build: switch from pip to uv for dependency management #416
Conversation
## What

Replace pip-based dependency management with uv across the project, consolidating requirements.txt and requirements-test.txt into pyproject.toml with a generated uv.lock. Add a workflow to keep uv.lock in sync on Dependabot PRs.

## Why

uv provides faster installs, deterministic lockfile resolution, and a simpler single-tool workflow for dependency and virtualenv management.

## Notes

- Dockerfile now copies uv binary from ghcr.io/astral-sh/uv:latest and uses uv sync --frozen --no-dev instead of pip install
- CI workflows use astral-sh/setup-uv with caching enabled
- test_contributors.py reformatted by black (with-statement style change)
- Dependabot will update pyproject.toml but does not natively understand uv.lock, so update-uv-lock.yml auto-commits the regenerated lockfile back to Dependabot PR branches
- If branch protection requires signed commits, the update-uv-lock workflow may need a GitHub App token instead of GITHUB_TOKEN
- Update CI matrix to include python 3.13 and 3.14

Signed-off-by: jmeridth <jmeridth@gmail.com>
de513ac to d7e6bff
Pull request overview
This PR migrates the project's dependency management from pip (with requirements.txt and requirements-test.txt) to uv, consolidating dependencies into pyproject.toml with a deterministic uv.lock. It also updates CI workflows, the Dockerfile, the Makefile, and documentation to use uv commands.
Changes:
- Replaced `requirements.txt` and `requirements-test.txt` with `pyproject.toml` and `uv.lock`; updated `Dockerfile`, `Makefile`, and all CI workflows to use `uv sync`/`uv run` instead of pip
- Added `.github/workflows/update-uv-lock.yml` to auto-regenerate `uv.lock` when Dependabot modifies `pyproject.toml`
- Reformatted `test_contributors.py` with-statement blocks using Black's parenthesized context manager style (cosmetic only)
Reviewed changes
Copilot reviewed 9 out of 11 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| pyproject.toml | New file defining project metadata, runtime dependencies, and dev dependency group |
| uv.lock | Auto-generated lockfile for deterministic dependency resolution |
| requirements.txt | Deleted — replaced by pyproject.toml |
| requirements-test.txt | Deleted — replaced by pyproject.toml dev dependencies |
| Dockerfile | Uses COPY --from=ghcr.io/astral-sh/uv:latest and uv sync --frozen --no-dev; changes ENTRYPOINT to uv run |
| Makefile | Prefixes all Python tool commands with uv run |
| README.md | Updates local usage instructions to reference uv |
| .github/workflows/python-ci.yml | Replaces setup-python + pip install with setup-uv + uv sync |
| .github/workflows/copilot-setup-steps.yml | Same uv migration as python-ci.yml |
| .github/workflows/update-uv-lock.yml | New workflow to keep uv.lock in sync on Dependabot PRs |
| test_contributors.py | Black reformatting of with blocks (no functional change) |
## What

Pin the uv Docker image to a versioned digest, restore unbuffered Python output in the container, and update the super-linter workflow to use uv instead of the deleted requirements files.

## Why

The review identified three issues: supply-chain risk from using a mutable :latest tag, loss of unbuffered stdout/stderr behavior needed for GitHub Actions log streaming, and the super-linter workflow still referencing the removed requirements.txt files.

## Notes

- uv image pinned to 0.10.9@sha256:10902f58... — will need Dependabot or manual updates to rotate
- PYTHONUNBUFFERED=1 replaces the previous python3 -u entrypoint flag

Signed-off-by: jmeridth <jmeridth@gmail.com>
| HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \ | ||
| CMD python3 -c "import os,sys; sys.exit(0 if os.path.exists('/action/workspace/contributors.py') else 1)" | ||
| ENV PYTHONUNBUFFERED=1 |
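Review bot: the HEALTHCHECK in this hunk only tests that /action/workspace/contributors.py exists on disk, so a container whose uv-synced environment cannot import the module still reports healthy. If the check is meant to say anything about the runtime, have it exercise the interpreter and the synced dependencies (for example `CMD uv run python -c "import contributors"`), or drop the HEALTHCHECK if this container is only ever run once per action step, where nothing consults its health status. The `ENV PYTHONUNBUFFERED=1` line is fine; a one-line comment noting it replaces the old `python3 -u` entrypoint flag would save the next reader a trip to the commit history.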
this is in place of the -u that used to be passed to python3 in the ENTRYPOINT.
| contributors_module.markdown, "write_to_markdown" | ||
| ), patch.object( | ||
| contributors_module.json_writer, "write_to_json" | ||
| with ( |
linting formatting fix, nothing more.
| @@ -0,0 +1,35 @@ | |||
| --- | |||
this whole workflow is required because dependabot uv management doesn't handle uv.lock files. Renovate does but we'd need to have the app installed into the github-community-projects org. Figured this was easier. If we do head down the Renovate path, I'd like to entertain installing the octo-sts app also. A conversation for later.
## What

Fix zizmor bot-conditions audit and codespell false positive on uv.lock.

## Why

The zizmor audit flagged github.actor as spoofable since it refers to the last actor to modify the PR, not the creator. Codespell flagged "astroid" (a real Python package) in uv.lock as a misspelling of "asteroid".

## Notes

- Replaced github.actor with github.event.pull_request.user.login which refers to the PR creator and cannot be spoofed by later commits
- Added .codespellrc to ignore-words-list for "astroid"

Signed-off-by: jmeridth <jmeridth@gmail.com>
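The two follow-up commits above fix the same class of problem twice: a CI input that can drift or be influenced by someone other than the maintainer (a mutable `:latest` image tag in the Dockerfile, and a workflow condition keyed on `github.actor`, which is the last actor to touch the PR rather than its author). As an added example, not code from this PR or from the contributors project, here is a small Python audit that flags both patterns and shows the weak and corrected configurations side by side. The Dockerfile and workflow fragments are constructed for the example, the job name `update-lock` is assumed, and the sha256 digest is an all-zero placeholder rather than the real one from the PR.

```python
"""Added example (not code from the PR or the contributors project): a small
audit that flags two CI supply-chain weaknesses, a Docker image reference with
no digest (such as a mutable ':latest' tag) and a workflow condition keyed on
the spoofable github.actor. The Dockerfile and workflow fragments below are
constructed; the sha256 digest is an all-zero placeholder."""
import re

# Placeholder digest standing in for the real one pinned in the PR.
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64

# Constructed "before" fragment: uv is pulled by the mutable ':latest' tag.
DOCKERFILE_BEFORE = f"""\
FROM python:3.13-slim@{PLACEHOLDER_DIGEST}
COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv
ENV PYTHONUNBUFFERED=1
RUN uv sync --frozen --no-dev
"""

# Constructed "after" fragment: version tag plus digest, so the bytes cannot change.
DOCKERFILE_AFTER = f"""\
FROM python:3.13-slim@{PLACEHOLDER_DIGEST}
COPY --from=ghcr.io/astral-sh/uv:0.10.9@{PLACEHOLDER_DIGEST} /uv /usr/local/bin/uv
ENV PYTHONUNBUFFERED=1
RUN uv sync --frozen --no-dev
"""

# Constructed workflow fragments (job name assumed). github.actor is whoever last
# touched the PR; github.event.pull_request.user.login is whoever opened it.
WORKFLOW_BEFORE = """\
on: pull_request
jobs:
  update-lock:
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
"""

WORKFLOW_AFTER = """\
on: pull_request
jobs:
  update-lock:
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
"""

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
ACTOR_RE = re.compile(r"\bgithub\.(?:triggering_)?actor(?:_id)?\b")


def image_ref(line):
    """Return the image reference named by a FROM or COPY --from= line, else None."""
    toks = line.split()
    if not toks:
        return None
    if toks[0].upper() == "FROM":
        # Skip option tokens such as --platform=... that precede the image name.
        return next((t for t in toks[1:] if not t.startswith("--")), None)
    if toks[0].upper() == "COPY":
        return next((t[len("--from="):] for t in toks[1:] if t.startswith("--from=")), None)
    return None


def audit_dockerfile(text):
    """List (line number, reference, reason) for image references not pinned to a digest."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        ref = image_ref(line)
        # A bare name with no registry path, tag or digest is treated as a build-stage name.
        if ref is None or not any(c in ref for c in "/:@"):
            continue
        if DIGEST_RE.search(ref):
            continue
        name = ref.rsplit("/", 1)[-1]
        tag = name.split(":", 1)[1] if ":" in name else "latest (implicit)"
        findings.append((lineno, ref, f"image not pinned to a digest; tag '{tag}' is mutable"))
    return findings


def audit_workflow(text):
    """List (line number, condition, reason) for if: conditions keyed on the last actor."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if re.match(r"\s*(?:-\s*)?if:", line) and ACTOR_RE.search(line):
            findings.append((lineno, line.strip(),
                             "github.actor is the last actor on the PR, not its author; "
                             "use github.event.pull_request.user.login"))
    return findings


if __name__ == "__main__":
    for label, text, fn in (("Dockerfile before", DOCKERFILE_BEFORE, audit_dockerfile),
                            ("Dockerfile after", DOCKERFILE_AFTER, audit_dockerfile),
                            ("workflow before", WORKFLOW_BEFORE, audit_workflow),
                            ("workflow after", WORKFLOW_AFTER, audit_workflow)):
        print(label, fn(text) or "clean")
```

Run as a script it reports one finding for each "before" fragment and "clean" for each "after" fragment. The digest check is deliberately strict: a version tag alone (`uv:0.10.9`) still fails, because tags can be re-pushed, and only the `@sha256:` digest identifies the exact bytes; as the commit note says, that digest then has to be rotated by Dependabot or by hand.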
## What

Add .venv to jscpd ignore list in the linter configuration.

## Why

The uv sync step creates a .venv in the workspace during CI. jscpd was scanning vendored C files inside mypyc and reporting 50.58% duplication over the 50% threshold, failing the super-linter check.

## Notes

- This only became an issue after switching to uv, which creates .venv in the workspace rather than installing into the system Python

Signed-off-by: jmeridth <jmeridth@gmail.com>
Pull Request
Proposed Changes
What
Replace pip-based dependency management with uv across the project, consolidating requirements.txt and requirements-test.txt into pyproject.toml with a generated uv.lock. Add a workflow to keep uv.lock in sync on Dependabot PRs.
Why
uv provides faster installs, deterministic lockfile resolution, and a simpler single-tool workflow for dependency and virtualenv management.
Notes
- `astroid` (uv org). It thinks it should be `asteroid`. 😄

Readiness Checklist

Author/Contributor

- `make lint` and fix any issues that you have introduced
- `make test` and ensure you have test coverage for the lines you are introducing