Dependencies¶
Every version EasySpeak pins lives in one of four data files; nothing is pinned inside scripts or code. When a version changes, exactly one of these files changes — the consuming scripts stay untouched.
| Lock file | Maintained | Pins |
|---|---|---|
pins.toml |
just update-pins |
Speech models, bundled CPython, build container, nfpm |
pyproject.toml |
by hand | Supported Python range, dependency lower bounds |
uv.lock |
just requirements |
Exact Python library versions, wheel hashes |
flake.lock |
nix flake update |
nixpkgs revision for dev shell and nix run |
pins.toml¶
The hand-maintained lock file for everything that is downloaded by the packaging scripts and the Nix flake rather than resolved by a package manager. Each entry pins an immutable revision (a Hugging Face commit or tag, a release version, an image tag), plus SHA-256 checksums where the artifact is a single file. Its consumers:
flake.nix— fetches the Piper voice viabuiltins.fromTOML, checksum-verified byfetchurl.packaging/stage-lang.sh— downloads the speech models for eacheasyspeak-lang-*package; Piper files are checksum-verified withsha256sum.packaging/stage-bundle.sh— materialises the pinned standalone CPython.packaging/build-in-docker.sh— pulls the pinned build-container image and nfpm release.
The easyspeak-lang-* packages carry the app's release version, so a newer
package version does not imply newer model content — the model content changes
only when pins.toml does.
just update-pins bumps every entry to its current upstream version and
recomputes checksums; the build container advances only when its LTS leaves
standard support, since its glibc is the packages' compatibility floor.
Review the diff before committing.
Deliberately floating¶
- uv itself: latest in CI (
astral-sh/setup-uv) and in the build container (install script); pinned only for the dev shell viaflake.lock. - GitHub Actions: pinned by major version tag, floating within it.
- The Whisper model at runtime: with
EASYSPEAK_OFFLINE=relaxedand no local model, faster-whisper fetches the latest snapshot from Hugging Face (src/core/config.py); installing the language package avoids this entirely.