chore: pin Docker Python base image to 3.14.x#1182
Walkthrough

The Dependabot configuration file was updated to add ignore rules for Python dependency updates with versions >= 3.15. These rules were added to three Docker package ecosystem entries in the backend, web, and sandbox directories. Each entry maintains its existing ignore rule for chainguard/python while adding a new ignore rule targeting the generic python dependency with the specified version constraint.
Pull request overview

Pins Docker Python base image updates to the 3.14.x line by preventing Dependabot from proposing Python >= 3.15 tags for the three Docker ecosystems (backend, web, sandbox), avoiding accidental upgrades to unsuitable 3.15 alpha images.

Changes:
- Added a `python >= 3.15` ignore rule to the existing `/docker/backend` Dependabot entry.
- Introduced new `ignore` sections for `/docker/web` and `/docker/sandbox` to block `python >= 3.15`.
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
Snapshot Warnings: Ensure that dependencies are being submitted on PR branches. Re-running this action after a short time may resolve the issue. See the documentation for more information and troubleshooting advice.
Scanned Files: None
🤖 I have created a release *beep* *boop*

---

## [0.6.5](v0.6.4...v0.6.5) (2026-04-09)

### Features

* add control-plane API endpoints batch ([#1118](#1118), [#1119](#1119), [#1120](#1120), [#1121](#1121)) ([#1138](#1138)) ([af11f0a](af11f0a))
* engine intelligence v2 -- trace enrichment, compaction, versioning eval ([#1139](#1139)) ([ed57dfa](ed57dfa)), closes [#1123](#1123) [#1125](#1125) [#1113](#1113)
* generalize versioning to VersionSnapshot[T] for all entity types ([#1155](#1155)) ([5f563ce](5f563ce)), closes [#1131](#1131) [#1132](#1132) [#1133](#1133)
* implement auxiliary tool categories -- design, communication, analytics ([#1152](#1152)) ([b506ba4](b506ba4))
* implement multi-project support -- engine orchestration ([#242](#242)) ([#1153](#1153)) ([74f1362](74f1362))
* implement SharedKnowledgeStore append-only + MVCC consistency model (Phase 1.5) ([#1134](#1134)) ([965d3a1](965d3a1)), closes [#1130](#1130)
* implement shutdown strategies and SUSPENDED task status ([#1151](#1151)) ([6a0db11](6a0db11))
* persistent cost aggregation for project-lifetime budgets ([#1173](#1173)) ([5c212c5](5c212c5)), closes [#1156](#1156)
* Prometheus /metrics endpoint and OTLP exporter ([#1122](#1122)) ([#1135](#1135)) ([aaeaae9](aaeaae9)), closes [#1124](#1124)
* Prometheus metrics -- daily budget %, per-agent cost, per-agent budget % ([#1154](#1154)) ([581c494](581c494)), closes [#1148](#1148)

### Bug Fixes

* communication hardening -- meeting cooldown, circuit breaker backoff, debate fallback ([#1140](#1140)) ([fe82894](fe82894)), closes [#1115](#1115) [#1116](#1116) [#1117](#1117)

### CI/CD

* bump wrangler from 4.80.0 to 4.81.0 in /.github in the all group ([#1144](#1144)) ([b7c0945](b7c0945))

### Maintenance

* bump python from `6869258` to `5e59aae` in /docker/backend in the all group ([#1141](#1141)) ([01e99c2](01e99c2))
* bump python from `6869258` to `5e59aae` in /docker/sandbox in the all group ([#1143](#1143)) ([ea755bd](ea755bd))
* bump python from `6869258` to `5e59aae` in /docker/web in the all group ([#1142](#1142)) ([5416dd9](5416dd9))
* bump the all group across 1 directory with 2 updates ([#1181](#1181)) ([d3d5adf](d3d5adf))
* bump the all group across 1 directory with 3 updates ([#1146](#1146)) ([c609e6c](c609e6c))
* bump the all group in /cli with 2 updates ([#1177](#1177)) ([afd9cde](afd9cde))
* bump the all group in /site with 3 updates ([#1178](#1178)) ([7cff82a](7cff82a))
* bump the all group with 2 updates ([#1180](#1180)) ([199a1a8](199a1a8))
* bump vitest from 4.1.2 to 4.1.3 in /site in the all group ([#1145](#1145)) ([a8c1194](a8c1194))
* consolidated web deps (11 packages + hono security + test fixes) ([#1150](#1150)) ([63a9390](63a9390)), closes [#1147](#1147) [#1136](#1136) [#1137](#1137)
* pin Docker Python base image to 3.14.x ([#1182](#1182)) ([8ffdd86](8ffdd86))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

--------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Code Review
This pull request updates the Dependabot configuration to ignore Python versions 3.15 and above across multiple update groups. The review feedback suggests using update-types to ignore major and minor updates instead of specific version ranges, as this is a more robust method for pinning to the 3.14.x series and correctly handles pre-releases that might bypass simple version range filters.
| - dependency-name: python | ||
| versions: [">=3.15"] |
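Review bot: the `versions: [">=3.15"]` rule should be verified against the exact tag that prompted it, `3.15.0a8-slim`; under semver and PEP 440 ordering a pre-release such as `3.15.0a8` sorts below `3.15.0`, so a `>=3.15` range may not match it and the alpha bumps this change is meant to stop would keep arriving. Ignoring `version-update:semver-major` and `version-update:semver-minor` for `python`, as suggested elsewhere in this review, blocks any major or minor change regardless of pre-release suffix while leaving 3.14.x patch updates enabled. Note also that `dependency-name: python` only covers the plain `python` image; the separate `chainguard/python` ignore entry is unaffected.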
To robustly pin the Python base image to the 3.14.x series and avoid future major or minor updates (including the 3.15 alpha mentioned), it is recommended to use update-types instead of a specific version range. This approach prevents Dependabot from proposing any updates that change the major or minor version while still allowing security and patch updates for the 3.14 line. Note that ">=3.15" might not catch pre-releases like 3.15.0a8 due to semantic versioning rules where pre-releases are considered lower than the base version.
```yaml
- dependency-name: python
  update-types: ["version-update:semver-major", "version-update:semver-minor"]
```
| ignore: | ||
| - dependency-name: python | ||
| versions: [">=3.15"] |
| ignore: | ||
| - dependency-name: python | ||
| versions: [">=3.15"] |
Pin Docker Python base image to 3.14.x by adding `ignore` rules for `python >= 3.15` in all three Docker ecosystem entries (backend, web, sandbox).

Dependabot was proposing upgrades to Python 3.15.0a8-slim -- an alpha release that fails CI on 2 of 3 images and is not suitable for production Docker containers. The project targets Python 3.14+.

Changes
- docker/backend: added `python >= 3.15` ignore (alongside existing `chainguard/python` ignore)
- docker/web: added new `ignore` section with `python >= 3.15`
- docker/sandbox: added new `ignore` section with `python >= 3.15`

Test plan
- `check-yaml` hook
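To make the pre-release point from the review concrete, here is an added example (not code from this PR or the project) that compares the two ignore strategies against the tag that triggered the change. It assumes tag ordering as in PEP 440 and semver, where a pre-release sorts before the corresponding final release; it does not reproduce Dependabot's own docker version parsing, and the candidate tags are constructed.

```python
# Added example (not from the PR or the project): a small comparator showing why a
# `versions: [">=3.15"]` ignore rule can miss a pre-release tag like 3.15.0a8-slim
# while an update-types (semver-major/semver-minor) rule catches it. Assumes PEP 440 /
# semver ordering (pre-release < final); Dependabot's own parsing is not reproduced.
import re
from typing import NamedTuple

TAG_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(a|b|rc)(\d+))?(?:-(.+))?$")
PRE_ORDER = {"a": 0, "b": 1, "rc": 2}
FINAL = (99, 0)  # final releases sort after every a/b/rc pre-release


class Tag(NamedTuple):
    major: int
    minor: int
    patch: int
    pre: tuple      # (kind, number) for a/b/rc pre-releases, FINAL otherwise
    variant: str    # image flavour such as "slim"; ignored for ordering


def parse_tag(tag: str) -> Tag:
    """Parse Docker Hub python tags such as '3.14.2-slim' or '3.15.0a8-slim'."""
    m = TAG_RE.match(tag)
    if not m:
        raise ValueError(f"unrecognised python image tag: {tag}")
    major, minor, patch, pre_kind, pre_num, variant = m.groups()
    pre = (PRE_ORDER[pre_kind], int(pre_num)) if pre_kind else FINAL
    return Tag(int(major), int(minor), int(patch or 0), pre, variant or "")


def order_key(t: Tag) -> tuple:
    return (t.major, t.minor, t.patch, t.pre)


def ignored_by_range(tag: str, floor: str = "3.15") -> bool:
    """The rule as written in the PR: ignore versions >= 3.15.
    3.15.0a8 compares below 3.15.0, so the alpha is NOT ignored."""
    return order_key(parse_tag(tag)) >= order_key(parse_tag(floor))


def ignored_by_update_types(tag: str, current: str = "3.14") -> bool:
    """The reviewer's alternative: ignore semver-major and semver-minor updates,
    i.e. any tag whose major.minor differs from the pinned 3.14 line."""
    t, c = parse_tag(tag), parse_tag(current)
    return (t.major, t.minor) != (c.major, c.minor)


if __name__ == "__main__":
    # Constructed candidate tags; the alpha one is the tag named in the PR.
    for candidate in ("3.14.2-slim", "3.15.0a8-slim", "3.15.0-slim"):
        print(candidate, ignored_by_range(candidate), ignored_by_update_types(candidate))
```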