Pin dependencies to exact versions #170

Merged: negz merged 2 commits into main from pin-it on Jun 17, 2026
Conversation

negz (Collaborator) commented Jun 16, 2026

Description of your changes

Modelplane's provider dependencies were pulled from the Upbound registry (xpkg.upbound.io/upbound), and provider-helm and provider-kubernetes used a >= range rather than an exact version. The ranges let the resolved version drift, so two checkouts could build against different provider versions.

Pinning to exact versions on the Upbound registry takes some care. Per Upbound's package policies, a downstream main release stays available for 12 months, but once a minor line has a newer minor, its remaining patch releases are backports that require a paid subscription and pull secrets. So pinning to a downstream-only backport like provider-kubernetes:v1.2.6 or provider-aws-efs:v2.5.3 would point anonymous users at an artifact they can't pull.

The versions that exist upstream on crossplane-contrib are retained on the Upbound registry for 12+ months, so pinning each provider to its latest upstream release keeps the artifacts pullable without a subscription while still getting the signed, SBOM-bearing downstream builds. This pins the AWS and GCP family providers (including provider-aws-efs) to v2.6.0, provider-helm to v1.2.0, and provider-kubernetes to v1.2.1.

The preparatory commit fixes a related problem in schema generation. There were two entrypoints: nix run .#generate regenerated only the dependency half of schemas/python/, while the XRD-derived models under models/ai/ are written by crossplane project build (nix run .#build-crossplane). Running .#generate alone produced an incomplete tree. Both generators were also additive, never removing models or lock entries for dependencies that had been dropped or renamed, which is how schemas/.lock.json accumulated entries for unused provider versions. That commit removes .#generate, makes .#build-crossplane the single entrypoint, and has it delete schemas/ before regenerating so the output reflects only the current XRDs and dependencies.

The bulk of the diff is the regenerated schemas/python/ tree and schemas/.lock.json.

I have:

  • Read and followed Modelplane's contribution process.
  • Run nix flake check (or ./nix.sh flake check) and made sure it passes.
  • Added or updated tests covering any composition function changes. No composition function changes.
  • Signed off every commit with git commit -s.
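A lint check for the drift and pullability problems described above, added here as an example and not part of this PR or of Modelplane: it takes the parsed `spec.dependsOn` list of a `crossplane.yaml` (constructed inline), flags any version constraint that is not an exact semver pin, and, for exact pins, flags versions absent from a constructed allowlist of upstream releases, since such a version may be a subscription-only downstream backport. The `dependsOn` key names, the allowlist contents and the version values are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the parsed spec.dependsOn list of a crossplane.yaml.
# The key names (provider/function/configuration/package + version) are an
# assumption about Crossplane package metadata; the registry path and provider
# names mirror the PR, the version strings are constructed for this example.
DEPENDS_ON = [
    {"provider": "xpkg.upbound.io/upbound/provider-helm", "version": ">=v1.0.0"},
    {"provider": "xpkg.upbound.io/upbound/provider-kubernetes", "version": "v1.2.6"},
    {"provider": "xpkg.upbound.io/upbound/provider-aws-efs", "version": "v2.6.0"},
]

# Constructed allowlist: versions assumed to exist upstream on crossplane-contrib
# and therefore retained on the Upbound registry without a subscription.
UPSTREAM_RELEASES = {
    "provider-helm": {"v1.1.0", "v1.2.0"},
    "provider-kubernetes": {"v1.2.0", "v1.2.1"},
    "provider-aws-efs": {"v2.5.0", "v2.6.0"},
}

# An exact pin is a bare semver (optional leading v); anything else (>=, ^, ~,
# wildcards, empty) is a range the resolver may move.
EXACT_SEMVER = re.compile(r"^v?\d+\.\d+\.\d+$")

REFERENCE_KEYS = ("provider", "function", "configuration", "package")


@dataclass(frozen=True)
class Finding:
    name: str
    version: str
    reason: str


def package_name(ref: str) -> str:
    """Last path element of a registry reference, e.g. 'provider-helm'."""
    return ref.rsplit("/", 1)[-1]


def check_dependencies(deps, upstream) -> list:
    """Return one Finding per dependency that is unpinned or not an upstream release."""
    findings = []
    for dep in deps:
        ref = next((dep[k] for k in REFERENCE_KEYS if k in dep), "")
        version = str(dep.get("version", ""))
        name = package_name(ref)
        if not EXACT_SEMVER.match(version):
            findings.append(Finding(name, version, "version is a range, not an exact pin"))
            continue
        known = upstream.get(name)
        if known is None:
            findings.append(Finding(name, version, "no upstream release data for this package"))
        elif version not in known:
            findings.append(Finding(
                name, version,
                "not an upstream release; may be a subscription-only downstream backport",
            ))
    return findings


def latest_upstream(name: str, upstream) -> str:
    """Highest upstream release for a package, the value the PR pins to."""
    versions = upstream.get(name, set())
    if not versions:
        return ""
    return max(versions, key=lambda v: tuple(int(p) for p in v.lstrip("v").split(".")))


if __name__ == "__main__":
    for f in check_dependencies(DEPENDS_ON, UPSTREAM_RELEASES):
        print(f"{f.name} {f.version}: {f.reason}; "
              f"suggested pin {latest_upstream(f.name, UPSTREAM_RELEASES)}")
```

Run as a CI step against the real dependency list, the check fails the build on the two conditions the PR author had to reason about by hand: a range constraint, and an exact version that exists only as a downstream backport.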

Copilot AI review requested due to automatic review settings June 16, 2026 21:12

Copilot AI left a comment

Copilot wasn't able to review this pull request because it exceeds the maximum number of files (300). Try reducing the number of changed files and requesting a review from Copilot again.

negz added 2 commits June 16, 2026 22:16

The repository had two schema generation entrypoints with overlapping but
unequal responsibilities. nix run .#generate ran crossplane dependency
update-cache, which regenerates only the dependency half of the schemas
under schemas/python/ (provider and Crossplane CRD models) plus their
schemas/.lock.json entries. The XRD-derived models under
schemas/python/models/ai/ are written instead by crossplane project build
(nix run .#build-crossplane). Running .#generate alone therefore produced
an incomplete tree, and a contributor following CONTRIBUTING.md would
regenerate schemas without the local XRD models.

Both generators are also additive: they overwrite the files they emit but
never remove models or lock entries for XRDs or dependencies that have been
dropped or renamed. Stale schemas and lock entries accumulated across
regenerations. This is how schemas/.lock.json came to carry entries for
provider versions the project no longer referenced.

This change removes the .#generate app and makes .#build-crossplane the
single schema generation entrypoint, since crossplane project build already
regenerates both halves of the tree. The build first deletes
schemas/python/ and schemas/.lock.json wholesale, so the regenerated output
reflects only the current XRDs and dependencies. CONTRIBUTING.md and the dev
shell help are updated to point at .#build-crossplane.

Signed-off-by: Nic Cope <nicc@rk0n.org>

Modelplane's provider dependencies were pulled from the Upbound registry
(xpkg.upbound.io/upbound), and provider-helm and provider-kubernetes used a
>= range rather than an exact version. The ranges let the resolved version
drift, so two checkouts could build against different provider versions.

Pinning to exact versions on the Upbound registry needs care. Per Upbound's
package policies, a downstream main release stays available for 12 months,
but once a minor line has a newer minor, its remaining patch releases are
backports that require a paid subscription. Pinning to a downstream-only
backport such as provider-kubernetes v1.2.6 or provider-aws-efs v2.5.3 would
point anonymous users at an artifact they can't pull.

The versions that exist upstream on crossplane-contrib are retained on the
Upbound registry for 12+ months, so pinning to the latest upstream release
of each provider keeps the artifacts pullable without a subscription while
still getting the signed, SBOM-bearing downstream builds. This pins every
provider to that version: the AWS and GCP family providers (including
provider-aws-efs) to v2.6.0, provider-helm to v1.2.0, and provider-kubernetes
to v1.2.1.

The generated schemas and schemas/.lock.json are regenerated against the
pinned dependencies.

Signed-off-by: Nic Cope <nicc@rk0n.org>
@negz negz changed the title Pin dependencies to the upstream Crossplane registry Pin dependencies to exact versions retained on the Upbound registry Jun 17, 2026
@negz negz changed the title Pin dependencies to exact versions retained on the Upbound registry Pin dependencies to exact versions Jun 17, 2026
@dennis-upbound dennis-upbound self-requested a review June 17, 2026 16:25
@negz negz merged commit d46e347 into main Jun 17, 2026
5 checks passed
@negz negz deleted the pin-it branch June 18, 2026 03:21