Pin and automate doing isolated bumps of hub image dependencies' major versions

Author: consideRatio

.github/dependabot.yaml

@@ -15,3 +15,15 @@ updates:
       interval: monthly
       time: "05:00"
       timezone: Etc/UTC
+  - package-ecosystem: pip
+    directory: /images/hub/unfrozen
+    labels: [breaking]
+    groups:
+      major-versions:
+        update-types: [major]
+        exclude-patterns:
+          - jupyterhub # bumped by other automation
+    schedule:
+      interval: daily
+      time: "05:00"
+      timezone: Etc/UTC

.github/workflows/watch-dependencies.yaml

@@ -4,7 +4,7 @@
 # - Watch multiple images tags referenced in values.yaml to match the latest
 #   image tag.
 #
-# - Watch the jupyterhub pinning in images/*/requirements.in to match the
+# - Watch the jupyterhub pinning in images/*/unfrozen/requirements.txt to match the
 #   latest jupyterhub version available on PyPI, and if doing this, also
 #   refreeze images/*/requirements.txt.
 #
@@ -20,7 +20,7 @@ name: Watch dependencies
 on:
   push:
     paths:
-      - "images/*/requirements.in"
+      - "images/*/unfrozen/requirements.txt"
       - ".github/workflows/watch-dependencies.yaml"
     branches: ["main"]
   schedule:
@@ -142,10 +142,10 @@ jobs:
       - name: Install Python dependencies
         run: pip install packaging requests
 
-      - name: Get images/hub/requirements.in pinned version of jupyterhub
+      - name: Get images/hub/unfrozen/requirements.txt pinned version of jupyterhub
         id: local
         run: |
-          local_version=$(cat images/hub/requirements.in | grep 'jupyterhub==' | sed 's/jupyterhub==//')
+          local_version=$(cat images/hub/unfrozen/requirements.txt | grep 'jupyterhub==' | sed 's/jupyterhub==//')
           echo "version=$local_version" >> $GITHUB_OUTPUT
 
       - name: Get latest version of jupyterhub
@@ -168,11 +168,11 @@ jobs:
         if: steps.local.outputs.version != steps.latest.outputs.version
         run: |
           for img in hub singleuser-sample; do
-            sed --in-place 's/jupyterhub==${{ steps.local.outputs.version }}/jupyterhub==${{ steps.latest.outputs.version }}/g' images/$img/requirements.in
+            sed --in-place 's/jupyterhub==${{ steps.local.outputs.version }}/jupyterhub==${{ steps.latest.outputs.version }}/g' images/$img/unfrozen/requirements.txt
           done
           sed --in-place 's/appVersion: "${{ steps.local.outputs.version }}"/appVersion: "${{ steps.latest.outputs.version }}"/g' jupyterhub/Chart.yaml
 
-      - name: Refreeze images/*/requirements.txt based on images/*/requirements.in
+      - name: Refreeze images/*/requirements.txt based on images/*/unfrozen/requirements.txt
         if: steps.local.outputs.version != steps.latest.outputs.version
         run: ci/refreeze
 
@@ -208,7 +208,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: Refreeze images/*/requirements.txt based on images/*/requirements.in
+      - name: Refreeze images/*/requirements.txt based on images/*/unfrozen/requirements.txt
         run: ci/refreeze
 
       - name: git diff
@@ -227,4 +227,4 @@ jobs:
           title: "hub image: refreeze requirements.txt"
           body: >-
             The hub image's requirements.txt has been refrozen based on
-            requirements.in.
+            unfrozen/requirements.txt.

ci/refreeze

@@ -14,6 +14,6 @@ for img in ${IMAGES}; do
         --workdir=/io \
         --user=root \
         python:3.12-bookworm \
-        sh -c 'pip install pip-tools==7.* && pip-compile --allow-unsafe --strip-extras --upgrade'
+        sh -c 'pip install pip-tools==7.* && pip-compile --allow-unsafe --strip-extras --upgrade --output-file=requirements.txt unfrozen/requirements.txt'
     popd
 done

images/hub/README.md

@@ -3,7 +3,7 @@
 The Dockerfile in this folder is built by
 [chartpress](https://github.com/jupyterhub/chartpress#readme), using the
 requirements.txt file. The requirements.txt file is updated based on the
-requirements.in file using [`pip-compile`](https://pip-tools.readthedocs.io).
+unfrozen/requirements.txt file using [`pip-compile`](https://pip-tools.readthedocs.io).
 
 ## How to update requirements.txt
 

images/hub/requirements.in

@@ -0,0 +1,33 @@
+# This file is the input to requirements.txt, which is a frozen version of this.
+#
+# To update:
+# - the jupyterhub version or the frozen requirements.txt file, use the
+#   "Run workflow" button at https://github.com/jupyterhub/zero-to-jupyterhub-k8s/actions/workflows/watch-dependencies.yaml.
+# - the major version pins in this file, trigger dependabot to run via
+#   https://github.com/jupyterhub/zero-to-jupyterhub-k8s/network/updates
+#
+
+# JupyterHub itself
+jupyterhub==5.2.1
+
+# JupyterHub Spawner, kubernetes specific
+jupyterhub-kubespawner==7.*
+
+# JupyterHub Authenticator choices
+jupyterhub-firstuseauthenticator==1.*
+jupyterhub-hmacauthenticator==1.*
+jupyterhub-ldapauthenticator==2.*
+jupyterhub-ltiauthenticator==1.*
+jupyterhub-nativeauthenticator==1.*
+jupyterhub-tmpauthenticator==1.*
+oauthenticator[googlegroups,mediawiki]==17.*
+
+# JupyterHub service shutting servers after a period of inactivity
+jupyterhub-idle-culler==1.*
+
+# Other optional dependencies for additional features
+pymysql==1.*  # mysql
+psycopg2==2.*  # postgres
+pycurl==7.*  # internal http requests handle more load with pycurl
+sqlalchemy-cockroachdb==2.* # cocroachdb
+statsd==4.*  # statsd metrics collection (TODO: remove soon, since folks use prometheus)

images/hub/unfrozen/requirements.txt

@@ -0,0 +1,17 @@
+# This file is the input to requirements.txt, which is a frozen version of this.
+#
+# To update:
+# - the jupyterhub version or the frozen requirements.txt file, use the
+#   "Run workflow" button at https://github.com/jupyterhub/zero-to-jupyterhub-k8s/actions/workflows/watch-dependencies.yaml.
+#
+
+# JupyterHub itself, update this version pinning by running the workflow
+# mentioned above.
+jupyterhub==5.2.1
+
+# UI
+jupyterlab
+nbclassic
+
+# plugins
+nbgitpuller