@raptorsun raptorsun commented Jan 23, 2026

Description

Fix a bug from pip compile where the hash generated in the output file designated by the -o parameter is different from the one in stdout. For example, the package aiohappyeyeballs has a different hash generated in the output file and in stdout.

Summary by CodeRabbit

  • Chores
    • Removed greenlet from active package lists and moved it to commented/optional entries.
    • Bumped multiple build/runtime dependencies (packaging, wheel, setuptools, poetry-core, kubernetes, litellm, trl, etc.).
    • Performed a broad lockfile/hash refresh with many updated versions and hashes.
    • Added override pins for pandas, pyarrow, and sqlalchemy.
    • Adjusted build/hash scripting to exclude specified packages from wheel hashing and to change hash output redirection.

coderabbitai bot commented Jan 23, 2026

Walkthrough

Removes "greenlet" from Tekton prefetch binary package lists, bumps several build dependency versions, refreshes source and wheel hash lockfiles with many updated versions/hashes and added packages, adds overrides for pandas/pyarrow/sqlalchemy, and updates konflux requirements script to route certain packages to source hashes.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Tekton pipeline configs: `.tekton/lightspeed-stack-pull-request.yaml`, `.tekton/lightspeed-stack-push.yaml` | Removed the greenlet entry from prefetch binary/pip packages lists. |
| Build requirements / overrides: `requirements-build.txt`, `requirements.overrides.txt` | Version bumps (e.g., packaging 25.0→26.0, poetry-core 2.2.1→2.3.0, uv-dynamic-versioning, wheel, setuptools); added/adjusted commented entries (urllib3, pycparser, wcwidth, greenlet); added overrides pandas==2.3.3, pyarrow==22.0.0, sqlalchemy==2.0.45. |
| Hash lockfiles (source & wheel): `requirements.hashes.source.txt`, `requirements.hashes.wheel.txt` | Large lockfile refresh: many package version updates (e.g., kubernetes, trl, sse-starlette, litellm), new package entries (including greenlet, markupsafe, pycparser, wcwidth), and extensive SHA256 hash changes across many packages. |
| Build script: `scripts/konflux_requirements.sh` | Added NO_WHEEL_PACKAGES exclusion and routing of excluded packages to source hash output; replaced pip-compile -o outputs with shell redirection to hash files and added explicit --index-url/--universal adjustments. |

Sequence Diagram(s)

(omitted — changes are configuration, lockfile, and scripting updates without new multi-component control flow requiring visualization)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • tisnik
  • radofuchs

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title directly addresses the main change: fixing a pip-compile hash bug by switching from file output (-o) to shell redirection in the konflux build script. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@tisnik tisnik left a comment

LGTM

@raptorsun

/retest

@raptorsun raptorsun changed the title from "konflux: fix pip compile bug on package hash" to "[WIP] konflux: fix pip compile bug on package hash" Jan 23, 2026

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@requirements.overrides.txt`:
- Line 15: Update the setuptools entry in requirements.overrides.txt by
replacing the incomplete version string "setuptools==80.9" with the full
semantic version "setuptools==80.9.0"; locate the line containing the exact
token setuptools==80.9 and change it to setuptools==80.9.0 so it matches the
version in requirements.hashes.wheel.txt and PyPI.

In `@scripts/konflux_requirements.sh`:
- Line 45: Replace the sed call that strips the "==..." suffix with bash
parameter expansion to avoid spawning a subshell: update the assignment to
compute package_name from current_package using the longest-match suffix removal
(use the %% pattern) so package_name contains current_package up to but
excluding "==...". Replace the line that sets package_name using sed with an
equivalent using parameter expansion (refer to the variables package_name and
current_package and the removal pattern using %%==*).
🧹 Nitpick comments (1)
scripts/konflux_requirements.sh (1)

53-54: Fragile substring matching may cause false positives.

The check [[ "$NO_WHEEL_PACKAGES" == *"$package_name"* ]] performs substring matching. If a package named safe existed, it would incorrectly match markupsafe. Consider using word-boundary matching or array-based lookup for robustness.

Proposed fix using word boundaries
 # packages to exclude from the wheel list
-NO_WHEEL_PACKAGES="markupsafe"
+NO_WHEEL_PACKAGES=",markupsafe,"
 ...
-            elif [[ "$NO_WHEEL_PACKAGES" == *"$package_name"* ]]; then
+            elif [[ "$NO_WHEEL_PACKAGES" == *",$package_name,"* ]]; then
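
Review bot: The comma-delimited value on the `NO_WHEEL_PACKAGES=",markupsafe,"` line only works while every entry keeps a comma on both sides, and the context comment `# packages to exclude from the wheel list` does not say so. An entry appended as `,markupsafe,foo` would never match `*",foo,"*`, and that package would silently stay in the wheel list. Extend the comment to state the required format (leading and trailing comma, no spaces), or build the delimited string from a plain list so the format cannot be broken by a hand edit.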

Alternatively, use an associative array for O(1) lookup if the exclusion list grows.

@raptorsun raptorsun changed the title from "[WIP] konflux: fix pip compile bug on package hash" to "konflux: fix pip compile bug on package hash" Jan 23, 2026
Signed-off-by: Haoyu Sun <hasun@redhat.com>

uv pip compile "$WHEEL_FILE" -o "$WHEEL_HASH_FILE" --refresh --generate-hashes --index-url https://console.redhat.com/api/pypi/public-rhai/rhoai/3.2/cpu-ubi9/simple/ --python-version 3.12 --emit-index-url --no-deps --no-annotate --universal
uv pip compile "$SOURCE_FILE" -o "$SOURCE_HASH_FILE" --refresh --generate-hashes --python-version 3.12 --emit-index-url --no-deps --no-annotate
uv pip compile "$WHEEL_FILE" --refresh --generate-hashes --index-url https://console.redhat.com/api/pypi/public-rhai/rhoai/3.2/cpu-ubi9/simple/ --python-version 3.12 --emit-index-url --no-deps --no-annotate --universal > "$WHEEL_HASH_FILE"
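
Review bot: On the added line, `> "$WHEEL_HASH_FILE"` makes the shell truncate the hash file before uv starts, so a failed or interrupted compile leaves an empty or partial lockfile behind. Redirect to a temporary file and move it over `$WHEEL_HASH_FILE` only when the command exits successfully. Also add a comment above the line saying that stdout is used because the `-o` output carried different hashes, so the flag is not restored later by someone tidying the script.
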
Contributor Author

this is the fix to pip compile problem, strange but it works :P
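
A check for the mismatch this PR works around, as an added example that is not part of the PR or the project's script: it compares the sha256 sets pinned in two lockfiles, such as one written with `-o` and one captured from stdout, and lists the pins that disagree. The function names, the index URL, the aiohappyeyeballs version and all hash values are constructed for illustration.

```shell
# Added example, not part of the PR. The hashes, the index URL and the
# aiohappyeyeballs version below are constructed placeholders.

# Emit one "name==version sha256:<digest>" line per pinned hash in a lockfile.
lock_pairs() {
    awk '
        /^[ \t]*#/ || /^--/ { next }               # comments and --index-url lines
        /^[A-Za-z0-9]/      { pkg = tolower($1) }  # a new "name==version" entry
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^--hash=sha256:/) print pkg, substr($i, 8)
        }' "$1" | LC_ALL=C sort -u
}

# Print every pin whose hash set differs between the two lockfiles.
hash_drift() {
    local a b
    a=$(mktemp) && b=$(mktemp) || return 2
    lock_pairs "$1" > "$a"
    lock_pairs "$2" > "$b"
    # comm -3 keeps lines unique to either file; awk ignores the leading tab.
    LC_ALL=C comm -3 "$a" "$b" | awk '{ print $1 }' | LC_ALL=C sort -u
    rm -f "$a" "$b"
}

demo() {
    local dir
    dir=$(mktemp -d) || return 2
    # Constructed stand-in for the file written with -o.
    cat > "$dir/from_o.txt" <<'EOF'
--index-url https://index.example.invalid/simple/
aiohappyeyeballs==0.0.0 \
    --hash=sha256:aaaa1111 \
    --hash=sha256:bbbb2222
pandas==2.3.3 \
    --hash=sha256:cccc3333
EOF
    # Constructed stand-in for the same compile captured from stdout.
    cat > "$dir/from_stdout.txt" <<'EOF'
--index-url https://index.example.invalid/simple/
aiohappyeyeballs==0.0.0 \
    --hash=sha256:aaaa1111 \
    --hash=sha256:dddd4444
pandas==2.3.3 \
    --hash=sha256:cccc3333
EOF
    hash_drift "$dir/from_o.txt" "$dir/from_stdout.txt"
    rm -rf "$dir"
}
demo   # prints: aiohappyeyeballs==0.0.0
```

An empty result from `hash_drift` means both files pin the same digests for every package.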

@tisnik tisnik merged commit 845874e into lightspeed-core:main Jan 23, 2026
22 checks passed