Skip to content

Fail constraints generation when a released provider is downgraded#69870

Open
potiuk wants to merge 2 commits into
mainfrom
flag-provider-downgrade-in-constraints
Open

Fail constraints generation when a released provider is downgraded#69870
potiuk wants to merge 2 commits into
mainfrom
flag-provider-downgrade-in-constraints

Conversation

@potiuk

@potiuk potiuk commented Jul 14, 2026

Copy link
Copy Markdown
Member

Regular constraints (PyPI-providers) generation now fails, instead of silently publishing, when a released apache-airflow-providers-* package would be downgraded below the version already in the published constraints. Released providers only ever move forward on PyPI, so a downgrade means highest-resolution dragged an old provider back in because a broken dependency constrained it — the exact failure mode behind the recent databricks-sql-connector / thrift issue.

The check compares each released provider against the latest published constraints and exits non-zero on any downgrade, so it surfaces in CI. On canary/push builds (where there is no PR author watching) it also posts an alert to the #internal-airflow-ci-cd Slack channel via the existing slackapi/slack-github-action, so maintainers are notified immediately. The in-container step only writes the Slack payload; the workflow layer holds the token and sends it (skipped on fork PRs where no secret is available).


Was generative AI tooling used to co-author this PR?
  • Yes — Claude Code (Opus 4.8)

Generated-by: Claude Code (Opus 4.8) following the guidelines

Released provider versions only ever move forward on PyPI, so a lower
provider version in freshly generated PyPI constraints than in the
already-published constraints is never intentional. It means the highest
resolution dragged an old provider back in because a broken dependency
version constrained it. Left unnoticed, such a downgrade would be
committed to the constraints branch and shipped to users.

The regular `constraints` generation now compares each released provider
against the latest published constraints and stops with an error when any
would be downgraded, so the problem surfaces in CI instead of being
published. When it happens on the canary/push builds it also posts an
alert to the CI Slack channel, since there is no PR author watching those
runs, so maintainers learn about it immediately.
The script read the gitignored, generated generated/provider_dependencies.json
at import time. That file is not generated in the "Scripts tests" CI job, so
importing the module (which the new tests do at collection) failed with
FileNotFoundError and broke test collection. Only get_all_active_provider_distributions
needs the data, so load it there instead of at module import, keeping the module
importable without the generated artifact.

@eladkal eladkal left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is great!
I do still think we need a validation step in the RM guide. I mean, RM can easily not see the open slack note and proceed with cutting release rather than check for resolution. cc @vatsrahul1001 WDYT?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants