fix: install lightspeed_rag_content module itself in hermetic built image#85
Conversation
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
WalkthroughAdds a new PyPI wheel-hash file and moves several packages between wheel/source sets; updates Tekton prefetch inputs, Containerfile build steps, wheel/source hash files, requirements and override files, and the konflux requirements script. Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Note Currently processing new changes in this PR. This may take a few minutes, please wait... ✏️ Tip: You can disable in-progress messages and the fortune message in your review settings. Tip Flake8 can be used to improve the quality of Python code reviews.Flake8 is a Python linter that wraps PyFlakes, pycodestyle and Ned Batchelder's McCabe script. To configure Flake8, add a '.flake8' or 'setup.cfg' file to your project root. See Flake8 Documentation for more details. ✨ Finishing touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
2 similar comments
|
Note Currently processing new changes in this PR. This may take a few minutes, please wait... ✏️ Tip: You can disable in-progress messages and the fortune message in your review settings. Tip Flake8 can be used to improve the quality of Python code reviews.Flake8 is a Python linter that wraps PyFlakes, pycodestyle and Ned Batchelder's McCabe script. To configure Flake8, add a '.flake8' or 'setup.cfg' file to your project root. See Flake8 Documentation for more details. ✨ Finishing touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Note Currently processing new changes in this PR. This may take a few minutes, please wait... ✏️ Tip: You can disable in-progress messages and the fortune message in your review settings. Tip Flake8 can be used to improve the quality of Python code reviews.Flake8 is a Python linter that wraps PyFlakes, pycodestyle and Ned Batchelder's McCabe script. To configure Flake8, add a '.flake8' or 'setup.cfg' file to your project root. See Flake8 Documentation for more details. ✨ Finishing touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
📝 WalkthroughWalkthroughAdds an editable pip install step ( Changes
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Caution Review failedFailed to post review comments 📝 WalkthroughWalkthroughAdds an editable pip install step ( Changes
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@Containerfile`:
- Line 42: Replace the editable install flag in the pip install command: change
"pip install --no-cache-dir --no-deps -e ." to a normal install and make it
hermetic by including the same flags used earlier; e.g. "pip install
--no-cache-dir --no-deps --no-index --find-links ${PIP_FIND_LINKS} ." and also
add "--no-build-isolation" if you must prevent build backends from attempting
network fetches; update the pip install line accordingly (the line containing
"pip install --no-cache-dir --no-deps -e .").
|
/retest |
raptorsun
force-pushed
the
hermetic-fix
branch
2 times, most recently
from
54f2639 to
c65e824
Compare
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
requirements-build.txt (1)
122-148:⚠️ Potential issue | 🟡 MinorVerify pkg_resources compatibility with setuptools 82.0.0
setuptools 82.0.0 (released Feb 8, 2026) removes
pkg_resources—a breaking change. Projects or dependencies still relying onpkg_resourceswill fail. Confirm that the codebase and all dependencies (especially sentence-transformers, sqlalchemy, and other listed packages) do not depend onpkg_resources.
🧹 Nitpick comments (1)
requirements.hashes.source.txt (1)
5-6: Consider updating antlr4-python3-runtime to a more recent version if compatibility allows.The pinned version 4.9.3 (Nov 2021) is approximately 2.75 years old, with multiple releases available, including 4.13.2 (Aug 2024). No known security vulnerabilities have been identified for 4.9.3. If this specific version is not required for compatibility, updating to a more recent release could provide access to bug fixes and improvements.
raptorsun
force-pushed
the
hermetic-fix
branch
3 times, most recently
from
982668f to
1d5a610
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@requirements.hashes.wheel.pypi.txt`:
- Around line 5-10: Remove the invalid PyPI entries "griffecli==2.0.0" and
"griffelib==2.0.0" from requirements.hashes.wheel.pypi.txt (or replace them with
the correct package names if there was a typo); keep the legitimate
"griffe==2.0.0" entry and ensure the file only contains verifiable PyPI packages
with correct --hash values so installations won't fail or pull unintended
packages.
🧹 Nitpick comments (1)
requirements.hashes.source.txt (1)
5-6: antlr4-python3-runtime pinned to old version 4.9.3.This is a 2021-era release. This is likely pinned due to omegaconf's dependency constraint, but worth noting for future security reviews.
| griffe==2.0.0 \ | ||
| --hash=sha256:5418081135a391c3e6e757a7f3f156f1a1a746cc7b4023868ff7d5e2f9a980aa | ||
| griffecli==2.0.0 \ | ||
| --hash=sha256:9f7cd9ee9b21d55e91689358978d2385ae65c22f307a63fb3269acf3f21e643d | ||
| griffelib==2.0.0 \ | ||
| --hash=sha256:01284878c966508b6d6f1dbff9b6fa607bc062d8261c5c7253cb285b06422a7f |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Search for references to griffe packages in the repository
rg -n 'griffe|griffecli|griffelib' --glob '*.txt' --glob '*.toml' --glob '*.cfg' --glob '*.py' -iRepository: lightspeed-core/rag-content
Length of output: 235
🌐 Web query:
griffe package PyPI Python documentation
💡 Result:
Griffe is a Python package for extracting (“signatures for”) the structure and docstrings of Python codebases—commonly used to generate API documentation (e.g., via mkdocstrings) and to detect API breaking changes. (pypi.org)
- PyPI page (install + quick usage):
pip install griffeand basic CLI/Python examples (e.g.,griffe dump ...,griffe check ...,griffe.load(...)). (pypi.org) - Official documentation (user guide + API reference): hosted at the Griffe docs site. (mkdocstrings.github.io)
- Related docs tooling: mkdocstrings’ Python handler uses Griffe to collect API data for MkDocs-based documentation sites. (mkdocstrings.github.io)
Citations:
- 1: https://pypi.org/pypi/griffe?utm_source=openai
- 2: https://pypi.org/pypi/griffe?utm_source=openai
- 3: https://mkdocstrings.github.io/griffe/?utm_source=openai
- 4: https://mkdocstrings.github.io/python/?utm_source=openai
🌐 Web query:
griffecli griffelib PyPI packages
💡 Result:
griffecli(PyPI): I can’t find any PyPI project currently published under the namegriffecli(no matching project page shows up in PyPI search results).griffelib(PyPI): I can’t find any PyPI project currently published under the namegriffelib(no matching project page shows up in PyPI search results).- What to use instead: The actively published package is
griffe, which provides both the library and thegriffecommand-line tool. Install withpip install griffe. [1]
Sources:
[1] (pypi.org)
Citations:
Remove griffecli and griffelib from requirements.hashes.wheel.pypi.txt—these packages do not exist on PyPI.
griffe==2.0.0 is a legitimate package for extracting Python code structure and docstrings (used in documentation tooling). However, griffecli and griffelib have no corresponding PyPI projects. These may be typos, removed packages, or placeholder entries that will cause installation to fail or potentially install malicious packages if they exist under those names. Verify the intended package names and either correct them or remove them from the file.
🤖 Prompt for AI Agents
In `@requirements.hashes.wheel.pypi.txt` around lines 5 - 10, Remove the invalid
PyPI entries "griffecli==2.0.0" and "griffelib==2.0.0" from
requirements.hashes.wheel.pypi.txt (or replace them with the correct package
names if there was a typo); keep the legitimate "griffe==2.0.0" entry and ensure
the file only contains verifiable PyPI packages with correct --hash values so
installations won't fail or pull unintended packages.
1d5a610 to
4a92b53
Compare
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Fix all issues with AI agents
In `@requirements-build.txt`:
- Line 118: The pin to setuptools==82.0.0 may break the build due to removal of
pkg_resources; search the codebase and dependency manifests for usages of
"pkg_resources" (and imports in modules/scripts), and if any are found update
those callers to use importlib.resources or importlib.metadata (or adapt import
paths) or update dependency versions that still require pkg_resources; if
migration is not possible before merge, modify requirements-build.txt to pin
setuptools to a pre-82 release (e.g., setuptools<82) and add a short TODO
comment explaining the temporary pin and that pkg_resources usages must be
migrated.
In `@requirements.hashes.wheel.txt`:
- Around line 104-108: The lxml dependency was bumped to 6.0.2 which has
breaking changes; search the repo for direct uses of lxml APIs and features
(e.g., any imports of MemDebug.dump or MemDebug.show, Schematron-related code,
reliance on automatic gzip/lzma decompression or HTTP/FTP URL parsing) and
update or remove those usages, ensure CI/tests run under Python >=3.8, and if
your code depends on automatic decompression or HTTP/FTP parsing enable the
corresponding libxml2 options or replace with explicit decompression/HTTP client
logic; after changes run the full test suite and fix any failures in modules
referencing lxml-specific features (look for references in code, tests, and
scripts).
🧹 Nitpick comments (1)
Containerfile (1)
41-42: Core fix: local package installation added to hermetic build — this addresses the PR objective.Line 42 (
pip install --no-cache-dir --no-deps .) is the key change that installs thelightspeed_rag_contentmodule into the image, fixing the reported issue (LCORE-791). The split into twopip installcommands (one for requirements, one for the local package) is clean.One minor note: Line 42 omits
--no-index --find-links ${PIP_FIND_LINKS}unlike Line 41. Since--no-depsprevents runtime dependency resolution this is likely fine, but if the build backend needs to fetch build requirements, it could attempt network access (which would fail in hermetic mode). Consider adding--no-build-isolationto be safe, as build deps should already be present.Suggested hardening
- pip install --no-cache-dir --no-deps . && \ + pip install --no-cache-dir --no-deps --no-build-isolation . && \
|
|
||
| # The following packages are considered to be unsafe in a requirements file: | ||
| setuptools==80.10.2 | ||
| setuptools==82.0.0 |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
setuptools 82.0.0 PyPI release
💡 Result:
Setuptools 82.0.0 was released on February 8, 2026 on PyPI, and requires Python ≥ 3.9. [1]
Key change in v82.0.0: pkg_resources was removed from Setuptools (with guidance to use importlib.resources / importlib.metadata, or pin an older setuptools if you still depend on pkg_resources). [2]
Files on PyPI include setuptools-82.0.0.tar.gz and setuptools-82.0.0-py3-none-any.whl. [1]
Sources: [1] [2]
Setuptools 82.0.0 includes a breaking change — verify pkg_resources dependency.
setuptools 82.0.0 was released on February 8, 2026 and is available on PyPI (requires Python ≥ 3.9). However, a critical change in this release is the removal of pkg_resources. Before merging, verify that neither the codebase nor its dependencies rely on pkg_resources. If they do, either migrate to importlib.resources / importlib.metadata or pin setuptools to an older version.
🤖 Prompt for AI Agents
In `@requirements-build.txt` at line 118, The pin to setuptools==82.0.0 may break
the build due to removal of pkg_resources; search the codebase and dependency
manifests for usages of "pkg_resources" (and imports in modules/scripts), and if
any are found update those callers to use importlib.resources or
importlib.metadata (or adapt import paths) or update dependency versions that
still require pkg_resources; if migration is not possible before merge, modify
requirements-build.txt to pin setuptools to a pre-82 release (e.g.,
setuptools<82) and add a short TODO comment explaining the temporary pin and
that pkg_resources usages must be migrated.
| lxml==6.0.2 \ | ||
| --hash=sha256:24b30860c922d98d63395514957a9a13a171c59aed72a4de97190e39eb1e7d6e \ | ||
| --hash=sha256:4c6c1194bbdaba3a57b0cc34f0e665d5be4d2ebe9e263ec64c0034b746b9f112 \ | ||
| --hash=sha256:5e8b6f0c4a8b09347d43f17f3cd9ee626fa345850f732be1811368fe5b4f6ae4 \ | ||
| --hash=sha256:6965df12e52a5d9e6917ca097607cd00309cb583cb91531ea12bb3142f602ea1 |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
lxml 6.0 breaking changes migration guide
💡 Result:
Key lxml 6.0.0 (released 2025-06-26) changes that can break/affect upgrades, plus what to do. [1]
1) Python version floor raised
- Breaking: support for Python < 3.8 removed. [1]
- Migrate: upgrade runtimes/CI to Python 3.8+ (and adjust
python_requires, tox envs, docker images, etc.).
2) Automatic decompression is becoming opt-in (libxml2 ≥ 2.15)
- Behavior change / potential break: new parser option
decompress=Falsecontrols automatic input decompression; code that relied on auto-decompression will need to enable it (once running against libxml2 2.15+). [1] - Migrate: if you parse compressed inputs and expect transparent decompression, set
decompress=Trueexplicitly in the parser you use (where applicable). Otherwise, decompress in Python before parsing.
3) zlib/lzma “parse compressed bytes directly” is now optional
- Behavior change / portability: direct parsing of zlib (or lzma) compressed data is now considered optional and may disappear in future releases; don’t assume it’s always available. [1]
- Migrate: stop depending on this feature; decompress yourself; or gate it with:
"zlib" in etree.LIBXML_FEATURES(same idea for"lzma"). [1]
4) Schematron is deprecated (future removal)
- Future-breaking:
lxml.etree.Schematronis deprecated and will become non-functional in a future lxml version as libxml2 removes it. [1] - Migrate: plan to move Schematron validation to an alternative implementation/toolchain (don’t start new dependencies on
Schematron).
5) URL parsing via libxml2 HTTP/FTP may stop working in wheels
- Behavior change: binary wheels ship libxml2 builds where direct HTTP/FTP parsing from URLs is disabled; test with
"http" in etree.LIBXML_FEATURES. [1] - Migrate: fetch content with Python HTTP clients (urllib/requests), then parse from bytes/streams.
6) Removed APIs
- Breaking:
MemDebug.dump()andMemDebug.show()were removed. [1] - Migrate: remove calls or replace with other profiling/debug approaches (these were tied to libxml2 functionality that was dropped).
If you share what you’re upgrading from (e.g., 4.9 → 6.0 or 5.x → 6.0) and which parts you use (Schematron, URL parsing, compressed inputs), I can turn this into a targeted checklist.
Sources: lxml 6.0.0 changelog / release notes. [1]
lxml major version bump from 5.4.0 to 6.0.2 introduces breaking changes.
Verify downstream code compatibility. Notable changes include: Python < 3.8 no longer supported, automatic decompression becoming opt-in (with libxml2 ≥ 2.15), direct zlib/lzma parsing now optional, Schematron deprecated, HTTP/FTP URL parsing disabled in wheels, and removal of MemDebug.dump()/MemDebug.show(). Ensure code doesn't rely on any of these features or update accordingly.
🤖 Prompt for AI Agents
In `@requirements.hashes.wheel.txt` around lines 104 - 108, The lxml dependency
was bumped to 6.0.2 which has breaking changes; search the repo for direct uses
of lxml APIs and features (e.g., any imports of MemDebug.dump or MemDebug.show,
Schematron-related code, reliance on automatic gzip/lzma decompression or
HTTP/FTP URL parsing) and update or remove those usages, ensure CI/tests run
under Python >=3.8, and if your code depends on automatic decompression or
HTTP/FTP parsing enable the corresponding libxml2 options or replace with
explicit decompression/HTTP client logic; after changes run the full test suite
and fix any failures in modules referencing lxml-specific features (look for
references in code, tests, and scripts).
4a92b53 to
26fb02e
Compare
…mage + update konflux requirements. Signed-off-by: Haoyu Sun <[email protected]>
raptorsun
force-pushed
the
hermetic-fix
branch
from
26fb02e to
13d2d5c
Compare
2 participants
Description
This fixes the issue that python module lightspeed_rag_content is missing in the konflux image.
update requirement files for the docling upgrade by raptorsun@7f688b0#diff-50c86b7ed8ac2cf95bd48334961bf0530cdc77b5a56f852c5c61b89d735fd711R55-R56
Type of change
Tools used to create PR
Identify any AI code assistants used in this PR (for transparency and review context)
Related Tickets & Documents
Checklist before requesting a review
Testing
Summary by CodeRabbit