chore(deps): bump python-gitlab from 4.3.0 to 7.0.0

[dependabot]

Bumps python-gitlab from 4.3.0 to 7.0.0.

Release notes

Sourced from python-gitlab's releases.

v7.0.0 (2025-10-29)

This release is published under the LGPL-3.0-or-later License.

Features

• Drop Python 3.9 support and add Python 3.14 (22941ac)

Breaking Changes

• As of python-gitlab 7.0.0, Python 3.9 is no longer supported. Python 3.10 or higher is required.

---

Detailed Changes: v6.5.0...v7.0.0

v6.5.0 (2025-10-17)

This release is published under the LGPL-3.0-or-later License.

Bug Fixes

• semantic-release: Enable CHANGELOG.md generation (fb9693b)

Continuous Integration

• stale: Fix permission for stale action and allow manual run (9357a37)

Documentation

• pull_mirror: Fix incorrect start() method usage example (2acac19)

Features

• api: Add content_ref and dry_run_ref parameters to ProjectCiLintManager (e8d2538)

• users: Implement 'skip_confirmation' in users 'emails' creation (2981730)

---

Detailed Changes: v6.4.0...v6.5.0

v6.4.0 (2025-09-28)

This release is published under the LGPL-3.0-or-later License.

Chores

• deps: Update actions/setup-python action to v6 (89cdb78)

... (truncated)

Changelog

Sourced from python-gitlab's changelog.

v7.0.0 (2025-10-29)

Features

• Drop Python 3.9 support and add Python 3.14 (22941ac)

Breaking Changes

• As of python-gitlab 7.0.0, Python 3.9 is no longer supported. Python 3.10 or higher is required.

v6.5.0 (2025-10-17)

Bug Fixes

• semantic-release: Enable CHANGELOG.md generation (fb9693b)

Continuous Integration

• stale: Fix permission for stale action and allow manual run (9357a37)

Documentation

• pull_mirror: Fix incorrect start() method usage example (2acac19)

Features

• api: Add content_ref and dry_run_ref parameters to ProjectCiLintManager (e8d2538)

• users: Implement 'skip_confirmation' in users 'emails' creation (2981730)

v6.4.0 (2025-09-28)

Features

• users: Implement missing arguments in users 'list' (99923d4)

• users: Sort 'user list' arguments against documentation (99923d4)

v6.3.0 (2025-08-28)

... (truncated)

Commits

• 378b72d chore: release v7.0.0
• 22941ac feat!: drop Python 3.9 support and add Python 3.14
• adbc833 chore(deps): update github artifact actions
• 0f5655c chore(deps): upgrade coverage to 7.11.0 for Python > 3.9
• e213849 chore(deps): update pre-commit hook pycqa/pylint to v4
• d623085 chore(deps): update pre-commit hook pycqa/isort to v7
• 2e0831c chore(deps): update dependency isort to v7
• 0a6c408 chore(deps): update dependency pylint to v4
• f78a873 chore: release v6.5.0
• 2acac19 docs(pull_mirror): fix incorrect start() method usage example
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[mergebot-dev]

Impact Assessment Report for PR/MR #219

Overall Impact Score: 4.8

Recommendation: Requires human review

---

Summary Table

Assessment Agent	Score	Key Findings	Suggested Actions
Code Analysis Agent	6.0	Major dependency upgrade (python-gitlab 4.3.0 → 7.0.0); breaking changes; no direct logic changes but moderate risk.	Ensure environment compatibility (Python 3.10+), review breaking changes, run comprehensive integration tests, monitor closely after deployment.
Complexity Assessment Agent	3.0	Low complexity—only dependency management files updated; primary complexity risk is ecosystem compatibility.	Validate deployment pipelines for Python 3.10+, document new requirements, review integration tests for python-gitlab API usage.
Test Coverage Agent	2.0	No coverage lost, CI passed, but no added tests for new dependency features/changes; minimal new coverage for updated APIs.	Add integration/smoke tests for python-gitlab v7.0.0, verify runtime compatibility with supported Python versions, update tests for API changes as necessary.
Risk Assessment Agent	6.0	Moderate risk due to breaking changes, raised Python min version, potential API incompatibility; successful CI reduces immediate risk.	Conduct targeted integration and compatibility testing, security review of new version, prepare rollback plan, review changelogs, monitor after deployment.

---

Detailed Assessments

• Code Analysis Agent: Score 6.0

  • Findings: This PR upgrades python-gitlab from 4.3.0 to 7.0.0, a breaking change that impacts dependency management and drops Python 3.9 support. While no direct application code is changed, reliance on the updated dependency could expose the codebase to ecosystem compatibility issues, especially if python-gitlab APIs have shifted or if deployment environments are not kept up to date.
  • Suggested Action: Double-check that all environments (local, CI, production) are using Python ≥3.10. Scrutinize python-gitlab API usage for deprecated/changed behaviors and carefully monitor post-deploy.

• Complexity Assessment Agent: Score 3.0

  • Findings: Very limited scope—only version bumps in locked dependencies and metadata. No new algorithms or code paths introduced. Primary complexity is at the boundaries, due to the new Python version constraint and indirect effects via python-gitlab’s API changes.
  • Suggested Action: Review and document the new Python and dependency requirements. Confirm through CI and environment tooling that the required versions are satisfied across all deployment targets.

• Test Coverage Agent: Score 2.0

  • Findings: There is no reduction in test coverage, and all existing tests are passing in CI with the new dependency. However, the PR does not introduce or adapt any tests for potential behavioral/API changes arising from python-gitlab 7.0.0, leading to a small coverage gap for new/changed functionality.
  • Suggested Action: Implement integration or smoke tests targeting the key functionalities that rely on python-gitlab, especially those likely to be affected by API or behavior changes; check behavioral compatibility explicitly.

• Risk Assessment Agent: Score 6.0

  • Findings: The risk profile is moderate: this dependency is a critical integration point (GitLab API client), undergoing a major upgrade with breaking changes (including minimum Python version and functional APIs). While successful pipeline execution means immediate breakage is unlikely, latent compatibility or runtime issues could still manifest.
  • Suggested Action: Validate all environments are at least Python 3.10, review python-gitlab’s changelog for deprecated or changed APIs, conduct deep integration tests (especially around gitlab API usage), monitor after deploy, and have quick rollback capability.

---

Triage & Next Steps

Triage Level: Medium

• Reviewers should:
  • Verify that all environments (local, CI, production, staging) are compliant with the new Python 3.10+ requirement.
  • Scrutinize all places in the codebase that interact directly with python-gitlab for potential breakage or API drift—compare to python-gitlab 7.0.0 changelog.
  • Confirm the addition of targeted integration or smoke tests covering the main usages of python-gitlab, especially if the codebase uses features that had breaking changes or were flagged as deprecated in older versions.
  • Check for any lingering dependencies or third-party libraries that are incompatible with Python 3.10+.
  • Ensure that a monitoring and rapid rollback strategy is prepared for post-deployment.

Blockers before approval:

• Confirmation of environment readiness (Python ≥3.10).
• Successful completion of targeted integration tests against upgraded dependency.
• Documentation update for new Python and dependency requirements.
• Reviewer signoff on compatibility review.

---

Justification

The overall impact score is 4.8, which exceeds the auto-approval threshold of 3.0 (per approval policy) and therefore requires manual review. While the PR itself is technically low complexity—with only dependency file modifications and no direct logic changes—it raises moderate risk due to a major breaking dependency upgrade. The new minimum Python version (3.10), potential for API breakage with python-gitlab, and lack of targeted test adaptation make it essential for a human reviewer to scrutinize compatibility and ensure environmental readiness.

Mitigation actions—such as targeted integration testing, environment validation, and improved monitoring—are crucial to limit production risks from this upgrade. Once reviewers confirm the above actions, merging can proceed with good confidence.

---

Requesting Another Review

Trigger	Command	Description
Comment command	/mergebot review	Queue an immediate re-analysis by Mergebot.
Mention	@mergebot-dev[bot]	Mention the Mergebot account in any PR comment to request a follow-up review.
Dashboard	Check "Request a Rerun" in the Mergebot dashboard	Adds this PR to the rerun queue for the next scheduled scan.

[mergebot-dev]

❌ PR has not been auto-approved as per the Impact Assessment Report.
Please review the report and take necessary actions manually.

[thehapyone]

/mergebot review

[mergebot-dev]

Impact Assessment Report for PR/MR #219

Overall Impact Score: 4.4

Recommendation: Requires human review

---

Summary Table

Assessment Agent	Score	Key Findings	Suggested Actions
Code Analysis Agent	5.0	Major dependency (python-gitlab) upgrade; no source code changes; passes tests; risk in API change and Python version bump	Review changelog; verify environments; add integration tests
Complexity Assessment Agent	4.0	Moderate complexity due to major version bump with minimal direct code change	Ensure comprehensive integration testing; check for API compliance
Test Coverage Agent	3.0	Unit tests pass, but lacks new tests for upgraded dependency/API changes, hidden risk possible	Add/expand tests for compatibility and new features
Risk Assessment Agent	5.0	Moderate overall risk: API changes, Python version requirement, potential environment and security impacts	Audit usage; verify environments; monitor after merge

---

Detailed Assessments

• Code Analysis Agent: Score 5.0

  • Findings: The PR updates the python-gitlab dependency from v4.3.0 to v7.0.0. No direct source code changes are involved; updates are limited to dependency management files. The upgrade introduces potential risk due to a major version jump and increased minimum required Python version (from 3.8 to 3.10), which could affect environment compatibility as well as any code using the python-gitlab API. Unit tests and code style checks pass, but there’s moderate risk related to possible breaking API changes and environment drift.
  • Suggested Action: Carefully review the python-gitlab v7.0.0 changelog for breaking/deprecated changes. Ensure all deployment and CI environments are upgraded to Python 3.10 or above. Implement and run integration tests covering all usages of python-gitlab.

• Complexity Assessment Agent: Score 4.0

  • Findings: While the PR only touches dependency files and doesn’t increase codebase structural complexity, the major version bump introduces complexity via indirect changes, especially if the project depends heavily on python-gitlab’s API. Potential for incompatible behaviors means integration and regression testing are essential.
  • Suggested Action: Verify that all functional areas relying on python-gitlab are tested under the new version. Create/expand integration tests to confirm behavioral compatibility.

• Test Coverage Agent: Score 3.0

  • Findings: No tests are added or updated. While existing tests still pass, they may not fully exercise updated or deprecated functionality in the new dependency. Current test suite may leave gaps in coverage for API changes and the new Python version.
  • Suggested Action: Augment coverage with tests specifically targeting upgraded python-gitlab API surfaces and error handling. Confirm all test suites run under Python 3.10+ environments.

• Risk Assessment Agent: Score 5.0

  • Findings: The main risks are potential malfunction due to breaking API changes, failure if run on environments below Python 3.10, and possible new or changed behavior in authentication, security, or performance. If not all environments are ready for Python 3.10+, production/deployment could break. No evidence was found of critical vulnerabilities being fixed/introduced, but ambiguity remains until integration is fully tested.
  • Suggested Action: Audit all usages of python-gitlab, confirm environments’ Python versions, monitor production logs after deployment, and perform staged rollout if feasible.

---

Triage & Next Steps

Triage Level: Medium-High

• Reviewers must focus on:
  • Ensuring deployment and CI environments are on Python 3.10 or above
  • Auditing code for breaking changes in the python-gitlab API
  • Verifying that integration and end-to-end tests pass and cover relevant workflows
• Open questions: Are all developer and deployment environments confirmed to already run Python 3.10+? Has the full suite of integration/regression tests been run?
• Blockers:
  • Lack of explicit integration testing with python-gitlab v7.0.0
  • Unconfirmed Python runtime environment compatibility for all users/deployments

---

Justification

The aggregate impact score is calculated as follows:

• CodeAnalysis (5.0) × 0.40 = 2.00
• ComplexityAnalysis (4.0) × 0.20 = 0.80
• TestAnalysis (3.0) × 0.20 = 0.60
• RiskAnalysis (5.0) × 0.20 = 1.00

Overall Impact Score = 2.00 + 0.80 + 0.60 + 1.00 = 4.4

Since the overall impact score (4.4) exceeds the auto-approval threshold of 3.0, this PR requires human review. The main factors driving this decision are the major version upgrade of a core dependency (python-gitlab), increased minimum Python version requirement (potentially breaking existing environments), and the absence of new or revised tests to validate compatibility with the upgrade. While no immediate failures are detected, the risks are moderate and compounded by possible hidden incompatibilities in code paths not covered by existing tests.

Recommended next steps:
Perform targeted integration and regression testing; confirm environment readiness across all usage contexts; audit code for API breaks. Only proceed with merge once these gaps are rectified and risk is adequately mitigated.

---

Requesting Another Review

Trigger	Command	Description
Comment command	/mergebot review	Queue an immediate re-analysis by Mergebot.
Mention	@mergebot-dev[bot]	Mention the Mergebot account in any PR comment to request a follow-up review.
Dashboard	Check "Request a Rerun" in the Mergebot dashboard	Adds this PR to the rerun queue for the next scheduled scan.

[mergebot-dev]

❌ PR has not been auto-approved as per the Impact Assessment Report.
Please review the report and take necessary actions manually.

[thehapyone]

/mergebot review

[mergebot-dev]

Impact Assessment Report for PR/MR #219

Overall Impact Score: 5.0

Recommendation: Requires human review

---

Summary Table

Assessment Agent	Score	Key Findings	Suggested Actions
Code Analysis Agent	6.0	Major dependency bump (python-gitlab 4.3.0 → 7.0.0), impacts Python version and APIs.	Verify environments run Python ≥3.10, review API usages and changelog, test integrations
Complexity Assessment Agent	4.0	Moderate integration risk, no direct code changes, new version requirements.	Review release notes, perform integration testing, update docs on new Python requirements
Test Coverage Agent	2.0	Unit tests pass but no new coverage for upgraded library integration.	Add integration tests for python-gitlab 7.0.0 usage, update tests based on new dependency
Risk Assessment Agent	5.0	Drops Python 3.9 support, moderate risk for compatibility and stability.	Audit target environments, address "blocked" merge state, prepare rollback, run security scan

---

Detailed Assessments

• Code Analysis Agent: Score 6.0

  • Findings: The PR upgrades a core dependency (python-gitlab) across several major versions, requiring Python ≥3.10 and introducing possible breaking changes. No direct source code is changed, but dependency versions in manifests are updated and other sub-dependencies get minimum version bumps.
  • Suggested Action: Ensure all development/deployment environments run Python 3.10 or higher; review how the codebase interacts with python-gitlab APIs and update as necessary; consult upgrade changelogs; run full integration and system tests.

• Complexity Assessment Agent: Score 4.0

  • Findings: The complexity is driven by external library updates, not internal code changes. There are possible integration and compatibility challenges, especially with the significant version jump and related dependency bumps. Python version requirement was increased.
  • Suggested Action: Carefully review dependency changelogs and API changes, execute thorough integration and regression tests, monitor for runtime issues, document the new Python version minimum in project documentation.

• Test Coverage Agent: Score 2.0

  • Findings: The PR passes current unit tests, but does not introduce new or updated tests to address the specific risks and scenarios exposed by the dependency bump, especially around integration with GitLab APIs. Coverage for the new library version is minimal.
  • Suggested Action: Add or enhance integration and smoke tests for functionalities depending on python-gitlab; verify compatibility with API changes and Python 3.10+; ensure mock/stub tests are updated for the new version.

• Risk Assessment Agent: Score 5.0

  • Findings: Moderate overall risk, particularly re: compatibility with Python 3.10, possible API breaking changes, and potential dependency conflicts. The PR is currently blocked, indicating unresolved merge issues or CI concerns. Security and reliability are not immediately threatened but require validation for new/unknown vulnerabilities.
  • Suggested Action: Verify all running environments meet new Python requirement, ensure unblock of merge state, audit for dependency conflicts, run security and vulnerability scans, stage/test before production, maintain rollback plans.

---

Triage & Next Steps

Triage Level: Medium

• Guidance for Reviewers:

  • Focus on validation of Python environment compatibility (≥3.10).
  • Investigate direct usages of python-gitlab in the codebase for required adjustments per API changes.
  • Ensure integration/functional tests, not just unit tests, are passing and reflect new dependency behaviors.
  • Address mergeable_state: blocked by resolving any CI issues or conflicts.
  • Consider preparatory steps (staging environment, rollbacks, update documentation).

• Blockers:

  • PR cannot be merged until "blocked" state is resolved.
  • Python version alignment across all environments is critical.
  • Integration and coverage gaps must be addressed.

---

Justification

The overall impact score is calculated as follows (using configured weights):

• Code Analysis (0.40 × 6.0) = 2.40
• Complexity (0.20 × 4.0) = 0.80
• Test Coverage (0.20 × 2.0) = 0.40
• Risk Assessment (0.20 × 5.0) = 1.00
• Total Impact Score: 2.40 + 0.80 + 0.40 + 1.00 = 5.0

This score exceeds the auto-approval threshold (≤3.0), mainly driven by the major dependency upgrade, required Python version bump, notable risk for breaking integrations, and lack of targeted test coverage improvements. While current unit tests pass, the absence of dedicated integration testing, unresolved PR blockers, and broad ecosystem impacts demand thorough human review before merging.

Auto-approval is NOT recommended. Manual review is required, addressing the items above to ensure stability, compatibility, and robust functionality post-merge.

---

Requesting Another Review

Trigger	Command	Description
Comment command	/mergebot review	Queue an immediate re-analysis by Mergebot.
Mention	@mergebot-dev[bot]	Mention the Mergebot account in any PR comment to request a follow-up review.
Dashboard	Check "Request a Rerun" in the Mergebot dashboard	Adds this PR to the rerun queue for the next scheduled scan.

> _This report was automatically generated by [MergeBot](https://github.com/thehapyone/Mergebot)

[mergebot-dev]

❌ PR has not been auto-approved as per the Impact Assessment Report.
Please review the report and take necessary actions manually.

[thehapyone]

/mergebot review

[mergebot-dev]

Impact Assessment Report for PR/MR #219

Overall Impact Score: 4.8

Recommendation: Requires human review

---

Summary Table

Assessment Agent	Score	Key Findings	Suggested Actions
Code Analysis Agent	6.0	Major version bump of python-gitlab, increased Python minimum version, core dependency.	Validate environment compatibility, audit integration points, and monitor post-release.
Complexity Assessment Agent	2.0	Dependency upgrade only; low immediate code complexity risk.	Conduct thorough integration testing for new dependency version.
Test Coverage Agent	2.0	No source/test code changes; CI pipeline passed; minimal direct coverage impact.	Add integration tests for gitlab interactions; verify compatibility with Python ≥3.10.
Risk Assessment Agent	6.0	Moderate risk: API changes, Python version upgrade, environment compatibility concerns.	Confirm environment readiness, audit API usage, monitor runtime, review security posture.

---

Detailed Assessments

• Code Analysis Agent: Score 6.0

  • Findings: This PR upgrades a core dependency (python-gitlab) from v4.3.0 to v7.0.0, affecting only metadata files (poetry.lock, pyproject.toml). The upgrade is a major version bump including deprecation of Python versions <3.10 and updating sub-dependencies. Although success in the CI pipeline is positive, breaking changes in the library or environment incompatibility may cause runtime failures.
  • Suggested Action: Verify all environments use Python ≥3.10, review the python-gitlab changelog for compatibility, and run integration tests for all features using python-gitlab.

• Complexity Assessment Agent: Score 2.0

  • Findings: The change is limited to a dependency upgrade without modifications to the codebase or introduction of new logic. Complexity risk is introduced only by possible integration challenges post-upgrade.
  • Suggested Action: Focus post-upgrade validation on areas of the codebase that interface directly with python-gitlab, emphasizing integration testing rather than code-level review.

• Test Coverage Agent: Score 2.0

  • Findings: Passing CI indicates the upgrade does not break basic build and test workflows, but the lack of targeted integration/regression tests for the new python-gitlab version or the updated Python runtime reduces confidence in full compatibility.
  • Suggested Action: Enhance coverage with integration/smoke tests for GitLab API interactions. Validate CI pipeline and runtime environments meet the new Python ≥3.10 requirement.

• Risk Assessment Agent: Score 6.0

  • Findings: Moderate risk due to major dependency version bump, Python version requirement change, and possible breaking API changes. Successful CI runs mitigate risk but do not entirely remove it—especially regarding environment compatibility and deep integration behaviors.
  • Suggested Action: Audit all application areas that use python-gitlab, perform staging tests mirroring production, ensure documentation is updated, and carefully monitor system behavior after deployment.

---

Triage & Next Steps

Triage Level: Medium

• Reviewer Guidance:

  • Validate that all build, deploy, and runtime environments are on Python 3.10 or later.
  • Review the application's usage of python-gitlab for deprecated or modified API calls.
  • Ensure additional integration tests are added/expanded to cover GitLab API usage.
  • Carefully monitor for runtime errors and regressions post-release, especially relating to authentication, token handling, and GitLab operations.
  • Review documentation for deployment and development teams on new environment and dependency requirements.

• Blockers Before Approval:

  • Absence of targeted integration tests for critical GitLab API interactions.
  • Uncertainty around environment readiness for Python 3.10+ and new python-gitlab extras.
  • Lack of documented review/audit of API changes between python-gitlab v4.x and v7.x.

---

Justification

This impact assessment aggregates four distinct viewpoints weighted per policy: Code Analysis (40%), Complexity (20%), Test Coverage (20%), and Risk (20%). The overall weighted impact score is 4.8, exceeding the auto-approval threshold of 3.0.

The change is significant because it introduces:

• A major dependency upgrade (python-gitlab) with possible breaking API changes.
• A minimum Python version increase, risking environment compatibility.
• Sub-dependency upgrades and introduction of a new extra (graphql).
• No source code changes, yet substantive integration risk remains.

Although the CI pipeline passed basic tests, existing tests may not check for subtle runtime and integration issues with the upgraded dependency. The risk of breaking critical GitLab-related features, environment compatibility, or introducing subtle functionality or security regressions is moderate.

For these reasons, manual review is recommended with focused attention to:

• Environment readiness (Python ≥3.10),
• Comprehensive integration and regression testing,
• Application code audit for API usage compatibility,
• Post-deployment monitoring.

Auto-approval is not advised; human intervention is necessary to secure a safe, reliable, and robust upgrade.

---

Requesting Another Review

Trigger	Command	Description
Comment command	/mergebot review	Queue an immediate re-analysis by Mergebot.
Mention	@mergebot-dev[bot]	Mention the Mergebot account in any PR comment to request a follow-up review.
Dashboard	Check "Request a Rerun" in the Mergebot dashboard	Adds this PR to the rerun queue for the next scheduled scan.

_This report was automatically generated by MergeBot

[mergebot-dev]

❌ PR has not been auto-approved as per the Impact Assessment Report.
Please review the report and take necessary actions manually.