From 43caae4bb174f4ce5ae7e6d8bb85eb54f0fd9e80 Mon Sep 17 00:00:00 2001
From: Sviatoslav Sydorenko <wk@sydorenko.org.ua>
Date: Sat, 7 Dec 2024 02:24:42 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=92=85=F0=9F=93=A6=20Split=20transitive?=
 =?UTF-8?q?=20dep=20constraints?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This is a structural change allowing for better placement of direct
dependencies and limiting the transitive ones.
---
 requirements/runtime-constraints.in | 20 ++++++++++++++++++++
 requirements/runtime.in             |  7 ++-----
 requirements/runtime.txt            |  2 +-
 3 files changed, 23 insertions(+), 6 deletions(-)
 create mode 100644 requirements/runtime-constraints.in

diff --git a/requirements/runtime-constraints.in b/requirements/runtime-constraints.in
new file mode 100644
index 0000000..a934c36
--- /dev/null
+++ b/requirements/runtime-constraints.in
@@ -0,0 +1,20 @@
+###############################################################################
+#                                                                             #
+# This file is only meant to exclude broken dependency versions, not feature  #
+# dependencies.                                                               #
+#                                                                             #
+# GUIDELINES:                                                                 #
+#   1. Only list PyPI project versions that need to be excluded using `!=`    #
+#      and `<`.                                                               #
+#   2. It is allowed to have transitive dependency limitations in this file.  #
+#   3. Apply bare minimum constraints under narrow conditions, use            #
+#      environment markers if possible. E.g.  `; python_version < "3.12"`.    #
+#   4. Whenever there are no constraints, let the file and this header        #
+#      remain in Git.                                                         #
+#                                                                             #
+###############################################################################
+
+# NOTE: 1.12.0 and later enable support for metadata 2.4
+# NOTE: This can be dropped once twine stops using pkginfo
+# Ref: https://github.com/pypa/twine/pull/1180
+pkginfo ~= 1.12.0
diff --git a/requirements/runtime.in b/requirements/runtime.in
index 63d2a7d..c2060b7 100644
--- a/requirements/runtime.in
+++ b/requirements/runtime.in
@@ -1,9 +1,6 @@
-twine ~= 6.0
+-c runtime-constraints.in  # limits known broken versions
 
-# NOTE: 1.12.0 and later enable support for metadata 2.4
-# NOTE: This can be dropped once twine stops using pkginfo
-# Ref: https://github.com/pypa/twine/pull/1180
-pkginfo ~= 1.12.0
+twine ~= 6.0
 
 # NOTE: Used to detect an ambient OIDC credential for OIDC publishing,
 # NOTE: as well as PEP 740 attestations.
diff --git a/requirements/runtime.txt b/requirements/runtime.txt
index 638b3cf..98bbda9 100644
--- a/requirements/runtime.txt
+++ b/requirements/runtime.txt
@@ -68,7 +68,7 @@ packaging==24.1
     #   twine
 pkginfo==1.12.0
     # via
-    #   -r runtime.in
+    #   -c runtime-constraints.in
     #   twine
 platformdirs==4.2.2
     # via sigstore