ci: group dependabot updates + fix python-binding workflow #25

Merged: systemslibrarian merged 4 commits into main from chore/dependabot-grouping-and-ci-fix on Jun 4, 2026
@systemslibrarian (Owner)

Summary

  • Group dependabot PRs: one weekly PR per ecosystem instead of one per dependency. Cryptographic primitives stay ungrouped so each bump still gets manual eyes.
  • Fix python-binding CI: `pip install --upgrade pip maturin` fails on pip 26+ (which now requires `python -m pip install --upgrade pip`). This was blocking PR #17 (Bump Microsoft.NET.Test.Sdk from 17.14.1 to 18.6.0).
  • Drop py3.9 from the binding matrix: 3.9 went EOL Oct 2025, and actions/setup-python@v6 (PR #22, build(deps): bump actions/setup-python from 5 to 6) drops 3.9 support. Replaced with py3.10.

This is the prerequisite that lets PRs #17 and #22 actually pass CI.

Test plan

- dependabot.yml: group GitHub Actions, .NET non-crypto, and Rust
  non-crypto crates into single weekly PRs. Cryptographic primitives
  (BouncyCastle, ml-kem, ml-dsa, hkdf, sha2, sha3, generic-array,
  rand_core, zeroize) stay ungrouped so each bump gets manual review.
- python-binding.yml: pip 26+ rejects `pip install --upgrade pip`;
  use `python -m pip install --upgrade pip maturin` instead.
- python-binding.yml: replace py3.9 (EOL Oct 2025) with py3.10 in the
  matrix so actions/setup-python@v6 (which drops 3.9) can land.

github-actions bot added the `ci` label (CI workflows or supply-chain configuration.) on Jun 4, 2026

maturin 1.13+ refuses to install into the system Python and requires
VIRTUAL_ENV / CONDA_PREFIX / .venv. Create a venv in bindings/python
and export VIRTUAL_ENV + add it to PATH via GITHUB_ENV/GITHUB_PATH so
subsequent steps (pip install maturin, maturin develop, smoke test)
all use the venv's Python.

maturin 1.13 on Windows refuses to use a bare `python.exe` ("could not
determine version from interpreter name"). Pass the venv's python by
absolute path via --interpreter so maturin uses the right one on all
three OSes without relying on filename version inference.

`maturin develop` requires an active venv and tries to detect the
interpreter from the venv directory; on Windows it can't infer the
version from a bare `python.exe`. Avoid the whole venv-detection path
by building a wheel with `maturin build` and installing it into the
host Python with pip — same end state, no venv juggling.

@systemslibrarian merged commit c8213e5 into main on Jun 4, 2026
40 checks passed
@systemslibrarian deleted the chore/dependabot-grouping-and-ci-fix branch on June 4, 2026 08:36
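
The grouping described in the summary and the first commit message, written out as a `dependabot.yml` sketch. This is an added example, not the repository's actual file: the group names, the `directory` values and the `BouncyCastle*` wildcard are assumptions, while the package names are the ones listed in the commit message.

```yaml
# Added example; not the project's own dependabot.yml.
version: 2
updates:
  # GitHub Actions: every action bump lands in one weekly PR.
  - package-ecosystem: "github-actions"
    directory: "/"            # assumed location
    schedule:
      interval: "weekly"
    groups:
      actions:                # assumed group name
        patterns:
          - "*"

  # .NET: group everything except the crypto library.
  - package-ecosystem: "nuget"
    directory: "/"            # assumed location
    schedule:
      interval: "weekly"
    groups:
      dotnet-non-crypto:      # assumed group name
        patterns:
          - "*"
        exclude-patterns:
          - "BouncyCastle*"   # assumed wildcard covering the BouncyCastle packages

  # Rust: group everything except cryptographic primitives and their
  # security-sensitive support crates.
  - package-ecosystem: "cargo"
    directory: "/"            # assumed location
    schedule:
      interval: "weekly"
    groups:
      rust-non-crypto:        # assumed group name
        patterns:
          - "*"
        exclude-patterns:
          - "ml-kem"
          - "ml-dsa"
          - "hkdf"
          - "sha2"
          - "sha3"
          - "generic-array"
          - "rand_core"
          - "zeroize"
```

A dependency that matches no group keeps getting its own pull request, so each excluded crate or package still arrives as a single-dependency bump that can be reviewed on its own.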