sigstore-python

Tighter update loop for hashed requirements file

Open di opened this issue 3 years ago • 1 comments

In #114 @woodruffw raised that this file may become stale on new releases.

To resolve this and provide a tighter feedback loop on a release -> update, we could

  • a) add a pin to the requirements.in file
  • b) introduce a workflow that ensures the compiled file is up to date, and
  • c) also introduce a dependabot-like workflow that runs on every new release to create a PR to update the pin (something like https://github.com/di/pip-api/blob/master/.github/workflows/pip-feed.yml should work).

di, Jun 03 '22 17:06

Another small thing we'll need to handle: if we have pre-releases or alphas as part of the development process, we'll probably want to keep the requirements.in behind until the next stable becomes available.

woodruffw, Jun 04 '22 18:06

CC @tnytown

woodruffw, Mar 08 '23 15:03
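The checks proposed in (b) and (c), together with the pre-release caveat from the first comment, can be sketched as one staleness check. This is an added example, not code from this issue or from sigstore-python; the package names `example-pkg` and `dep-lib`, the version numbers, the hash values and the digits-and-dots test for "stable" (a simplification of PEP 440) are all assumptions.

```python
import re

PIN = re.compile(r"^([A-Za-z0-9._-]+)==([^\s;\\]+)")
HASH = re.compile(r"--hash=sha256:[0-9a-f]{64}\b")
STABLE = re.compile(r"^\d+(\.\d+)*$")  # simplified PEP 440: digits and dots only

def vkey(version):
    return tuple(int(part) for part in version.split("."))

def parse_pins(text):
    """Map name -> (version, has_hash), joining backslash continuations."""
    pins = {}
    for line in re.sub(r"\\\r?\n", " ", text).splitlines():
        m = PIN.match(line.strip())
        if m:  # comment and blank lines never match PIN
            pins[m.group(1).lower()] = (m.group(2), bool(HASH.search(line)))
    return pins

def latest_stable(released):
    """Newest release that is not an alpha, beta, rc or dev build."""
    return max((v for v in released if STABLE.match(v)), key=vkey, default=None)

def check(requirements_in, compiled, package, released):
    """Return a list of problems; empty means pin, lock and hashes agree."""
    problems = []
    want = parse_pins(requirements_in).get(package, (None, False))[0]
    locked = parse_pins(compiled)
    if want is None:
        problems.append(f"{package} is not pinned in requirements.in")
    elif locked.get(package, (None, False))[0] != want:
        problems.append(f"compiled file does not lock {package}=={want}")
    problems += [f"{n} has no sha256 hash" for n, (_, h) in locked.items() if not h]
    newest = latest_stable(released)
    if want and newest and STABLE.match(want) and vkey(want) < vkey(newest):
        problems.append(f"pin {want} is behind latest stable {newest}")
    return problems

# Constructed sample data: hypothetical packages, placeholder hash, made-up versions.
SAMPLE_IN = "example-pkg==1.0.0\n"
SAMPLE_LOCK = (
    "example-pkg==1.0.0 \\\n    --hash=sha256:" + "a" * 64 + "\n    # via -r requirements.in\n"
    "dep-lib==2.28.0\n"
)
SAMPLE_RELEASES = ["0.9.0", "1.0.0", "1.1.0rc1"]

if __name__ == "__main__":
    for problem in check(SAMPLE_IN, SAMPLE_LOCK, "example-pkg", SAMPLE_RELEASES):
        print(problem)
```

With the sample data the release candidate `1.1.0rc1` does not trigger a pin update, while the unhashed `dep-lib` entry is reported.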