Add Dependabot manifest and pin deps (#53)

Maxim-Doronin · web-flow · commit 0f5fc57d8bab · 2025-04-15T14:43:57.000+01:00
* Add Dependabot manifest

* Pin python deps

* Unfold directories in dependabot config

* Add contrib guide

* Allow unsafe setuptools

* Adding patchelf and cpu-only torch
diff --git a/.github/actions/compile-models/action.yml b/.github/actions/compile-models/action.yml
@@ -38,7 +38,7 @@ runs:
       shell: bash
       run: |
         python3 -m pip install --upgrade pip
-        python3 -m pip install -r ${{ github.action_path }}/requirements.txt
+        python3 -m pip install --require-hashes -r ${{ github.action_path }}/requirements.txt
 
     - name: Prepare OpenVINO environment
       if: ${{ inputs.compiler-type == 'MLIR' }}
diff --git a/.github/actions/compile-models/requirements.in b/.github/actions/compile-models/requirements.in
@@ -0,0 +1,18 @@
+--extra-index-url https://download.pytorch.org/whl/cpu
+
+# Core
+transformers>=4.51.1
+torch==2.6.0+cpu
+torchvision==0.21.0+cpu
+onnx>=1.17.0
+onnxruntime>=1.21.0
+onnxruntime-tools>=1.7.0
+
+# Hugging Face Hub
+huggingface_hub>=0.30.2
+
+# Utils
+pillow>=11.1.0
+requests>=2.32.3
+tqdm>=4.67.1
+accelerate>=1.6.0
diff --git a/.github/actions/compile-models/requirements.txt b/.github/actions/compile-models/requirements.txt
diff --git a/.github/actions/download-models/action.yml b/.github/actions/download-models/action.yml
@@ -22,7 +22,7 @@ runs:
       shell: bash
       run: |
         python3 -m pip install --upgrade pip
-        python3 -m pip install -r ${{ github.action_path }}/requirements.txt
+        python3 -m pip install --require-hashes -r ${{ github.action_path }}/requirements.txt
 
     - name: Run downloader script
       shell: bash
diff --git a/.github/actions/download-models/requirements.in b/.github/actions/download-models/requirements.in
@@ -0,0 +1,3 @@
+huggingface_hub>=0.30.2
+hf_xet>=1.0.2
+requests>=2.32.3
diff --git a/.github/actions/download-models/requirements.txt b/.github/actions/download-models/requirements.txt
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,26 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "pip"
+    directory: "/.github"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "pip"
+    directory: "/.github/actions/compile-models"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "pip"
+    directory: "/.github/actions/download-models"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "pip"
+    directory: "/scripts"
+    schedule:
+      interval: "weekly"
diff --git a/.github/requirements-dev.in b/.github/requirements-dev.in
@@ -0,0 +1,4 @@
+setuptools>=70.1,<75.9
+wheel>=0.38.1
+build<1.3
+patchelf<=0.17.2.1; sys_platform == 'linux' and platform_machine == 'x86_64'
diff --git a/.github/requirements-dev.txt b/.github/requirements-dev.txt
@@ -0,0 +1,42 @@
+#
+# This file is autogenerated by pip-compile with Python 3.13
+# by the following command:
+#
+#    pip-compile --allow-unsafe --generate-hashes .github/requirements-dev.in
+#
+build==1.2.2.post1 \
+    --hash=sha256:1d61c0887fa860c01971625baae8bdd338e517b836a2f70dd1f7aa3a6b2fc5b5 \
+    --hash=sha256:b36993e92ca9375a219c99e606a122ff365a760a2d4bba0caa09bd5278b608b7
+    # via -r .github/requirements-dev.in
+colorama==0.4.6 \
+    --hash=sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44 \
+    --hash=sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6
+    # via build
+packaging==24.2 \
+    --hash=sha256:09abb1bccd265c01f4a3aa3f7a7db064b36514d2cba19a2f694fe6150451a759 \
+    --hash=sha256:c228a6dc5e932d346bc5739379109d49e8853dd8223571c7c5b55260edc0b97f
+    # via build
+patchelf==0.17.2.1; \
+    sys_platform == 'linux' and platform_machine == 'x86_64' \
+    --hash=sha256:3c8d58f0e4c1929b1c7c45ba8da5a84a8f1aa6a82a46e1cfb2e44a4d40f350e5 \
+    --hash=sha256:a6eb0dd452ce4127d0d5e1eb26515e39186fa609364274bc1b0b77539cfa7031 \
+    --hash=sha256:a9e6ebb0874a11f7ed56d2380bfaa95f00612b23b15f896583da30c2059fcfa8 \
+    --hash=sha256:ccb266a94edf016efe80151172c26cff8c2ec120a57a1665d257b0442784195d \
+    --hash=sha256:d1a9bc0d4fd80c038523ebdc451a1cce75237cfcc52dbd1aca224578001d5927 \
+    --hash=sha256:f47b5bdd6885cfb20abdd14c707d26eb6f499a7f52e911865548d4aa43385502 \
+    --hash=sha256:fc329da0e8f628bd836dfb8eaf523547e342351fa8f739bf2b3fe4a6db5a297c
+    # via -r .github/requirements-dev.in
+pyproject-hooks==1.2.0 \
+    --hash=sha256:1e859bd5c40fae9448642dd871adf459e5e2084186e8d2c2a79a824c970da1f8 \
+    --hash=sha256:9e5c6bfa8dcc30091c74b0cf803c81fdd29d94f01992a7707bc97babb1141913
+    # via build
+wheel==0.45.1 \
+    --hash=sha256:661e1abd9198507b1409a20c02106d9670b2576e916d58f520316666abca6729 \
+    --hash=sha256:708e7481cc80179af0e556bbf0cc00b8444c7321e2700b8d8580231d13017248
+    # via -r .github/requirements-dev.in
+
+# The following packages are considered to be unsafe in a requirements file:
+setuptools==75.8.2 \
+    --hash=sha256:4880473a969e5f23f2a2be3646b2dfd84af9028716d398e46192f84bc36900d2 \
+    --hash=sha256:558e47c15f1811c1fa7adbd0096669bf76c1d3f433f58324df69f3f5ecac4e8f
+    # via -r .github/requirements-dev.in
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -1,6 +1,7 @@
 name: "CodeQL Advanced"
 
 on:
+  workflow_dispatch:
   push:
     branches:
       - develop
diff --git a/.github/workflows/job_build_mlir_linux.yml b/.github/workflows/job_build_mlir_linux.yml
@@ -133,11 +133,7 @@ jobs:
       - name: Install python dependencies
         if: ${{ !steps.cache-restore.outputs.cache-hit }}
         run: |
-          python3 -m pip install -r ${OPENVINO_REPO}/src/bindings/python/wheel/requirements-dev.txt
-          python3 -m pip install -r ${OPENVINO_REPO}/src/frontends/onnx/tests/requirements.txt
-          python3 -m pip install -r ${OPENVINO_REPO}/src/frontends/tensorflow/tests/requirements.txt
-          python3 -m pip install -r ${OPENVINO_REPO}/src/frontends/tensorflow_lite/tests/requirements.txt
-          python3 -m pip install -r ${OPENVINO_REPO}/src/frontends/paddle/tests/requirements.txt
+          python3 -m pip install --require-hashes -r ${NPU_COMPILER_REPO}/.github/requirements-dev.txt
 
       - name: Prepare environment
         if: ${{ !steps.cache-restore.outputs.cache-hit }}
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -0,0 +1,115 @@
+# Contributing to OpenVINO™ Intel® NPU Compiler
+
+We welcome contributions to the **OpenVINO™ Intel® NPU Compiler** project from both Intel employees and the open-source community.  
+This document provides guidelines to help you make successful contributions and ensure a smooth review and integration process.
+If you want to contribute to OpenVINO NPU plugin or have general questions about OpenVINO Toolkit contributions, refer to the [OpenVINO Contributing Guide](https://github.com/openvinotoolkit/openvino/blob/master/CONTRIBUTING.md)
+
+## Table of Contents
+1. [Ways to Contribute](#ways-to-contribute)  
+2. [Code Contribution Process](#code-contribution-process)  
+3. [Pull Request Requirements](#pull-request-requirements)  
+4. [Review Process](#review-process)  
+5. [Responsibilities](#responsibilities)  
+6. [Additional Resources](#additional-resources)
+
+
+## Ways to Contribute
+
+### Report Bugs or Propose Features
+
+- If you experience unexpected behavior or have ideas for improvement:
+  - Submit a [GitHub issue](https://github.com/openvinotoolkit/npu_compiler/issues) with a clear description, logs, and steps to reproduce.
+  - Or join the OpenVINO [GitHub Discussions](https://github.com/openvinotoolkit/openvino/discussions) if it's exploratory or architectural.
+
+### Suggest Architecture Improvements
+
+- For major proposals or POCs, open a **Draft Pull Request** and mark it as such to initiate discussion without triggering full review flow.
+
+### Contribute Code
+
+- Start from a [Good First Issue](https://github.com/orgs/openvinotoolkit/projects/3) or any open item in the issue tracker.
+- Follow our [Pull Request Process](#code-contribution-process).
+
+
+## Code Contribution Process
+
+The OpenVINO™ Intel® NPU Compiler project inherits its contribution process from the main [OpenVINO PR Contributing Guidelines](https://github.com/openvinotoolkit/openvino/blob/master/CONTRIBUTING_PR.md). We recommend familiarizing yourself with them before submitting a PR.
+
+1. **Fork the Repository**  
+   All contributions must come from **forks**, not branches in the main repository. This helps streamline CI and maintain stability.
+
+2. **Create a Draft PR for Early Feedback**  
+   - Draft PRs will **not auto-assign codeowners**.  
+   - Use this to share ideas, work-in-progress or early architecture.
+
+3. **Mark as Ready for Review**  
+   - Remove "Draft" status  
+   - Apply `READY_FOR_REVIEW` label  
+   - Follow [PR Requirements](#pull-request-requirements)
+
+4. **Get Review and Approval**  
+   - Request reviews from relevant [Codeowners](./CODEOWNERS)  
+   - Address feedback, rebase your branch, and rerun validation
+
+5. **Ready for Merge**  
+   - Apply `READY_FOR_MERGE` label  
+   - Assign to a [Maintainer](#maintainer) once validation passes and approvals are in place
+
+
+## Pull Request Requirements
+
+Your PR must:
+
+✅ **Target a single purpose (Feature / Bug / Refactor / etc.)**  
+✅ Be tied to a JIRA ticket or GitHub issue with a clear description and acceptance criteria  
+✅ Include a meaningful title, summary, and platform/classification  
+✅ Be rebased on the target branch (no merge commits)  
+✅ Contain logically separated commits with descriptions (avoid "squash-all" style)  
+✅ Add test coverage for all new or affected behavior  
+✅ Use proper GitHub labels, milestones, and assignees  
+✅ Contain **validation results**, either:
+   - Automatic CI logs
+   - Links to manual test runs if auto-checks are not applicable  
+
+## Review Process
+
+- Request initial review from subject matter experts
+- Make sure **all discussions are resolved**, especially blocking ones
+- PR can only be assigned to a Maintainer once:
+  - All codeowners have approved  
+  - CI is green or justified in PR comments  
+  - Discussions are closed  
+- Maintainer performs final review and merge
+
+> **Note:** For large PRs (e.g. refactor, submodule bump), mark it explicitly in the header so maintainers can manage merge conflicts accordingly.
+
+## Responsibilities
+
+### Pull Request Author
+- Own the PR lifecycle from creation to merge
+- Rebase, resolve comments, and ensure validation
+- Escalate blockers proactively
+- Ensure functionality lands in the correct branches
+
+### Reviewer
+- Provide timely, constructive feedback
+- Approve only when confident in change scope and correctness
+
+### Maintainer
+- Confirm all merge conditions are satisfied
+- Avoid conflicts with other recent changes
+- Merge only when CI + review criteria are met
+
+## Additional Resources
+
+- [OpenVINO Code Style Guide](https://github.com/openvinotoolkit/openvino/blob/master/docs/dev/coding_style.md)  
+- [How to fork a repository](https://docs.github.com/en/get-started/quickstart/fork-a-repo)  
+- [CODEOWNERS](./CODEOWNERS)
+
+💬 **Got Questions?**  
+Submit a [GitHub issue](https://github.com/openvinotoolkit/npu_compiler/issues) or start a [GitHub Discussion](https://github.com/openvinotoolkit/openvino/discussions) or reach out to the development team through internal channels (for Intel employees).
+
+
+---
+
+By contributing to this repository, you agree that your work will be licensed under the terms of the [LICENSE](./LICENSE).

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+huggingface_hub>=0.30.2`
	`2`	`+hf_xet>=1.0.2`
	`3`	`+requests>=2.32.3`