Skip to content

chore(deps): upgrade dependencies#590

Open
backgroundagents wants to merge 1 commit into
mainfrom
github-actions/upgrade-main
Open

chore(deps): upgrade dependencies#590
backgroundagents wants to merge 1 commit into
mainfrom
github-actions/upgrade-main

Conversation

@backgroundagents

@backgroundagents backgroundagents commented Jul 11, 2026

Copy link
Copy Markdown
Collaborator

Upgrades project dependencies. See details in workflow run.


Automatically created by the "upgrade-main" workflow

@backgroundagents backgroundagents force-pushed the github-actions/upgrade-main branch from 8d518b0 to 6e06eca Compare July 11, 2026 00:32
@backgroundagents backgroundagents requested a review from a team as a code owner July 11, 2026 00:32
@backgroundagents backgroundagents requested a review from a team as a code owner July 11, 2026 00:32
@backgroundagents backgroundagents force-pushed the github-actions/upgrade-main branch 4 times, most recently from 7c7ba9e to fee375b Compare July 15, 2026 00:28

@scottschreckengaust scottschreckengaust left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review: PR #590 chore(deps): upgrade dependencies

Verdict: REQUEST_CHANGES — this bot dep-bump is not mergeable as-is because it breaks the build. build (agentcore) is RED and the cause is a dependency in this very diff (the ty type-checker bump), not a pre-existing/flaky failure. For a dependency PR, CI-green is the load-bearing signal, so a bump that turns the build red must be fixed before merge — even for routine bot hygiene.

Everything else in the bump is safe (details below); the block is narrow and mechanical.

Vision alignment

Bounded blast radius, mostly. Lockfile-only change (agent/uv.lock + yarn.lock; no package.json / pyproject.toml edits), so every bump stays within existing semver ranges. No attack-surface widening, no new top-level deps. The one leak past the intended boundary is ty: it is pinned bare ("ty", no version bound) in agent/pyproject.toml, so "regenerate within pins" still walked the type-checker forward to a stricter engine (0.0.56 → 0.0.59) that rejects previously-accepted source.

Blocking

B1 — ty 0.0.56 → 0.0.59 breaks //agent:typecheck (build (agentcore) job is RED). agent/uv.lock (ty package block; +version = "0.0.59").

  • //agent:typecheck runs uv run ty check (agent/mise.toml:44). ty 0.0.59 now emits 9 new diagnostics in agent/tests/test_models.py — the source is unchanged in this PR, so this is purely the engine getting stricter/regressing on the same code:
    • invalid-assignment "Property … is read-only" at test_models.py:30, 63, 140, 170, 416, 447. Each is an intentional negative test asserting Pydantic immutability (e.g. c.author = "bob" inside with pytest.raises(ValidationError):) on models declared model_config = ConfigDict(frozen=True, …) (agent/src/models.py:20, 47, 62, 117, 294, 305).
    • invalid-argument-type at test_models.py:237, 244: content_trust={"issue": "untrusted-external", …} is inferred as dict[str, str] and rejected against the declared dict[str, ContentTrustLevel] where ContentTrustLevel = Literal["trusted","untrusted-external","memory"] (agent/src/models.py:71, 130).
  • Note this is a two-step jump vs main, which currently pins ty 0.0.50.
  • Fix — pick one, none should be silent:
    1. Cleanest for a pure dep-bump: pin ty==0.0.56 (last known-green) in agent/pyproject.toml and revert only the ty block of agent/uv.lock; let the other 8 Python bumps + all yarn bumps land green.
    2. If keeping ty current is desired: that requires touching agent/tests/test_models.py source (per-line # ty: ignore[invalid-assignment] on the 6 deliberate frozen-write negative tests, and an explicit dict[str, ContentTrustLevel] annotation / cast for the 2 content_trust literals). Source changes fall outside bot dep-hygiene and need a governance issue per ADR-003 — so this should be split out, not ridden in on the auto-approve bump.
    • Do not globally relax [tool.ty.rules] to mask this — it would hide real future frozen-write / literal bugs.

Non-blocking observations

  • Cedar parity: intact. Neither cedarpy (Python) nor @cedar-policy/cedar-wasm (TS) is touched — cedarpy==4.8.4 and cedar-wasm@4.8.2 are unchanged on both sides. The paired-engine rule (AGENTS.md "Common mistakes") is not triggered; no contracts/cedar-parity/ refresh needed.
  • No downgrades. All 9 uv.lock and ~60 yarn.lock transitions move forward.
  • No synth-affecting core CDK bump. aws-cdk-lib and constructs are not changed (the @@ aws-cdk-lib@^2.260.0 line is only a hunk-context header). @aws-cdk/cloud-assembly-schema 54.8.0→54.11.0 and the aws-cdk CLI 2.1129.0→2.1131.0 are the CLI/cxapi side, within the pinned major — CDK snapshot tests should not shift.
  • AWS SDK v3 clients (@aws-sdk/client-bedrock-agentcore/-runtime/-dynamodb/-ecs/-lambda/-s3/-secrets-manager) 3.1081.0→3.1087.0: standard weekly patch/minor cadence, no majors.
  • Python bumps anyio 4.14.1→4.14.2, asgiref 3.11.1→3.12.1, botocore 1.43.42→1.43.48, coverage 7.15.0→7.15.1, grpcio 1.81.1→1.82.1, ruff 0.15.20→0.15.21, s3transfer 0.19.0→0.19.1, websockets 16.0→16.1 — all patch/minor, none with a known advisory.

Documentation

N/A — pure lockfile bump; no docs/guides/ or docs/design/ source touched, so no Starlight mirror sync required.

Tests & CI

  • Secrets, deps, and workflow scan (OSV Scanner on yarn.lock + agent/uv.lock): pass — no advisories or vulnerable pulls introduced. CodeQL / Analyze (actions, js-ts, python): pass. Dead-code (advisory): pass. Validate PR title: pass.
  • build (agentcore): FAIL//agent:typecheck Found 9 diagnostics → exit 1 (B1). This is the sole failure and it is deterministic, not a flake.
  • No new tests expected for a dep bump; the concern is that existing tests/typecheck must stay green, and they do not.

Review agents run

  • pr-review-toolkit:code-reviewerran; independently reproduced the ty build-breaker mechanism and confirmed no downgrades / no synth-affecting core bump / Cedar untouched.
  • silent-failure-hunter, type-design-analyzeromitted (out of scope: lockfile-only diff, no error-handling or type-definition source changes).

Human heuristics

Base is fresh (PR head merge-base == origin/main @ 22705e83, single commit). Author is the backgroundagents bot; missing approved-issue is normal for pure dep hygiene and is not the basis for this block. The auto-approve label is present but must not auto-merge a red build — the failing agentcore job is a legitimate, self-caused gate failure. The narrowest green path is option (1): pin ty back and re-run.

🤖 Generated with Claude Code

Comment thread agent/uv.lock
{ url = "https://files.pythonhosted.org/packages/c3/36/f51d4666d2de6cf33c1f3a1fcc4bb6b70b197dd6ceaa491eef71d78fe8e8/ty-0.0.56-py3-none-win32.whl", hash = "sha256:b30687bb5cd9729d34c889a289edf32770388d9bb05243e534e723fb45e0381b", size = 11093759, upload-time = "2026-07-01T16:44:49.171Z" },
{ url = "https://files.pythonhosted.org/packages/5e/b4/8fb5d4acfa4afb152245b20fa263069a7547bd1f8e4bfca4eda280c897d7/ty-0.0.56-py3-none-win_amd64.whl", hash = "sha256:ad4c8c47b6f4e3f9ed3fc0b1a5d650088d229e17dd8f63c1826d6bbe94cc3235", size = 12100327, upload-time = "2026-07-01T16:44:51.26Z" },
{ url = "https://files.pythonhosted.org/packages/b8/fc/6a183e71edde90d0c35c2303f23f7a45b6891d1a2c45daf7b8f869831e19/ty-0.0.56-py3-none-win_arm64.whl", hash = "sha256:57538f273d444a5f1293fa7860e967178afe3917611fc5eff16b64e1204fe0d6", size = 11538780, upload-time = "2026-07-01T16:44:53.8Z" },
version = "0.0.59"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Blocking: this ty bump (0.0.56 → 0.0.59) is what turns build (agentcore) red. ty is pinned bare ("ty") in agent/pyproject.toml, so the lockfile is its only bound and regenerating walked it to a stricter engine. uv run ty check (agent/mise.toml:44) now emits 9 new diagnostics in agent/tests/test_models.py (6 frozen-attribute negative tests + 2 content_trust Literal narrowings) even though that source is unchanged in this PR.

Cleanest fix to keep this a green, pure dep-bump: pin ty==0.0.56 in agent/pyproject.toml and revert just this ty block of the lockfile; let the other bumps land. Keeping ty current instead requires editing test_models.py (deliberate # ty: ignore + explicit dict[str, ContentTrustLevel] annotations), which is source work that should go through a governance issue rather than the auto-approve bot bump.

Upgrades project dependencies. See details in [workflow run].

[Workflow Run]: https://github.com/aws-samples/sample-autonomous-cloud-coding-agents/actions/runs/29461601257

------

*Automatically created by the "upgrade-main" workflow*

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@backgroundagents backgroundagents force-pushed the github-actions/upgrade-main branch from fee375b to dfdf967 Compare July 16, 2026 00:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants