LCORE-1326: Updated Konflux references #1272

Merged
tisnik merged 1 commit into lightspeed-core:main from tisnik:lcore-1326-updated-konflux-references
Mar 5, 2026

@tisnik tisnik commented Mar 5, 2026

Description

LCORE-1326: Updated Konflux references

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement
  • Benchmarks improvement

Tools used to create PR

  • Assisted-by: N/A
  • Generated by: N/A

Related Tickets & Documents

  • Related Issue #LCORE-1326

Summary by CodeRabbit

  • Chores
    • Updated many dependency versions, added several new runtime packages, removed a few obsolete entries (including one networking library), and expanded verification hashes across the dependency set to strengthen supply-chain integrity and streamline prefetch/package lists.

coderabbitai bot commented Mar 5, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Updated dependency lock files and CI prefetch configs: numerous dependency versions and their hashes were updated or added in requirements.hashes.source.txt; requirements.hashes.wheel.txt removed starlette==0.50.0 and yarl==1.22.0; Tekton prefetch YAMLs removed yarl from binary package lists. No code or API signatures changed.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Source lock updates: requirements.hashes.source.txt | Bulk dependency version/hash updates: fastapi, sentence-transformers, sse-starlette, trl, uvicorn, wcwidth, urllib3 etc. New full-hash blocks added for starlette, tenacity, websockets, yarl and many transitive deps; several older package blocks replaced with newer versions. |
| Wheel lock removals: requirements.hashes.wheel.txt | Removed starlette==0.50.0 and yarl==1.22.0 entries and their hashes; other entries unchanged. |
| CI prefetch configs: .tekton/lightspeed-stack-pull-request.yaml, .tekton/lightspeed-stack-push.yaml | Removed yarl from the binary/packages prefetch lists (shortened package string); no other prefetch packages changed. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ⚠️ Warning | The PR title references 'Updated Konflux references' but the actual changes are primarily dependency version updates in requirements files and removal of yarl from Tekton configurations, with no substantive Konflux reference updates visible in the changeset. | Update the PR title to accurately reflect the main changes, such as 'Dependency updates and Tekton configuration adjustments' or provide clearer explanation of which Konflux references were updated. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
requirements-build.txt (1)

57-63: ⚠️ Potential issue | 🟠 Major

Resolve conflicting duplicate pins in requirements-build.txt.

This file contains unsatisfiable dependency constraints:

  • hatchling: pinned to both 1.26.3 (line 57) and 1.29.0 (line 62)
  • setuptools: pinned to both 81.0.0 (line 215) and 82.0.0 (line 217)

The file is consumed as requirements_build_files in Tekton workflows, so these conflicts will break dependency resolution during prefetch.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@requirements-build.txt` around lines 57 - 63, requirements-build.txt contains
duplicate conflicting pins for the same packages (hatchling and setuptools);
choose and keep a single version for each package across the file (e.g.,
consolidate hatchling to one pin—prefer the higher compatible version 1.29.0—and
consolidate setuptools to a single pin such as 82.0.0), remove the duplicate
entries so only one line pins hatchling and one line pins setuptools, update any
accompanying comments/markers that referenced the removed pins, and re-run your
dependency lock/prefetch step (or regenerate the requirements file) to ensure
the Tekton `requirements_build_files` consumer sees a consistent,
non-conflicting set of pins.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1bd8afec-ef84-4860-be12-be8a87775bfd

📥 Commits

Reviewing files that changed from the base of the PR and between ca6097a and 9683662.

📒 Files selected for processing (5)
  • .tekton/lightspeed-stack-pull-request.yaml
  • .tekton/lightspeed-stack-push.yaml
  • requirements-build.txt
  • requirements.hashes.source.txt
  • requirements.hashes.wheel.txt
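
A check for the duplicate-pin problem flagged in the review above, as an added example that is not part of the PR or of CodeRabbit's output. The sample file is constructed: the hatchling and setuptools versions are the ones named in the comment, while `example-pkg` and the hash values are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of a hashed requirements file.
# Hash values are placeholders; example-pkg is a hypothetical package.
SAMPLE = """\
hatchling==1.26.3 \\
    --hash=sha256:<placeholder-a>
    # via -r requirements.source.txt
Hatchling==1.29.0 \\
    --hash=sha256:<placeholder-b>
setuptools==81.0.0
setuptools==82.0.0
example-pkg==1.0.0
example_pkg==1.0.0
"""

# name, optional [extras], then an exact pin; stops at whitespace, ';' or '\'
PIN = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;\\]+)"
)


def normalize(name):
    """PEP 503 normalization: lower-case, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def conflicting_pins(text):
    """Return {package: [(line_no, version), ...]} for packages pinned to
    more than one distinct version. Repeating the same pin is not a conflict."""
    seen = defaultdict(list)
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = PIN.match(line)  # indented --hash lines and comments do not match
        if m:
            seen[normalize(m.group(1))].append((line_no, m.group(2)))
    return {
        name: pins
        for name, pins in seen.items()
        if len({version for _, version in pins}) > 1
    }


if __name__ == "__main__":
    for name, pins in sorted(conflicting_pins(SAMPLE).items()):
        print(name, "->", ", ".join(f"{v} (line {n})" for n, v in pins))
```

Run against each file listed in `requirements_build_files` before prefetch, a non-empty result is a reason to fail the job.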

@tisnik tisnik marked this pull request as draft March 5, 2026 09:06

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pyproject.toml`:
- Line 25: The project runtime deps are incomplete: add the missing packages
fastapi, starlette, llama_stack_client, and uvicorn to pyproject.toml
dependencies (in addition to the existing cffi==2.0.0) so imports in
src/app/main.py and src/runners/uvicorn.py resolve at runtime, then regenerate
or update the lock (uv.lock) to include these packages; ensure versions are
compatible with your code (or use caret/latest pinned versions) and run the
lock/update command your toolchain uses to produce an updated uv.lock.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a35fa8d0-5223-4b10-9637-368e77cb8172

📥 Commits

Reviewing files that changed from the base of the PR and between 9683662 and 3c762b0.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (7)
  • .tekton/lightspeed-stack-pull-request.yaml
  • .tekton/lightspeed-stack-push.yaml
  • pyproject.toml
  • requirements-build.txt
  • requirements.hashes.source.txt
  • requirements.hashes.wheel.txt
  • requirements.overrides.txt
💤 Files with no reviewable changes (3)
  • requirements.hashes.wheel.txt
  • requirements.overrides.txt
  • requirements.hashes.source.txt
🚧 Files skipped from review as they are similar to previous changes (1)
  • .tekton/lightspeed-stack-pull-request.yaml

pyproject.toml Outdated
"pyasn1>=0.6.2",
# Used for system prompt template variable rendering
"jinja2>=3.1.0",
"cffi==2.0.0",

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

python - <<'PY'
import pathlib, re, tomllib

pyproject = tomllib.loads(pathlib.Path("pyproject.toml").read_text())
declared = {
    re.split(r'[<>=!~\[]', dep, 1)[0].strip().lower().replace("_", "-")
    for dep in pyproject.get("project", {}).get("dependencies", [])
}

lock_text = pathlib.Path("uv.lock").read_text() if pathlib.Path("uv.lock").exists() else ""
locked = set(re.findall(r'(?m)^name = "([^"]+)"', lock_text))

checks = {
    "fastapi": "fastapi",
    "starlette": "starlette",
    "llama_stack_client": "llama-stack-client",
    "uvicorn": "uvicorn",
}
files = ["src/app/main.py", "src/runners/uvicorn.py"]

missing = []
for f in files:
    p = pathlib.Path(f)
    if not p.exists():
        continue
    txt = p.read_text()
    for module, pkg in checks.items():
        if re.search(rf'(?m)^(from|import)\s+{re.escape(module)}\b', txt):
            if pkg not in declared and pkg not in locked:
                missing.append((f, module, pkg))

print("Declared deps:", sorted(declared))
print("Locked packages:", sorted(locked))

if missing:
    print("\nMissing runtime packages (not declared and not locked):")
    for f, module, pkg in missing:
        print(f"- {f}: imports '{module}' but '{pkg}' is absent")
    raise SystemExit(1)

print("\nOK: runtime imports are covered by declared dependencies or uv.lock.")
PY

Repository: lightspeed-core/lightspeed-stack

Length of output: 492


Restore runtime dependencies required by application entrypoints.

Line 25 declares only cffi, but runtime code imports fastapi, starlette, llama_stack_client, and uvicorn (src/app/main.py, src/runners/uvicorn.py). These packages are absent from both pyproject.toml dependencies and uv.lock, causing import/startup failures outside hermetic prefetch flows.

Proposed direction
 dependencies = [
     "cffi==2.0.0",
+    # restore direct runtime deps used by entrypoints
+    "fastapi",
+    "starlette",
+    "uvicorn",
+    "llama-stack-client",
 ]
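Review bot: The opening `dependencies = [` is shown immediately before `"cffi==2.0.0",`, but the diff context for this comment has `"pyasn1>=0.6.2",` and `"jinja2>=3.1.0",` directly above that line, so cffi is not the first entry of the list and the suggestion should be anchored on the real surrounding lines. The four added entries also carry no version specifier, unlike every neighbouring entry; give each a lower bound or an exact pin so the resolver cannot select an arbitrary release when the lock is regenerated.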
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
"cffi==2.0.0",
dependencies = [
"cffi==2.0.0",
# restore direct runtime deps used by entrypoints
"fastapi",
"starlette",
"uvicorn",
"llama-stack-client",
]

@tisnik tisnik force-pushed the lcore-1326-updated-konflux-references branch 4 times, most recently from 869ed1d to 0a99fc5 Compare March 5, 2026 10:22

tisnik commented Mar 5, 2026

/retest

@tisnik tisnik force-pushed the lcore-1326-updated-konflux-references branch 3 times, most recently from 7d59816 to 09bba2a Compare March 5, 2026 15:43

tisnik commented Mar 5, 2026

/retest

@tisnik tisnik marked this pull request as ready for review March 5, 2026 15:44
@tisnik tisnik force-pushed the lcore-1326-updated-konflux-references branch 4 times, most recently from ac74ab0 to b264db4 Compare March 5, 2026 16:45

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@requirements.hashes.source.txt`:
- Around line 805-810: The requirements pin violates FastAPI's Starlette upper
bound: replace the conflicting starlette==0.52.1 (or update the FastAPI pin) so
fastapi==0.128.1's requirement starlette<0.51.0 is satisfied; specifically
either downgrade starlette to a 0.50.x (e.g., starlette==0.50.*) or upgrade
fastapi (the fastapi package pin) to a version that declares compatibility with
starlette 0.52.x, then run dependency resolution/lock regeneration to ensure all
hashes and transitive deps (starlette, fastapi, sse-starlette, uvicorn,
websockets) are consistent.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ffe5078a-d330-4f71-9c55-81482ae92e9c

📥 Commits

Reviewing files that changed from the base of the PR and between ac74ab0 and b264db4.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • requirements.hashes.source.txt
  • requirements.hashes.wheel.txt
💤 Files with no reviewable changes (1)
  • requirements.hashes.wheel.txt
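
The pin-versus-bound conflict described in the review above, as an added example that is not part of the PR or of CodeRabbit's output. The two pins and the `starlette<0.51.0` bound are the ones quoted in the comment; the comparison is a simplified subset of PEP 440 (numeric release segments and a single operator only), and the `REQUIRES` literal stands in for metadata a real check would read from each package.

```python
import re

# Constructed input using the values quoted in the review comment.
PINS = {"fastapi": "0.128.1", "starlette": "0.52.1"}
REQUIRES = {"fastapi": ["starlette<0.51.0"]}

SPEC = re.compile(
    r"^([A-Za-z0-9._-]+)\s*(<=|>=|==|!=|<|>)\s*([0-9]+(?:\.[0-9]+)*)$"
)
OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def release(version, width=4):
    """Numeric release segments, zero-padded: '0.51' -> (0, 51, 0, 0)."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def violated_bounds(pins, requires):
    """Return (dependent, requirement, pinned_version) for every declared
    requirement that the pinned version of its target does not satisfy."""
    problems = []
    for dependent, specs in requires.items():
        for spec in specs:
            m = SPEC.match(spec)
            if not m:
                # Pre-releases, wildcards, '~=' and comma-joined clauses
                # are outside this simplified subset.
                raise ValueError(f"unsupported specifier: {spec!r}")
            target, op, bound = m.groups()
            pinned = pins.get(target.lower())
            if pinned is not None and not OPS[op](release(pinned), release(bound)):
                problems.append((dependent, spec, pinned))
    return problems


if __name__ == "__main__":
    for dependent, spec, pinned in violated_bounds(PINS, REQUIRES):
        print(f"{dependent} requires {spec}, but the lock pins {pinned}")
```

In an installed environment, `pip check` reports the same class of conflict from the real package metadata.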

@tisnik tisnik force-pushed the lcore-1326-updated-konflux-references branch 4 times, most recently from fe926ec to 773f6f2 Compare March 5, 2026 18:02
@tisnik tisnik force-pushed the lcore-1326-updated-konflux-references branch from 773f6f2 to 8c6c670 Compare March 5, 2026 18:59
@tisnik tisnik merged commit 410bb5f into lightspeed-core:main Mar 5, 2026
22 checks passed