage.
Changes:
- Add `pypi` resource plugin (source/condition/changelog) and register it in the resource factory.
- Add `pyproject` autodiscovery crawler (uv lock detection, PEP 508 parsing, only/ignore rules, manifest template generation) and register it with alias `python/uv`.
- Add uv installation to CI and add an Updatecli policy to keep the workflow uv version pinned/up to date; add e2e autodiscovery configs.
Reviewed changes
Copilot reviewed 29 out of 33 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| updatecli/updatecli.d/uv.yaml | Updatecli policy to bump setup-uv version in GitHub workflows |
| pkg/plugins/resources/pypi/main.go | Implements PyPI JSON API fetch + version filtering/normalization + report config |
| pkg/plugins/resources/pypi/source.go | pypi source implementation |
| pkg/plugins/resources/pypi/source_test.go | Source unit tests (filtering, yanked handling, auth cases) |
| pkg/plugins/resources/pypi/condition.go | pypi condition implementation (version existence) |
| pkg/plugins/resources/pypi/condition_test.go | Condition unit tests |
| pkg/plugins/resources/pypi/changelog.go | Changelog extraction (GitHub releases fallback to PyPI links) |
| pkg/plugins/resources/pypi/changelog_test.go | Changelog unit tests |
| pkg/plugins/resources/pypi/target.go | Explicitly marks target as unsupported |
| pkg/plugins/resources/pypi/main_test.go | New() constructor validation tests |
| pkg/plugins/resources/pypi/test_utils.go | HTTP mock utilities + fixture JSON payloads |
| pkg/plugins/autodiscovery/pyproject/main.go | Crawler spec/config + initialization (defaults, rootdir handling, uv presence) |
| pkg/plugins/autodiscovery/pyproject/dependencies.go | TOML parsing + dependency discovery + manifest generation |
| pkg/plugins/autodiscovery/pyproject/manifestTemplate.go | Template used to generate Updatecli manifests for discovered deps |
| pkg/plugins/autodiscovery/pyproject/utils.go | File walking, uv/lock detection, PEP 508 parsing helpers |
| pkg/plugins/autodiscovery/pyproject/utils_test.go | Unit tests for PEP 508 parsing |
| pkg/plugins/autodiscovery/pyproject/matchingRule.go | Only/Ignore matching rules (path + package constraints) |
| pkg/plugins/autodiscovery/pyproject/matchingRule_test.go | Unit tests for matching rules logic |
| pkg/plugins/autodiscovery/pyproject/main_test.go | End-to-end-ish manifest generation tests from testdata projects |
| pkg/plugins/autodiscovery/pyproject/testdata/simple_project/pyproject.toml | Test fixture: basic deps |
| pkg/plugins/autodiscovery/pyproject/testdata/simple_project/uv.lock | Test fixture: uv lock presence |
| pkg/plugins/autodiscovery/pyproject/testdata/optional_deps/pyproject.toml | Test fixture: optional-dependencies groups |
| pkg/plugins/autodiscovery/pyproject/testdata/optional_deps/uv.lock | Test fixture: uv lock presence |
| pkg/plugins/autodiscovery/pyproject/testdata/no_version/pyproject.toml | Test fixture: dependency without constraint |
| pkg/plugins/autodiscovery/pyproject/testdata/no_version/uv.lock | Test fixture: uv lock presence |
| pkg/plugins/autodiscovery/pyproject/testdata/no_lockfile/pyproject.toml | Test fixture: source-only mode (no uv.lock) |
| pkg/plugins/autodiscovery/pyproject/testdata/markers/pyproject.toml | Test fixture: env markers in deps |
| pkg/plugins/autodiscovery/pyproject/testdata/markers/uv.lock | Test fixture: uv lock presence |
| pkg/core/pipeline/resource/main.go | Registers new pypi resource kind |
| pkg/core/pipeline/autodiscovery/main.go | Registers new pyproject crawler + alias python/uv |
| e2e/updatecli.d/success.d/autodiscovery/pyproject/pyproject.yaml | e2e config for pyproject autodiscovery (only rule) |
| e2e/updatecli.d/success.d/autodiscovery/pyproject/pyproject.versionfilter.yaml | e2e config for pyproject autodiscovery with versionfilter override |
| .github/workflows/go.yaml | Installs uv in CI to support pyproject/uv e2e coverage |
@loispostula Thanks for the pull request, that's a big beast 😄 Could you review the Copilot message?
Add Python ecosystem support to updatecli with two new plugins:

- pypi resource: queries PyPI JSON API for package versions, with PEP 440 to semver normalization (a/b/rc pre-releases), private registry support (Bearer token), and yanked version filtering.
- pyproject autodiscovery: discovers pyproject.toml + uv.lock pairs, parses PEP 508 dependencies, generates manifests using pypi source and uv add shell target. Named pyproject (alias python/uv) for multi-PM extensibility following the npm pattern.

Signed-off-by: Loïs Postula <lois@postu.la>
…i#8155)

* feat: add PyPI resource and pyproject autodiscovery plugins

  Add Python ecosystem support to updatecli with two new plugins:

  - pypi resource: queries PyPI JSON API for package versions, with PEP 440 to semver normalization (a/b/rc pre-releases), private registry support (Bearer token), and yanked version filtering.
  - pyproject autodiscovery: discovers pyproject.toml + uv.lock pairs, parses PEP 508 dependencies, generates manifests using pypi source and uv add shell target. Named pyproject (alias python/uv) for multi-PM extensibility following the npm pattern.

  Signed-off-by: Loïs Postula <lois@postu.la>

* fix: cursor comments

---------

Signed-off-by: Loïs Postula <lois@postu.la>
* feat(github): add client-side pull request merge option (#2312)

  Add a new 'clientsidemerge' option to the GitHub action spec that allows updatecli to merge a pull request directly via the GitHub GraphQL API (mergePullRequest mutation), bypassing the need for server-side auto-merge which requires a paid plan or a public repository. When 'clientsidemerge: true' is set, updatecli will attempt to merge the pull request immediately after it is created or updated. The merge will fail if the PR is not in a mergeable state (e.g. has conflicts or failing required checks). The merge method is controlled by the existing 'mergemethod' field and defaults to GitHub's default ('MERGE') if not specified. The 'usetitleforautomerge' flag is also respected to set a custom commit headline for squash and rebase merges.

  Fixes #2312

* feat(github): restructure merge spec and deprecate automerge field

  - Replace ClientSideMerge bool with nested Merge.Strategy/After fields
  - Deprecate AutoMerge bool -> *bool with migration warning to merge.strategy: auto
  - Add merge.after support to delay client-side merge by a configured duration
  - Minimize mutationMergePullRequest response struct (Copilot suggestion)
  - Guard nil rateLimit before calling Pause() in MergePullRequest
  - Add CreatedAt field to PullRequestApi

* feat: add PyPI resource and pyproject autodiscovery plugins (#8155)

  * feat: add PyPI resource and pyproject autodiscovery plugins

    Add Python ecosystem support to updatecli with two new plugins:

    - pypi resource: queries PyPI JSON API for package versions, with PEP 440 to semver normalization (a/b/rc pre-releases), private registry support (Bearer token), and yanked version filtering.
    - pyproject autodiscovery: discovers pyproject.toml + uv.lock pairs, parses PEP 508 dependencies, generates manifests using pypi source and uv add shell target. Named pyproject (alias python/uv) for multi-PM extensibility following the npm pattern.

    Signed-off-by: Loïs Postula <lois@postu.la>

  * fix: cursor comments

  ---------

  Signed-off-by: Loïs Postula <lois@postu.la>

* fix: various fixes and improvements

  * use constants for merge client strategy
  * add closing pullrequest in cleanAction
  * set default value to 24h for auto merge client
  * correctly fallback from automerge setting to either manual or auto

  Signed-off-by: Olblak <me@olblak.com>

* fix: ignore gosec

  Signed-off-by: Olblak <me@olblak.com>

---------

Signed-off-by: Loïs Postula <lois@postu.la>
Signed-off-by: Olblak <me@olblak.com>
Co-authored-by: Olivier Vernin <olivier@vernin.me>
Co-authored-by: Loïs Postula <lois@postu.la>
Co-authored-by: Olblak <me@olblak.com>
Add Python ecosystem support to updatecli with two new plugins: a `pypi` resource and `pyproject` autodiscovery.

PyPI Resource (`pkg/plugins/resources/pypi/`)

Queries the PyPI JSON API for Python package versions.

- `project_urls`, falls back to PyPI release page links
- `0.51b0` → `0.51.0-beta.0`, `1.0a1` → `1.0.0-alpha.1`, `2.0rc1` → `2.0.0-rc.1`) so that semver version filtering works with the Python ecosystem

Pyproject Autodiscovery (`pkg/plugins/autodiscovery/pyproject/`)

Discovers `pyproject.toml` files and generates updatecli manifests for dependency updates.

- `detectLockFileSupport()`
- `[project.dependencies]` and `[project.optional-dependencies]`
- `pypi` source + `uv add` shell target (updates pyproject.toml + uv.lock atomically)
- `pyproject` with alias `python/uv`
- `ignore/only` matching rules, custom `versionfilter`, and custom `indexurl`

Example configuration

Test

- `go test ./pkg/plugins/resources/pypi/... ./pkg/plugins/autodiscovery/pyproject/... -v`
- `e2e/updatecli.d/success.d/autodiscovery/pyproject/` using `astral-sh/uv-fastapi-example`

Additional Information

Checklist

Tradeoff

- `uv add` does not support `--dry-run`, following the same approach as pnpm in the npm autodiscovery. The `changedif: file/checksum` mechanism handles idempotency.
- `a/b/rc` pre-releases, `.dev` releases are excluded, `.post` releases map to build metadata. Calendar versioning (e.g., `2024.1`) is padded to 3-part semver. User can avoid this by using `only/ignore`

Potential improvement

- `detectLockFileSupport()` and adding corresponding target templates
- `[dependency-groups]` support (PEP 735)
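
The PEP 440 to semver mapping described in the pull request description above (a/b/rc pre-releases, `.dev` exclusion, `.post` as build metadata, calendar padding), as an added Go example that is not code from this pull request or from updatecli. The names `NormalizeToSemver` and `num`, the regular-expression subset, the rejection of versions with more than three release segments, and the `+post.N` build-metadata spelling are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed PEP 440 subset: up to three release segments, optional a/b/rc, .postN, .devN.
var pep440 = regexp.MustCompile(`^v?(\d+(?:\.\d+){0,2})(?:(a|b|rc)(\d+))?(?:\.post(\d+))?(\.dev\d+)?$`)

var preNames = map[string]string{"a": "alpha", "b": "beta", "rc": "rc"}

// num strips leading zeros, which semver forbids in numeric identifiers.
func num(s string) string {
	if t := strings.TrimLeft(s, "0"); t != "" {
		return t
	}
	return "0"
}

// NormalizeToSemver maps a PEP 440 version onto semver. ok is false for
// versions that are skipped: .dev releases and anything outside the subset.
func NormalizeToSemver(v string) (semver string, ok bool) {
	m := pep440.FindStringSubmatch(strings.ToLower(strings.TrimSpace(v)))
	if m == nil || m[5] != "" {
		return "", false
	}
	parts := strings.Split(m[1], ".")
	for i := range parts {
		parts[i] = num(parts[i])
	}
	parts = append(parts, "0", "0")[:3] // pad to three parts: 2024.1 -> 2024.1.0
	semver = strings.Join(parts, ".")
	if m[2] != "" {
		semver += "-" + preNames[m[2]] + "." + num(m[3])
	}
	if m[4] != "" {
		semver += "+post." + num(m[4]) // assumption: build-metadata spelling
	}
	return semver, true
}

func main() {
	for _, v := range []string{"0.51b0", "2024.1", "1.2.post3", "1.0.dev4"} { // constructed samples
		s, ok := NormalizeToSemver(v)
		fmt.Printf("%-10s -> %q ok=%v\n", v, s, ok)
	}
}
```

Semver ignores build metadata when ordering, so under this mapping a `.post` release compares equal to the release it follows.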