
Python: stabilize dependency maintenance final checks#6662

Merged
eavanvalkenburg merged 1 commit into microsoft:main from eavanvalkenburg:ev/fix-python-dependency-maintenance-final-check on Jun 22, 2026

Conversation

@eavanvalkenburg

Member

Motivation & Context

The Python dependency maintenance workflow now gets past the release-cutoff bootstrap issue, but the manual run still failed during final validation. The generated update set was broadening beyond the script-selected dependency candidates: uv lock --upgrade refreshed unrelated lockfile entries, and auto-updating validation tooling/internal Agent Framework pins introduced failures unrelated to the intended dependency maintenance PR.

This keeps the workflow focused on dependencies selected by the maintenance scripts so final checks validate the generated PR instead of opportunistic toolchain or unrelated lockfile churn.

Description & Review Guide

  • What are the major changes? Refresh the lockfile with uv lock instead of broad uv lock --upgrade, skip exact dev pins for validation tools (ruff, mypy, pyright, pyrefly, ty, zuban), and skip internal agent-framework-* dev pins in the automated dev-pin refresh.
  • What is the impact of these changes? Dependency maintenance still updates selected external dev pins and package dependency ranges, but avoids self-inflicted final-check failures from new validator diagnostics, internal package versioning drift, and unrelated lockfile upgrades.
  • What do you want reviewers to focus on? Whether the workflow now scopes automated updates narrowly enough: candidate selection happens in the scripts, while lockfile refresh only materializes those selected changes.

Related Issue

No linked issue; this fixes a scheduled/manual Python dependency maintenance workflow failure observed after #6658.

Contribution Checklist

  • The code builds clean without any errors or warnings
  • All unit tests pass, and I have added new tests where possible
  • The PR follows the Contribution Guidelines
  • This PR is linked to an issue and there is no other open PR for this issue (see Related Issue above).
  • This is not a breaking change. If it is a breaking change, add the breaking change label (or add "[BREAKING]" to the title prefix, before or after any language prefix) — a workflow keeps the label and title prefix in sync automatically.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 22, 2026 13:43
@moonbox3 moonbox3 added the python Issues related to the Python codebase label Jun 22, 2026

Copilot AI left a comment

Contributor


Pull request overview

This PR narrows the Python dependency-maintenance automation so it only materializes/script-selects intended dependency changes, avoiding opportunistic lockfile churn and validator/tooling drift that can cause unrelated final-check failures.

Changes:

  • Refresh python/uv.lock with uv lock (not uv lock --upgrade) after dev-pin and range updates to avoid broad lockfile upgrades.
  • Update the dev-pin refresh logic to:
    • Skip internal agent-framework* dev pins (left to package versioning).
    • Skip exact dev pins for validation tools (ruff, mypy, pyright, pyrefly, ty, zuban).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

Reviewed files:

  • python/scripts/dependencies/_dependency_bounds_upper_impl.py: Stops auto-refreshing internal AF dev pins and validator tool pins during dev dependency pin replacement collection.
  • .github/workflows/python-dependency-maintenance.yml: Uses uv lock instead of uv lock --upgrade to keep the workflow’s lockfile updates scoped.

@github-actions github-actions Bot left a comment

Contributor


Automated Code Review

Reviewers: 5 | Confidence: 91%

✓ Correctness

The changes are logically correct. Replacing uv lock --upgrade with uv lock properly scopes lockfile updates to only the changes made by the maintenance scripts. The removal of _load_workspace_package_versions is clean (no remaining references to lru_cache or the function). The new skip logic for agent-framework-* packages and validation tools with exact pins correctly prevents the two failure modes described in the PR rationale. The control flow after the changes is sound: validation tools are only skipped when they have an existing exact pin, and all other dev dependencies continue to be processed normally.

✓ Security Reliability

The PR narrows the scope of automated dependency maintenance to avoid self-inflicted failures. Changes are straightforward and well-motivated: replacing uv lock --upgrade with uv lock prevents unrelated lockfile churn, skipping internal agent-framework-* pins and validation tool pins avoids cascading failures. The removed _load_workspace_package_versions function and lru_cache import are cleanly excised with no dangling references. No security or reliability concerns identified.

✓ Test Coverage

This PR introduces two new skip conditions in _collect_dev_pin_replacements (skip internal agent-framework packages, skip validation tool dev pins) and removes the _load_workspace_package_versions helper. None of these behavioral changes have corresponding unit tests. The python/scripts/dependencies/ directory has no test infrastructure at all — no test files exist for this module. While the lack of tests is a pre-existing gap, the new logic branches are non-trivial filtering decisions that would benefit from targeted unit tests to prevent regressions.

✓ Failure Modes

The changes are well-scoped and don't introduce silent failure paths. The switch from uv lock --upgrade to uv lock still materializes script-selected changes (exact pin bumps force lock updates), the _load_workspace_package_versions removal is clean (no remaining callers), the lru_cache import removal is safe (no remaining uses), and the new skip logic for validation tools and internal packages logs clear info messages before continuing. The control flow after the changes is sound: validation tool exact pins are preserved, non-pinned validation tools still get processed, and the existing downgrade guard at line 328 remains correctly placed.

✗ Design Approach

I found two design issues. First, the final relock step now uses a plain uv lock, but the upper-bound validator probes candidate runtime versions only through isolated uv run --with <dependency>==<version> executions and then persists only the widened pyproject.toml bounds, so final checks can silently run against the old locked version instead of the candidate that actually passed validation. Second, the new validation-tool skip was added in a shared helper that is also used by package-scoped bound validation, which conflicts with that helper’s documented purpose of refreshing dev pins so stale tooling does not masquerade as dependency-compatibility failures.

Flagged Issues

  • .github/workflows/python-dependency-maintenance.yml:288 now runs uv lock, but candidate runtime versions are only tested via isolated uv run --with <dependency>==<version> calls and the chosen result is persisted only as widened pyproject.toml bounds. If the previously locked version still satisfies the new range, uv lock will keep it, so the later install/check/typing steps validate the old version rather than the selected candidate.

Automated review by eavanvalkenburg's agents
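The two skip rules (internal agent-framework-* pins, exact-pinned validation tools) and the downgrade guard discussed in the reviews above, written out as an added example with a constructed input set; this is a hypothetical stand-in, not the repository's own _collect_dev_pin_replacements, and it only refreshes exact pins (an assumption, since the page does not show how ranged dev specifiers are handled).

```python
import re

# Validation tools whose existing exact dev pins are left alone (names from the PR).
VALIDATION_TOOLS = frozenset({"ruff", "mypy", "pyright", "pyrefly", "ty", "zuban"})
# Internal workspace packages are left to package versioning rather than auto-bumped.
INTERNAL_PREFIX = "agent-framework"
# Package name, then an optional operator+version pair (both present or both absent).
_SPEC_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:(==|>=|<=|~=|!=|>|<)\s*([0-9][0-9A-Za-z.]*))?\s*$"
)


def _version_key(version: str) -> tuple[int, ...]:
    """Numeric comparison key; assumes plain dotted versions without pre-release tags."""
    return tuple(int(part) for part in version.split("."))


def collect_dev_pin_replacements(dev_deps: list[str], latest: dict[str, str]):
    """Return (replacements, skipped); each replacement is an (old_spec, new_spec) pair.

    Hypothetical stand-in for the script helper: only exact pins are refreshed,
    internal agent-framework-* packages and exact-pinned validation tools are
    skipped, and a pin is never moved backwards (downgrade guard).
    """
    replacements: list[tuple[str, str]] = []
    skipped: list[str] = []
    for spec in dev_deps:
        match = _SPEC_RE.match(spec)
        if not match:
            skipped.append(f"{spec}: unparsable specifier")
            continue
        name, op, pinned = match.group(1).lower(), match.group(2), match.group(3)
        if name.startswith(INTERNAL_PREFIX):
            skipped.append(f"{name}: internal package, left to package versioning")
        elif name in VALIDATION_TOOLS and op == "==":
            skipped.append(f"{name}: validation tool with exact pin, not auto-refreshed")
        elif op != "==" or name not in latest:
            skipped.append(f"{name}: no exact pin to refresh")
        elif _version_key(latest[name]) <= _version_key(pinned):
            skipped.append(f"{name}: {latest[name]} is not newer than {pinned}")
        else:
            replacements.append((spec, f"{name}=={latest[name]}"))
    return replacements, skipped


# Constructed sample input (not taken from the repository's pyproject.toml).
SAMPLE_DEV_DEPS = ["ruff==0.4.0", "mypy>=1.8", "agent-framework-core==1.2.0",
                   "pytest==8.0.0", "coverage==7.5.0", "black==24.0.0"]
SAMPLE_LATEST = {"ruff": "0.5.0", "mypy": "1.10", "agent-framework-core": "1.3.0",
                 "pytest": "8.2.0", "coverage": "7.4.0", "black": "24.0.0"}
```

On the sample input only the pytest pin is refreshed; the five skipped entries each carry the reason the reviews ask to be logged, which is the kind of assertion the Test Coverage note says the script currently lacks.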

@github-actions

Contributor

Flagged issue

.github/workflows/python-dependency-maintenance.yml:288 now runs uv lock, but candidate runtime versions are only tested via isolated uv run --with <dependency>==<version> calls and the chosen result is persisted only as widened pyproject.toml bounds. If the previously locked version still satisfies the new range, uv lock will keep it, so the later install/check/typing steps validate the old version rather than the selected candidate.

Source: automated DevFlow PR review

@eavanvalkenburg eavanvalkenburg added this pull request to the merge queue Jun 22, 2026
Merged via the queue into microsoft:main with commit a7381d8 Jun 22, 2026
41 checks passed
