fix(agents): correctly parse and validate min sdk version #658

Open: wants to merge 2 commits into base: main

@rektdeckard (Member) commented Aug 21, 2025

Improve minimum SDK version check by supporting semver operators better and treating lockfile version and package file versions separately.

@bcherry (Contributor) left a comment

Something we didn't discuss is what about git installs? We will see people with critical bugs in production who need to hotfix them ASAP and want to ship from git while the PR is merged and a new release is made. Whether from their own fork or from a branch on the main repo.

What will our checker do?

@rektdeckard rektdeckard force-pushed the tobias/fix-min-sdk-check branch from b3f9860 to c75dcc7 Compare August 21, 2025 04:31
@rektdeckard rektdeckard force-pushed the tobias/fix-min-sdk-check branch from c75dcc7 to 0797e2e Compare August 21, 2025 04:33
@rektdeckard (Member Author)

@bcherry that's a great point, and not an easy one to deal with. We would have to clone the repo at the specified hash and then do project detection in the repo, which is a bigger can of worms, since they could use any build tools. Should we quietly allow this?

@rektdeckard (Member Author)

There's also the issue that the Dockerfile can literally do anything it wants after we check. It could install different package versions than specified in the lockfile or package file. I think we need a runtime solution.

@davidzhao (Member)

> Something we didn't discuss is what about git installs? We will see people with critical bugs in production who need to hotfix them ASAP and want to ship from git while the PR is merged and a new release is made. Whether from their own fork or from a branch on the main repo.
>
> What will our checker do?

I added handling for git (as I had to test it directly from git before). It attributes it as latest after my PR.

@rektdeckard (Member Author) commented Aug 21, 2025

That works for the base case, but you can totally specify a commit hash, branch, tag, etc. too. I might revert some of this and turn this into warnings, and we go ahead with implementing runtime check.
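The distinction discussed in this thread (an exact lockfile version, a package-file range with semver operators, and a git reference that cannot be checked statically), as an added example that is not code from this PR or project. `MIN_SDK`, the function names, the `ok`/`warn`/`fail` results and the sample specifiers are all hypothetical.

```python
import re

MIN_SDK = (1, 2, 0)  # hypothetical minimum version, not taken from the PR
GIT_REF = re.compile(r"git\+|git://|github:|https?://")
CLAUSE = re.compile(r"(>=|<=|==|~=|!=|>|<|=|\^|~)?v?(\d+(?:\.\d+){0,2})")

def parse_version(text):
    """Return (major, minor, patch) for a plain X[.Y[.Z]] string, else None."""
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    return tuple(int(p or 0) for p in m.groups()) if m else None

def check_lockfile(pinned):
    """A lockfile entry is one resolved version, so compare it directly."""
    if GIT_REF.search(pinned):
        return "warn"  # resolved from git: no release number to compare
    v = parse_version(pinned)
    if v is None:
        return "warn"  # pre-release or unknown format: do not guess
    return "ok" if v >= MIN_SDK else "fail"

def check_package_spec(spec):
    """A package-file entry is a range, so reason about its bounds."""
    if GIT_REF.search(spec):
        return "warn"  # branch, tag or commit: version unknown without cloning
    spec = re.sub(r"([<>=~^!])\s+", r"\1", spec.strip())  # ">= 1.2" -> ">=1.2"
    lower = None
    for token in filter(None, re.split(r"[,\s]+", spec)):
        m = CLAUSE.fullmatch(token)
        if not m:
            return "warn"  # "*", "latest", pre-releases: resolved at install time
        op, v = m.group(1) or "==", parse_version(m.group(2))
        if op in ("==", "="):
            return "ok" if v >= MIN_SDK else "fail"  # exact pin
        if op == "<" and v <= MIN_SDK or op == "<=" and v < MIN_SDK:
            return "fail"  # the range can never reach the minimum
        if op in (">=", ">", "^", "~", "~="):
            lower = v
    # ^ and ~ are judged by their lower bound only, so a caret range that
    # tops out below the minimum is reported as "warn" rather than "fail".
    return "ok" if lower is not None and lower >= MIN_SDK else "warn"
```

A `warn` result marks the cases the thread leaves to a runtime check: the static parse cannot say which version will actually be installed.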

4 participants