8Knot automatically tests dependency updates every night at 2 AM UTC to ensure the application remains compatible with the latest package versions and secure from known vulnerabilities.
- Removes version pins from
requirements.txtto get latest versions - Uses
uvfor fast dependency resolution and installation - Creates backup of original requirements for rollback
- Runs
safetytool to scan for known CVEs in dependencies - Generates security reports in JSON format
- Flags vulnerable packages for immediate attention
- Builds Docker Compose stack with updated dependencies
- Tests all critical endpoints to ensure functionality
- Monitors application logs for errors or exceptions
- Verifies database connectivity through health check endpoint
- Checks dependency compatibility using
uv pip check - Identifies version conflicts between packages
- Reports resolution issues for manual review
- Creates GitHub issues automatically when tests fail
- Includes detailed error information and workflow links
- Attaches debugging artifacts (security reports, package lists)
- Prevents duplicate issues (maximum one per day)
The nightly test verifies these critical application pages:
/- Welcome page/contributions- Contribution metrics/contributors/contribution_types- Contributor type analysis/contributors/behavior- Contributor behavior patterns/chaoss- CHAOSS metrics/codebase- Codebase analysis/affiliation- Organization affiliation data/info- Information and definitions/repo_overview- Repository overview/health- Health check endpoint
The application includes a health check endpoint at /health that:
- Tests database connectivity to ensure Augur database is accessible
- Returns JSON status with timestamp and connection status
- Used by nightly CI to verify application readiness
Example response:
{
"status": "healthy",
"database": "connected",
"timestamp": "2024-01-15 10:30:00"
}If the nightly test fails, GitHub automatically creates an issue with:
- Error details and links to failed workflow runs
- Security scan results if vulnerabilities are found
- Downloadable artifacts for debugging:
safety_report.json- Security vulnerability reportrequirements_latest_pinned.txt- Latest package versions testedinstalled_packages.txt- Full list of installed packagesrequirements.txt.backup- Original requirements backup
- Security vulnerabilities - New CVEs discovered in dependencies
- Breaking changes - Latest package versions break existing functionality
- Dependency conflicts - Packages can't resolve compatible versions
- Application errors - Code incompatible with new package APIs
To test dependency updates locally before they're automatically tested:
# 1. Backup your requirements
cp requirements.txt requirements.txt.backup
# 2. Remove version pins to get latest versions
sed 's/==.*$//' requirements.txt > requirements_latest.txt
mv requirements_latest.txt requirements.txt
# 3. Install uv for fast dependency management
curl -LsSf https://astral.sh/uv/install.sh | sh
source $HOME/.cargo/env
# 4. Build and test with updated dependencies
docker compose up --build -d
# 5. Wait for services to be ready
timeout 300 bash -c 'until curl -f http://localhost:8080/health; do sleep 5; done'
# 6. Test critical endpoints
curl http://localhost:8080/
curl http://localhost:8080/contributions
curl http://localhost:8080/health
# 7. Run security scan
uv pip install --system safety
safety check
# 8. Check for dependency conflicts
uv pip check --system
# 9. Restore original requirements when done
mv requirements.txt.backup requirements.txt# Same steps as Docker, but replace 'docker compose' with 'podman compose'
podman compose up --build -d
podman compose logs app-server- All dependencies updated successfully
- No security vulnerabilities found
- All endpoints responding correctly
- No dependency conflicts detected
- Security vulnerabilities discovered
- Breaking changes in new package versions
- Dependency resolution conflicts
- Application errors with updated packages
- Check the GitHub issue created automatically
- Download artifacts from the failed workflow
- Review security report for vulnerable packages
- Test locally using the steps above
- Pin problematic packages in requirements.txt if needed
- Daily scans of all Python dependencies
- JSON reports saved as artifacts
- Immediate alerts via GitHub issues
- CVE database integration through
safetytool
- Review security issues promptly when created
- Update vulnerable packages as soon as patches available
- Pin versions temporarily if updates break functionality
- Monitor security advisories for critical dependencies
- Early Detection - Find dependency issues before they affect users
- Security Monitoring - Automated vulnerability scanning
- Compatibility Testing - Ensure new versions don't break functionality
- Zero Maintenance - Fully automated with issue creation
- Artifact Preservation - Debug information saved for analysis
- Runtime: Every night at 2:00 AM UTC
- Duration: ~30 minutes maximum
- Timeout: Automatic failure if tests take longer
- Manual Trigger: Available via GitHub Actions interface
The nightly dependency testing ensures 8Knot stays secure and compatible with the evolving Python ecosystem while requiring minimal manual intervention.