Skip to content

test: Update requirements.txt #159

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 3 commits into from
Closed

test: Update requirements.txt #159

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
1db0599
test: Update requirements.txt
shenxianpeng Nov 5, 2025
0145c66
fix: Update requirements.txt
shenxianpeng Nov 5, 2025
f0e71ef
test: Update action.yml
shenxianpeng Nov 5, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 2 additions & 11 deletions action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,17 +48,8 @@ runs:
python3 -m venv venv
source venv/bin/activate

# Download artifact
python3 -m pip download -r "$GITHUB_ACTION_PATH/requirements.txt"

# Verify artifact attestations
if ! gh attestation verify commit_check-*.whl -R commit-check/commit-check; then
echo "Artifact verification failed. Aborting installation."
exit 1
fi

# Install artifact
python3 -m pip install commit_check-*.whl pygithub-*.whl
# Install artifacts
python3 -m pip install -r "$GITHUB_ACTION_PATH/requirements.txt"
Comment on lines +51 to +52
Copy link

@coderabbitai coderabbitai bot Nov 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Update misleading comment on line 51.

The comment says "Install artifacts" but the code now installs from requirements.txt. Update for clarity:

-        # Install artifacts
+        # Install dependencies from requirements.txt
         python3 -m pip install -r "$GITHUB_ACTION_PATH/requirements.txt"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# Install artifacts
python3 -m pip install -r "$GITHUB_ACTION_PATH/requirements.txt"
# Install dependencies from requirements.txt
python3 -m pip install -r "$GITHUB_ACTION_PATH/requirements.txt"
🤖 Prompt for AI Agents 
In action.yml around lines 51 to 52, the inline comment "Install artifacts" is
now misleading because the step installs Python packages from requirements.txt;
update the comment to clearly reflect the action (e.g., "Install Python
dependencies from requirements.txt") so it matches the pip install command and
improves readability.


python3 "$GITHUB_ACTION_PATH/main.py"
env:
Expand Down
2 changes: 1 addition & 1 deletion requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
# Install commit-check CLI
# For details please see: https://github.com/commit-check/commit-check
commit-check==2.1.1
git+https://github.com/commit-check/commit-check.git@feature/support-github-user-to-get-env
Copy link

@coderabbitai coderabbitai bot Nov 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Feature branch dependency is not production-ready for a GitHub Action.

Using feature/support-github-user-to-get-env as the source for commit-check introduces multiple risks:

  • Branches can be deleted, force-pushed, or contain unstable changes
  • No reproducibility guarantees across workflow runs
  • Users of this action cannot rely on consistent behavior

Additionally, the Git URL format should follow PEP 440 by including the package name: commit-check @ git+https://... instead of the direct URL format.

For reproducibility and stability, pin to a specific commit hash rather than a branch name. Consider whether this change should merge to main, or if it's temporary for testing issue #156.

Suggested format if committing to main:

-git+https://github.com/commit-check/commit-check.git@feature/support-github-user-to-get-env
+commit-check @ git+https://github.com/commit-check/commit-check.git@<COMMIT_HASH>

Or, if reverting to PyPI after testing:

-git+https://github.com/commit-check/commit-check.git@feature/support-github-user-to-get-env
+commit-check==2.1.1

I'll verify the key claims in the review comment by gathering information about pip dependency formats and the codebase context.

🏁 Script executed:

#!/bin/bash
# Check the full requirements.txt file and surrounding context
if [ -f "requirements.txt" ]; then
  echo "=== requirements.txt content ==="
  cat requirements.txt
  echo ""
  echo "=== file metadata ==="
  wc -l requirements.txt
else
  echo "requirements.txt not found"
fi

Length of output: 312

🌐 Web query:

PEP 440 pip git dependency format package name required

💡 Result:

Short answer: Yes — when using PEP 440 "direct references" as dependency specifiers (the supported form for install_requires / pyproject dependencies / PEP 508), you must include the package name: use "PackageName @ ". PEP 440 defines the "name @ URL" direct-reference form, and setuptools / modern tooling expect "Package @ git+https://…". Pip historically accepts legacy VCS URLs like git+https://... and can infer a name from a #egg= fragment for installs, but the canonical PEP‑440/PEP‑508 style is "Name @ URL" and omitting the name is not supported for dependency fields. [1][2][3][4]

Sources:

  • PEP 440 — direct references (name @ URL). [1]
  • setuptools documentation — "Direct URL dependencies" examples using "Package-A @ git+https://…". [2]
  • pip VCS docs — explanation of #egg fragment and legacy VCS URL behavior. [3]
  • PEP 508 note: PEP‑440's URL reference form and that tooling uses it. [4]

🌐 Web query:

commit-check PyPI package current version

💡 Result:

The current PyPI version of the commit-check package is 2.1.0 — uploaded Oct 20, 2025. [1]

Sources

  • PyPI project page for commit-check (release 2.1.0). [1]

🌐 Web query:

pip git+https without package name legacy format compatibility issues

💡 Result:

Short answer: the old "legacy" way (git+https://...#egg=Name or #egg=Name&subdirectory=...) is still supported by many pip versions but causes compatibility problems with newer packaging standards. Use the PEP‑508 direct-reference form "Name @ git+https://..." (and subdirectory= when needed) for best compatibility with modern pip, pip-tools, and pyproject-based builds.

Key points and examples

  • Legacy form: pip historically relied on the fragment #egg=PackageName (and &subdirectory=path) to determine the project name before metadata was inspected; that format can be fragile (editable installs, subdirectory resolution, older pip behavior). Example: git+https://github.com/user/repo.git#egg=pkg&subdirectory=src/pkg. [2][3]
  • Modern/PEP‑508 form: specify the install name up front: pkg @ git+https://github.com/user/repo.git@ref#subdirectory=src/pkg — this is the recommended form for current pip and tools that parse requirements. It avoids relying on the egg fragment and works better with pyproject-based projects. [1][3]
  • Practical compatibility warnings:
    • Very old pip versions required #egg and may not understand the PEP‑508 "pkg @" syntax; conversely, some tooling that still expects #egg can fail if you only use "pkg @ …". If you must support a wide range of pip versions, you may need to include both forms in documentation or pin minimum pip. [2][3]
    • Subdirectory handling and editable installs have historically had bugs (wrong egg-link target, entry_points/import issues). Test installs with your target pip version. [3]
    • pip writes direct_url.json / PEP‑610 metadata for direct VCS installs; modern installers/readers rely on that. Use current pip to get consistent metadata. [1]

Recommendations

Sources

  • PEP‑610 / direct URL metadata and examples (direct_url.json, VCS examples). [1]
  • pip VCS URL format and docs (git+https and #egg usage). [2]
  • Community reports and subdirectory/editable quirks (Stack Overflow examples). [3]

Feature branch dependency is not production-ready for a GitHub Action, and the format needs correction.

Using feature/support-github-user-to-get-env as the source for commit-check introduces real risks:

  • Branches can be deleted, force-pushed, or contain unstable changes
  • No reproducibility guarantees across workflow runs
  • Users of this action cannot rely on consistent behavior

The Git URL format must also follow PEP 440 by including the package name: commit-check @ git+https://... instead of the current direct URL format (which relies on legacy pip conventions).

For reproducibility and stability, pin to a specific commit hash rather than a branch name. Consider whether this change should merge to main, or if it's temporary for testing.

Suggested format if committing to main:

-git+https://github.com/commit-check/commit-check.git@feature/support-github-user-to-get-env
+commit-check @ git+https://github.com/commit-check/commit-check.git@<COMMIT_HASH>

Or, if reverting to PyPI after testing:

-git+https://github.com/commit-check/commit-check.git@feature/support-github-user-to-get-env
+commit-check==2.1.0
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
git+https://github.com/commit-check/commit-check.git@feature/support-github-user-to-get-env
commit-check==2.1.0
🤖 Prompt for AI Agents 
In requirements.txt around line 3, the dependency points to a feature branch URL
which is unsafe for a production GitHub Action and uses a non-PEP440 pip URL
format; replace the branch reference with a fixed commit hash and conform to PEP
440 by prefacing the VCS URL with the package name (e.g., "commit-check @
git+https://github.com/commit-check/commit-check.git@<commit-hash>"), or
alternatively revert to the published PyPI package if this was only for testing;
ensure the chosen commit hash exists and is immutable, update the requirements
line accordingly, and consider merging the feature into main or switching back
to the PyPI package as a permanent solution.

# Interact with the GitHub API.
PyGithub==2.8.1
Loading