Skip to content

feat: centralize semver-aware cooldown calculation#14600

Open
markhallen wants to merge 8 commits intomainfrom
feat/extract-cooldown-calculation-pr
Open

feat: centralize semver-aware cooldown calculation#14600
markhallen wants to merge 8 commits intomainfrom
feat/extract-cooldown-calculation-pr

Conversation

@markhallen
Copy link
Copy Markdown
Contributor

@markhallen markhallen commented Apr 1, 2026
edited
Loading

What are you trying to accomplish?

Resolves #14544

The uv ecosystem was not respecting release cooldown settings — PRs were opened for dependencies that were still within the configured cooldown window. The root cause was that the UV lockfile resolver was not forwarding update_cooldown options into LatestVersionFinder, so cooldown filtering was never applied during resolution.

This PR fixes that by passing cooldown options through the UV resolver code path, and also centralizes the duplicated cooldown calculation logic into a shared helper to prevent similar inconsistencies across ecosystems.

How the issue is resolved

  • UV lockfile resolver now forwards update_cooldown into LatestVersionFinder so cooldown filtering is applied during resolution.
  • Added specs verifying cooldown options are correctly passed through the UV resolver.

Additional improvements

  • Introduces a shared helper module Dependabot::UpdateCheckers::CooldownCalculation with within_cooldown_window?, cooldown_days_for, and skip_cooldown? methods.
  • Moves semver day selection logic into ReleaseCooldownOptions#cooldown_days_for so ecosystems share one implementation.
  • Bazel and Docker now compute cooldown days using current and candidate versions/tags rather than only default_days.
  • Adds DAY_IN_SECONDS constant to 7 ecosystem version finders that referenced it without defining it (Gradle, Go modules, GitHub Actions, pre-commit, devcontainers, Python, git submodules).
  • Removes unnecessary T.must wrappers in ReleaseCooldownOptions where tuple destructuring already guarantees non-nil values.
  • All Sorbet type checking passes cleanly.

How will you know you've accomplished your goal?

  • Added dedicated specs for the new shared helper (common/spec/dependabot/update_checkers/cooldown_calculation_spec.rb).
  • Added/updated specs for semver cooldown day selection (common/spec/dependabot/package/release_cooldown_options_spec.rb).
  • Updated bazel and docker specs to verify version-aware cooldown behavior.
  • Added uv resolver specs verifying cooldown options are passed to LatestVersionFinder.

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.

Copilot AI review requested due to automatic review settings April 1, 2026 19:48
@markhallen markhallen requested a review from a team as a code owner April 1, 2026 19:48
@github-actions github-actions bot added L: docker Docker containers L: python:uv labels Apr 1, 2026
Copilot AI reviewed Apr 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Centralizes “release cooldown” behavior into a shared helper so multiple ecosystems apply semver-aware cooldown windows consistently, and ensures UV’s lockfile resolver forwards cooldown options into version resolution.

Changes:

  • Introduces Dependabot::UpdateCheckers::CooldownCalculation and refactors cooldown checks to use it.
  • Moves semver-based cooldown-day selection into ReleaseCooldownOptions#cooldown_days_for and updates common version filtering to use the shared logic.
  • Propagates update_cooldown through UV’s lockfile resolver into LatestVersionFinder, and updates Bazel/Docker cooldown handling + specs.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
common/lib/dependabot/update_checkers/cooldown_calculation.rb Adds shared cooldown calculation helpers (window check, day selection, skip logic).
common/spec/dependabot/update_checkers/cooldown_calculation_spec.rb Adds unit specs for the shared cooldown helper.
common/lib/dependabot/package/release_cooldown_options.rb Adds semver-aware cooldown_days_for to centralize day selection logic.
common/spec/dependabot/package/release_cooldown_options_spec.rb Adds coverage for semver-aware day selection behavior.
common/lib/dependabot/package/package_latest_version_finder.rb Refactors cooldown filtering to use the shared helper and semver-aware day selection.
docker/lib/dependabot/docker/update_checker.rb Updates Docker cooldown enforcement to be semver-aware per candidate tag.
docker/spec/dependabot/docker/update_checker_spec.rb Adds spec coverage for semver-aware Docker cooldown behavior.
bazel/lib/dependabot/bazel/update_checker.rb Updates Bazel cooldown enforcement to be semver-aware per candidate version.
bazel/spec/dependabot/bazel/update_checker_spec.rb Updates Bazel specs to match the new cooldown method signature and behavior.
uv/lib/dependabot/uv/update_checker/lock_file_resolver.rb Threads update_cooldown into LatestVersionFinder construction.
uv/lib/dependabot/uv/update_checker.rb Passes @update_cooldown into the lock file resolver.
uv/spec/dependabot/uv/update_checker/lock_file_resolver_spec.rb Adds coverage asserting cooldown options are forwarded into LatestVersionFinder.

@markhallen
Fix Sorbet type errors for DAY_IN_SECONDS and unnecessary T.must calls
2eaf27b 
- Add DAY_IN_SECONDS constant to 7 ecosystem version finders that
  reference it without defining it
- Remove unnecessary T.must wrappers in release_cooldown_options.rb
  where tuple destructuring already guarantees non-nil Integer values
@github-actions github-actions bot added L: java:gradle Maven packages via Gradle L: go:modules Golang modules L: github:actions GitHub Actions L: git:submodules Git submodules L: python L: devcontainers labels Apr 1, 2026
@markhallen markhallen requested a review from Copilot April 2, 2026 09:44
Copilot AI reviewed Apr 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 19 out of 19 changed files in this pull request and generated 1 comment.

@markhallen
Address review feedback: guard against edge cases in within_cooldown_…
7768354 
…window?

- Return false when cooldown_days <= 0 (no cooldown configured)
- Return false when release_date is in the future (clock skew)
- Add spec for future release date edge case
- Fix misleading test description in uv lock_file_resolver_spec
@markhallen
Merge branch 'main' into feat/extract-cooldown-calculation-pr
db7ae68
@markhallen
Fix within_cooldown_window?: keep future releases in cooldown
6a275a8 
The guard against negative time deltas (future release dates) was
incorrect. A release with a future date (relative to Time.now) is
strictly newer than any recently-released version and should remain
within the cooldown window.

The cooldown_days <= 0 guard remains correct and is kept.
@markhallen markhallen mentioned this pull request Apr 2, 2026
Open
1 task
@markhallen
refactor: remove duplicated DAY_IN_SECONDS, delegate to CooldownCalcu…
d872afc 
…lation

Replace inline cooldown arithmetic in 7 ecosystem files with
CooldownCalculation.within_cooldown_window? from common. Each
ecosystem retains its own logic for computing cooldown days
(semver-aware, default-only, or custom) — only the time
comparison is centralised.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@robaiken robaiken robaiken approved these changes

Assignees

No one assigned

Labels

L: devcontainers L: docker Docker containers L: git:submodules Git submodules L: github:actions GitHub Actions L: go:modules Golang modules L: java:gradle Maven packages via Gradle L: python:uv L: python

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Error: cooldown behaves differently for uv than pip

3 participants

@markhallen @robaiken