Skip to content

chore: widen cryptography constraint and bump CDK to 7.21.1#1044

Merged
Aaron ("AJ") Steers (aaronsteers) merged 6 commits into
mainfrom
devin/1780715268-remove-cryptography-upper-bound
Jun 7, 2026
Merged

chore: widen cryptography constraint and bump CDK to 7.21.1#1044
Aaron ("AJ") Steers (aaronsteers) merged 6 commits into
mainfrom
devin/1780715268-remove-cryptography-upper-bound

Conversation

@aaronsteers

@aaronsteers Aaron ("AJ") Steers (aaronsteers) commented Jun 6, 2026
edited by devin-ai-integration Bot
Loading

Copy link
Copy Markdown
Member

Summary

Widens cryptography from >=44.0.0,<45.0.0 to >=44.0.0,<47.0.0,!=45.0.0,!=45.0.1 — the negation constraints exclude 45.0.0/45.0.1 which had load_pem_private_key() regressions (fixed in 45.0.2+). PyAirbyte imports cryptography directly in airbyte/_processors/sql/snowflake.py for key-pair auth, so we keep the explicit dependency.

Bumps airbyte-cdk lower bound from >=7.3.9 to >=7.21.1 — CDK 7.21.1 includes the same widened cryptography constraint, so the two packages no longer conflict on resolution.

Restores workflow_dispatch trigger to pypi_publish.yml (removed by #944), which broke the /prerelease slash command. Adds security hardening (persist-credentials: false, conditional cache disable) and uses SHA-pinned action references.

Unblocks boring-semantic-layer>=0.3.0 in downstream projects (specifically airbytehq/airbyte-transforms-poc) which transitively requires cryptography>=45.0.3.

Link to Devin session: https://app.devin.ai/sessions/9f900ef4021147adb369727617d08827
Requested by: Aaron ("AJ") Steers (@aaronsteers)

@devin-ai-integration

devin-ai-integration Bot commented Jun 6, 2026

Copy link
Copy Markdown
Contributor

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

@github-actions

github-actions Bot commented Jun 6, 2026

Copy link
Copy Markdown

👋 Greetings, Airbyte Team Member!

Here are some helpful tips and reminders for your convenience.

💡 Show Tips and Tricks

Testing This PyAirbyte Version

You can test this version of PyAirbyte using the following:

# Run PyAirbyte CLI from this branch:
uvx --from 'git+https://github.com/airbytehq/PyAirbyte.git@devin/1780715268-remove-cryptography-upper-bound' pyairbyte --help

# Install PyAirbyte from this branch for development:
pip install 'git+https://github.com/airbytehq/PyAirbyte.git@devin/1780715268-remove-cryptography-upper-bound'

PR Slash Commands

Airbyte Maintainers can execute the following slash commands on your PR:

  • /fix-pr - Fixes most formatting and linting issues
  • /uv-lock - Updates uv.lock file
  • /test-pr - Runs tests with the updated PyAirbyte
  • /prerelease - Builds and publishes a prerelease version to PyPI
📚 Show Repo Guidance

Helpful Resources

Community Support

Questions? Join the #pyairbyte channel in our Slack workspace.

📝 Edit this welcome message.

@coderabbitai

coderabbitai Bot commented Jun 6, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Too much diff to scan? Review this PR in Change Stack to start with the highest-impact changes.

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

The PR widens the cryptography dependency range with explicit exclusions, and extends the PyPI publish workflow with manual dispatch inputs plus split release-versus-dispatch execution steps, including conditional publish behavior.

Changes

Dependency Relaxation

Layer / File(s) Summary
Cryptography dependency constraint relaxation
pyproject.toml		 Updated cryptography from >=44.0.0,<45.0.0 to >=44.0.0,<47.0.0,!=45.0.0,!=45.0.1.

PyPI Publish Workflow

Layer / File(s) Summary
Workflow dispatch trigger and header
.github/workflows/pypi_publish.yml		 Inserted a dispatch comment and added workflow_dispatch inputs: git_ref, version_override, and publish (default true).
Publish job rework (checkout, build, conditional publish)
.github/workflows/pypi_publish.yml		 Reorganized publish_to_pypi job so release events download assets, dispatch events checkout the requested ref, install uv, build with UV_DYNAMIC_VERSIONING_BYPASS from version_override, and publish runs on release or when inputs.publish == 'true'.

Sequence Diagram(s)

sequenceDiagram
  participant Trigger as GitHubEvent
  participant Actions as GitHubActions
  participant Runner as JobRunner
  participant PyPI as PyPI
  Trigger->>Actions: start from release or workflow_dispatch
  Actions->>Runner: on dispatch checkout selected git_ref
  Runner->>Runner: install uv and build with UV_DYNAMIC_VERSIONING_BYPASS
  Runner->>PyPI: publish when release event or inputs.publish == 'true'
Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Would you like me to suggest a brief PR checklist for testing dispatch runs locally or in a staging repo before merging? wdyt?

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Title check ⚠️ Warning The PR title mentions widening the cryptography constraint, which matches a key change in pyproject.toml, but omits the significant workflow_dispatch enhancement to the CI/CD pipeline added in .github/workflows/pypi_publish.yml. Consider updating the title to reflect both major changes, such as: 'chore: widen cryptography constraint and enhance PyPI publish workflow' to accurately represent the full scope of changes.
✅ Passed checks (4 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch devin/1780715268-remove-cryptography-upper-bound

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-code-quality

github-code-quality Bot commented Jun 6, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Code Coverage Overview

Languages: Python

Python / code-coverage/pytest-fast

The overall coverage in the branch is 67%. The coverage in the branch is 65%.

Show a code coverage summary of the most impacted files.
File d9f652f 1f10c9e +/-
airbyte/_util/api_util.py 36% 37% +1%
airbyte/registry.py 70% 72% +2%
airbyte/mcp/_tool_utils.py 72% 77% +5%
airbyte/mcp/int...c_history_ui.py 0% 36% +36%
airbyte/mcp/int...hared_models.py 0% 81% +81%
airbyte/cloud/models.py 0% 91% +91%
airbyte/mcp/int..._registry_ui.py 0% 92% +92%
airbyte/mcp/int...nc_status_ui.py 0% 97% +97%
airbyte/mcp/int...ive/__init__.py 0% 100% +100%
airbyte/mcp/int...tive/_prefab.py 0% 100% +100%

Python / code-coverage/pytest-no-creds

The overall coverage in the branch is 67%. The coverage in the branch is 65%.

Show a code coverage summary of the most impacted files.
File d9f652f 1f10c9e +/-
airbyte/_util/api_util.py 36% 37% +1%
airbyte/registry.py 70% 72% +2%
airbyte/mcp/_tool_utils.py 72% 77% +5%
airbyte/mcp/int...c_history_ui.py 0% 36% +36%
airbyte/mcp/int...hared_models.py 0% 81% +81%
airbyte/cloud/models.py 0% 91% +91%
airbyte/mcp/int..._registry_ui.py 0% 92% +92%
airbyte/mcp/int...nc_status_ui.py 0% 97% +97%
airbyte/mcp/int...ive/__init__.py 0% 100% +100%
airbyte/mcp/int...tive/_prefab.py 0% 100% +100%

Python / code-coverage/pytest

The overall coverage in the branch is 72%. The coverage in the branch is 71%.

Show a code coverage summary of the most impacted files.
File d9f652f 1f10c9e +/-
airbyte/_util/api_util.py 72% 72% 0%
airbyte/registry.py 70% 72% +2%
airbyte/mcp/_tool_utils.py 72% 77% +5%
airbyte/mcp/int...c_history_ui.py 0% 36% +36%
airbyte/mcp/int...hared_models.py 0% 81% +81%
airbyte/mcp/int..._registry_ui.py 0% 92% +92%
airbyte/cloud/models.py 0% 93% +93%
airbyte/mcp/int...nc_status_ui.py 0% 97% +97%
airbyte/mcp/int...ive/__init__.py 0% 100% +100%
airbyte/mcp/int...tive/_prefab.py 0% 100% +100%

Updated June 07, 2026 05:01 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.

@github-actions

github-actions Bot commented Jun 6, 2026
edited
Loading

Copy link
Copy Markdown

Prerelease Build Started

Building and publishing prerelease package from this PR...
Check job output.
Prerelease Build/Publish Failed

The prerelease encountered an error.
Check publish workflow output for details.

You can still install directly from this PR branch:

pip install 'git+https://github.com/airbytehq/PyAirbyte.git@devin/1780715268-remove-cryptography-upper-bound'

@devin-ai-integration devin-ai-integration Bot changed the title chore: remove stale cryptography<45 upper bound chore: widen cryptography constraint and pin CDK prerelease Jun 6, 2026
coderabbitai[bot]

This comment was marked as resolved.

Sign in to view

@github-actions

github-actions Bot commented Jun 6, 2026
edited
Loading

Copy link
Copy Markdown

Prerelease Build Started

Building and publishing prerelease package from this PR...
Check job output.
Prerelease Build/Publish Failed

The prerelease encountered an error.
Check publish workflow output for details.

You can still install directly from this PR branch:

pip install 'git+https://github.com/airbytehq/PyAirbyte.git@devin/1780715268-remove-cryptography-upper-bound'

coderabbitai[bot]

This comment was marked as resolved.

Sign in to view

@github-actions

github-actions Bot commented Jun 6, 2026
edited
Loading

Copy link
Copy Markdown

Prerelease Build Started

Building and publishing prerelease package from this PR...
Check job output.
Prerelease Build/Publish Failed

The prerelease encountered an error.
Check publish workflow output for details.

You can still install directly from this PR branch:

pip install 'git+https://github.com/airbytehq/PyAirbyte.git@devin/1780715268-remove-cryptography-upper-bound'

@github-actions

github-actions Bot commented Jun 6, 2026
edited
Loading

Copy link
Copy Markdown

Prerelease Build Started

Building and publishing prerelease package from this PR...
Check job output.
Prerelease Published to PyPI

Version: 0.47.0.dev104427053790217
View publish workflow

Install with:

pip install airbyte==0.47.0.dev104427053790217

devin-ai-integration Bot and others added 4 commits June 6, 2026 05:34
@devin-ai-integration @aaronsteers
chore: remove stale cryptography<45 upper bound
ae73d7b 
Co-Authored-By: AJ Steers <aj@airbyte.io>
@devin-ai-integration @aaronsteers
chore: exclude buggy cryptography 45.0.0 and 45.0.1 via negation
887c89b 
Co-Authored-By: AJ Steers <aj@airbyte.io>
@devin-ai-integration @aaronsteers
chore: pin airbyte-cdk to prerelease with widened cryptography constr…
516874f 
…aint

Co-Authored-By: AJ Steers <aj@airbyte.io>
@devin-ai-integration @aaronsteers
chore: pin to latest CDK prerelease 7.21.0.post4.dev27052511259
933daf6 
Co-Authored-By: AJ Steers <aj@airbyte.io>
@devin-ai-integration devin-ai-integration Bot force-pushed the devin/1780715268-remove-cryptography-upper-bound branch from 38ebf95 to 933daf6 Compare June 6, 2026 05:35
@aaronsteers

Aaron ("AJ") Steers (aaronsteers) commented Jun 6, 2026
edited by github-actions Bot
Loading

Copy link
Copy Markdown
Member Author

/prerelease

Prerelease Build Started

Building and publishing prerelease package from this PR...
Check job output.
Prerelease Published to PyPI

Version: 0.47.0.dev104427054033685
View publish workflow

Install with:

pip install airbyte==0.47.0.dev104427054033685

@aaronsteers Aaron ("AJ") Steers (aaronsteers) marked this pull request as ready for review June 6, 2026 05:43
Copilot AI review requested due to automatic review settings June 6, 2026 05:43
devin-ai-integration[bot]
devin-ai-integration Bot reviewed Jun 6, 2026
View reviewed changes

@devin-ai-integration devin-ai-integration Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 1 additional finding.

Open in Devin Review

Copilot AI reviewed Jun 6, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates PyAirbyte’s Python dependency constraints to allow newer cryptography releases and updates the minimum required airbyte-cdk version, with the lockfile regenerated accordingly.

Changes:

  • Relax cryptography constraint from <45.0.0 to a wider range (<47.0.0) while excluding 45.0.0 and 45.0.1.
  • Raise the minimum airbyte-cdk dependency to 7.21.0.post4.dev27052511259.
  • Update uv.lock to reflect the new dependency constraints and resolved versions.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 5 comments.

File Description
pyproject.toml Updates runtime dependency constraints for cryptography and airbyte-cdk.
uv.lock Regenerated lockfile reflecting the updated constraints and resolved airbyte-cdk version.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread pyproject.toml Outdated
Comment thread pyproject.toml Outdated
Comment thread pyproject.toml Outdated
Comment thread pyproject.toml Outdated
Comment thread pyproject.toml Outdated
aaronsteers
Aaron ("AJ") Steers (aaronsteers) commented Jun 7, 2026
View reviewed changes
Comment thread pyproject.toml Outdated
aaronsteers
Aaron ("AJ") Steers (aaronsteers) commented Jun 7, 2026
View reviewed changes
Comment thread pyproject.toml
@devin-ai-integration devin-ai-integration Bot changed the title chore: widen cryptography constraint and pin CDK prerelease chore: widen cryptography constraint and bump CDK to 7.21.1 Jun 7, 2026
@aaronsteers Aaron ("AJ") Steers (aaronsteers) merged commit c5d5a58 into main Jun 7, 2026
22 checks passed
@aaronsteers Aaron ("AJ") Steers (aaronsteers) deleted the devin/1780715268-remove-cryptography-upper-bound branch June 7, 2026 05:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@devin-ai-integration devin-ai-integration[bot] devin-ai-integration[bot] left review comments

Copilot code review Copilot Copilot left review comments

@coderabbitai coderabbitai[bot] coderabbitai[bot] approved these changes

Assignees

@aaronsteers Aaron ("AJ") Steers (aaronsteers)

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@aaronsteers @airbyte-support-bot