feat(ci): Add tasks for checking and updating UV lock files (uv.lock); Add check to GH workflow. #1507
Note: Other AI code review bot(s) detected
CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.
Walkthrough
Adds a GitHub Actions workflow that runs UV lock-file checks on PRs, pushes and daily; adds Taskfile tasks to check/update uv.lock across multiple projects; and updates documentation describing the new workflow.
Sequence Diagram(s)
sequenceDiagram
autonumber
participant GH as GitHub Actions (workflow)
participant Runner as Runner (macOS/Ubuntu)
participant Repo as Repository
participant Task as Task CLI (@go-task/cli)
participant UV as uv installer / uv tool
GH->>Runner: start job (matrix)
Runner->>Repo: checkout (with submodules)
Runner->>Runner: npm install -g @go-task/cli@3.44.0
Runner->>UV: install uv (remote script)
Runner->>Task: run task deps:lock:check-uv
Task->>Repo: for each PROJECT_DIR -> execute uv lock --check
alt all checks pass
Task->>Runner: exit 0
Runner->>GH: success
else any check fails
Task->>Runner: exit non-zero
Runner->>GH: failure
end
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
Pre-merge checks and finishing touches: ❌ Failed checks (1 warning), ✅ Passed checks (2 passed)
💡 Codex Review
Here are some automated review suggestions for this pull request.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| - name: "Install task" | ||
| shell: "bash" | ||
| run: "npm install -g @go-task/cli@3.44.0" | ||
|
|
||
| - name: "Validate lock files" | ||
| shell: "bash" |
Install uv before running lock checks
The new workflow calls task deps:lock:check-uv, whose uv-lock task executes uv lock …, but the job never installs the uv CLI. Unlike the existing clp-lint workflow that explicitly runs curl …/uv/install.sh, this job will fail immediately on the hosted runners because uv is not preinstalled. Please add a setup step to install uv on each matrix runner before invoking the task so that the lockfile checks can execute.
Actionable comments posted: 5
📜 Review details
Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro
📒 Files selected for processing (3)
- .github/workflows/clp-uv-checks.yaml (1 hunks)
- docs/src/dev-docs/tooling-gh-workflows.md (1 hunks)
- taskfiles/deps/lock.yaml (2 hunks)
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2025-10-22T21:02:31.113Z
Learnt from: junhaoliao
PR: y-scope/clp#0
File: :0-0
Timestamp: 2025-10-22T21:02:31.113Z
Learning: Repository y-scope/clp: Maintain deterministic CI/builds for Rust; add a check to verify Cargo.lock is in sync with Cargo.toml without updating dependencies (non-mutating verification in clp-rust-checks workflow).
Applied to files:
.github/workflows/clp-uv-checks.yaml
📚 Learning: 2025-10-22T21:14:12.225Z
Learnt from: junhaoliao
PR: y-scope/clp#1466
File: .github/workflows/clp-rust-checks.yaml:14-15
Timestamp: 2025-10-22T21:14:12.225Z
Learning: Repository y-scope/clp: In GitHub Actions workflows (e.g., .github/workflows/clp-rust-checks.yaml), YAML anchors/aliases are acceptable and preferred to avoid duplication; if actionlint flags an alias node (e.g., on push.paths) as an error, treat it as a tool limitation and do not require inlining unless the team asks to silence the warning.
Applied to files:
.github/workflows/clp-uv-checks.yaml
🪛 actionlint (1.7.8)
.github/workflows/clp-uv-checks.yaml
18-18: "paths" section must be sequence node but got alias node with "" tag
(syntax-check)
🪛 LanguageTool
docs/src/dev-docs/tooling-gh-workflows.md
[uncategorized] ~97-~97: It appears that hyphens are missing in the adjective “up-to-date”.
Context: ...r each UV Python project's uv.lock is up to date with its pyproject.toml.
(UP_TO_DATE_HYPHEN)
🪛 YAMLlint (1.37.1)
.github/workflows/clp-uv-checks.yaml
[error] 1-1: wrong new line character: expected \n
(new-lines)
[warning] 3-3: truthy value should be one of [false, true]
(truthy)
[warning] 39-39: too few spaces before comment: expected 2
(comments)
🔇 Additional comments (4)
taskfiles/deps/lock.yaml (2)
13-24: Task structure and implementation look correct. The `check-uv` task properly iterates over UV projects and applies lock validation with `--check` flag.
32-38: Task definition is correct. The `update-uv` task properly reuses the project list and applies `uv lock` without flags.
.github/workflows/clp-uv-checks.yaml (2)
3-22: Trigger configuration is well-designed. The workflow triggers cover all necessary scenarios (PRs, pushes, scheduled daily run, and manual dispatch) with comprehensive path monitoring. The use of YAML anchors aligns with codebase practices.
24-27: Concurrency configuration is appropriate. The concurrency group properly prevents duplicate runs for the same branch.
| strategy: | ||
| matrix: | ||
| os: | ||
| - "macos-15" | ||
| - "ubuntu-22.04" | ||
| - "ubuntu-24.04" | ||
| runs-on: "${{matrix.os}}" |
🧹 Nitpick | 🔵 Trivial
Consider whether multi-platform validation is necessary for UV lock files.
Since uv.lock files are meant to be deterministic across platforms (similar to lockfiles in other ecosystems), running the same validation on macOS, Ubuntu 22.04, and Ubuntu 24.04 may be redundant. A single validation run could save CI time and resources.
If cross-platform determinism validation is important, this operational strategy is sound. Otherwise, consider running on a single OS to optimize CI runtime.
Could you clarify whether cross-platform validation is a requirement? If not, you might optimize to:
strategy:
matrix:
os:
- - "macos-15"
- - "ubuntu-22.04"
- - "ubuntu-24.04"
+ - "ubuntu-24.04"📝 Committable suggestion
| strategy: | |
| matrix: | |
| os: | |
| - "macos-15" | |
| - "ubuntu-22.04" | |
| - "ubuntu-24.04" | |
| runs-on: "${{matrix.os}}" | |
| strategy: | |
| matrix: | |
| os: | |
| - "ubuntu-24.04" | |
| runs-on: "${{matrix.os}}" |
🤖 Prompt for AI Agents
.github/workflows/clp-uv-checks.yaml around lines 31 to 37: the CI currently
runs uv.lock validation across macos-15, ubuntu-22.04 and ubuntu-24.04 which may
be redundant; if cross-platform determinism is NOT required, replace the matrix
with a single runs-on (recommend ubuntu-24.04) to save CI time by removing the
matrix.strategy.matrix.os block and set runs-on: ubuntu-24.04; if cross-platform
validation IS required, keep the matrix as-is and add a comment explaining the
requirement so reviewers know it’s intentional.
| # Runs `uv lock` in the UV project directory with the specified flags. | ||
| # | ||
| # @param {string} PROJECT_DIR | ||
| # @param {string} UV_LOCK_FLAGS The flags to pass to the `uv lock` command. | ||
| uv-lock: | ||
| internal: true | ||
| requires: | ||
| vars: ["PROJECT_DIR", "UV_LOCK_FLAGS"] | ||
| dir: "{{.PROJECT_DIR}}" | ||
| cmd: |- | ||
| uv lock {{.UV_LOCK_FLAGS}} |
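Review bot: In the doc comment above `uv-lock`, `@param {string} PROJECT_DIR` carries no description while `UV_LOCK_FLAGS` does; add one saying it is the UV project directory the command runs in, as `dir: "{{.PROJECT_DIR}}"` shows. In the `cmd` line, `{{.UV_LOCK_FLAGS}}` is interpolated into the shell command unquoted, which allows several flags but also means the value is parsed by the shell, so the comment should state that callers pass only fixed, trusted flag strings.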
🧹 Nitpick | 🔵 Trivial
Consider adding clarification on uv tool availability.
The task assumes the uv CLI tool is available in the environment but doesn't declare this as a dependency. Consider adding a comment or checking if other tasks in the file declare similar toolchain dependencies.
You may want to verify whether a toolchain dependency (like deps: ["toolchains:python"] or similar) should be declared to ensure uv is available, consistent with how cargo-workspace-fetch depends on toolchains:rust (line 48).
🤖 Prompt for AI Agents
In taskfiles/deps/lock.yaml around lines 66 to 76, the uv-lock task assumes the
`uv` CLI is present but does not declare any toolchain dependency or note the
requirement; add a dependency entry similar to cargo-workspace-fetch (e.g. deps:
["toolchains:uv"] or the appropriate toolchain that provides `uv`) or at minimum
add a short comment above the task documenting that `uv` must be installed, and
align the dependency pattern with other tasks in this file so the tool is
guaranteed available in CI/local runs.
it's documented here already:
clp/docs/src/dev-docs/building-package.md
Line 23 in 2ac456e
uv isn't installed the same way as the rust toolchain in a task, although I agree that at some point we probably should. It's out of scope of the current PR anyway.
@junhaoliao, thank you for the clarification! You're absolutely right—UV is documented in the building-package guide, and since it's not managed through a task dependency like the rust toolchain, adding that now would indeed be out of scope. I appreciate you pointing out the documentation location and explaining the current approach.
✏️ Learnings added
Learnt from: junhaoliao
PR: y-scope/clp#1507
File: taskfiles/deps/lock.yaml:66-76
Timestamp: 2025-10-27T04:05:01.545Z
Learning: In the CLP project, the `uv` CLI tool is documented as a prerequisite in docs/src/dev-docs/building-package.md and is not installed via a task dependency like the rust toolchain. UV is expected to be available in the environment rather than being provisioned by the taskfile system.
🧠 Learnings used
Learnt from: Bill-hbrhbr
PR: y-scope/clp#1271
File: components/core/tools/scripts/lib_install/centos-stream-9/install-prebuilt-packages.sh:41-43
Timestamp: 2025-08-29T07:31:24.032Z
Learning: In CLP's build tool installation scripts, uv version constraints should use lower bound constraints (uv>=0.8) rather than exact version pinning, following the same philosophy used for other build tools to accommodate platform differences while ensuring minimum required functionality.
@codex review again
💡 Codex Review
Here are some automated review suggestions for this pull request.
| - name: "Install uv" | ||
| shell: "bash" | ||
| run: "curl --fail --location --silent --show-error https://astral.sh/uv/install.sh | sh" | ||
|
|
||
| - name: "Validate lock files" |
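Review bot: The `run` line of the "Install uv" step pipes https://astral.sh/uv/install.sh straight into `sh` with no version pin and no integrity check, so each run executes whatever that URL serves at the time, whereas the "Install task" step in the same workflow pins `@go-task/cli@3.44.0`. Pin the uv version and verify the download before executing it, or install through a pinned setup action, so the lock-file check runs on a reproducible toolchain.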
Add uv to PATH before running lockfile checks
The workflow installs uv via the curl script but never appends the installation directory to PATH. On GitHub macOS runners the script installs the binary under $HOME/.local/bin without exporting that path for subsequent steps, so the following task deps:lock:check-uv invocation will fail with uv: command not found on macOS while the Linux jobs may pass. Consider adding echo "$HOME/.local/bin" >> "$GITHUB_PATH" (or similar) after the install so that uv is available in the validation step.
Each run keyword represents a new process and shell in the runner environment. When you provide multi-line commands, each line runs in the same shell.
The lockfile checks are not in the same "multi-line" command as the "Install uv" step, right? So if a new shell is to be started on every new step, the new step should have read the shell profile again and gotten the correct PATH if the uv installation script has correctly set the PATH?
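Added illustration, not part of the PR or of any comment in this thread: a local simulation of the step-isolation question above. It assumes the runner starts each `shell: bash` step as `bash --noprofile --norc -eo pipefail` and prepends directories written to the `$GITHUB_PATH` file for later steps; `run_step`, `tool_visible`, `fake_install` and `fake-tool` are hypothetical names, and the installer is a constructed stand-in, not uv's install script.

```bash
#!/usr/bin/env bash
# Constructed simulation of workflow steps; no real runner or installer is involved.
set -u
BASH_BIN="$(command -v bash)"
SIM_HOME="$(mktemp -d)"                  # stand-in for the runner's $HOME
SIM_GITHUB_PATH="$SIM_HOME/github_path"  # stand-in for the file behind $GITHUB_PATH
: > "$SIM_GITHUB_PATH"
trap 'rm -rf "$SIM_HOME"' EXIT

# Run one "step": a fresh bash with no profile and no rc file. Directories that
# earlier steps wrote to the GITHUB_PATH file are prepended, later entries first.
run_step() {
    extra=""
    while IFS= read -r dir; do
        if [ -n "$dir" ]; then extra="$dir:$extra"; fi
    done < "$SIM_GITHUB_PATH"
    env -i HOME="$SIM_HOME" GITHUB_PATH="$SIM_GITHUB_PATH" PATH="${extra}${PATH}" \
        "$BASH_BIN" --noprofile --norc -e -o pipefail -c "$1"
}

# Hypothetical installer: puts fake-tool in ~/.local/bin and only edits shell profiles.
fake_install='mkdir -p "$HOME/.local/bin"
printf "#!/bin/sh\necho fake-tool 0.0.0\n" > "$HOME/.local/bin/fake-tool"
chmod +x "$HOME/.local/bin/fake-tool"
for rc in .profile .bashrc; do
    echo "export PATH=\"\$HOME/.local/bin:\$PATH\"" >> "$HOME/$rc"
done'

# Succeeds only if a new step can resolve fake-tool on its PATH.
tool_visible() { run_step 'command -v fake-tool >/dev/null'; }

run_step "$fake_install"
if tool_visible; then BEFORE=found; else BEFORE=missing; fi

# The change suggested in the review: record the directory for later steps.
run_step 'echo "$HOME/.local/bin" >> "$GITHUB_PATH"'
if tool_visible; then AFTER=found; else AFTER=missing; fi

echo "next step after profile edits only: $BEFORE"
echo "next step after GITHUB_PATH entry:  $AFTER"
```

Profile edits made by an installer are invisible to a step started this way, so whether the next step finds the binary depends on the install directory already being on PATH or being recorded through `$GITHUB_PATH`.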
LinZhihao-723 left a comment
Minor comments. Otherwise lgtm.
| - name: "Install uv" | ||
| shell: "bash" | ||
| run: "curl --fail --location --silent --show-error https://astral.sh/uv/install.sh | sh" |
It might be worth adding this to the repo (like how we set up cargo)?
But I guess it's not gonna be in this PR. How about let's try https://github.com/astral-sh/setup-uv?
Co-authored-by: Lin Zhihao <59785146+LinZhihao-723@users.noreply.github.com>
LinZhihao-723 left a comment
For the PR title, how about:
feat(ci): Add tasks for checking and updating UV lock files (`uv.lock`); Add check to GH workflow.
to mirror #1448
Description
This PR adds tasks to update and check UV's dependency lock files (`uv.lock`) in all UV Python projects:
- `deps:lock:check-uv`: loops over defined UV projects and runs `uv lock --check`.
- `deps:lock:update-uv`: loops over the same set and runs `uv lock` to refresh lockfiles.

This PR also introduces a GitHub Actions workflow, `clp-uv-checks`, to run the check task.

Checklist
breaking change.
Validation performed
The new tasks
clp/integration-tests/pyproject.toml
Line 20 in 2ac456e
"mypy>=1.18.2"
`task deps:lock:check-uv` and observed
`task deps:lock:update-uv` and observed the `integration-tests/uv.lock` was changed in VCS.
`task deps:lock:check-uv` again and observed no failure (confirmed the exit code was `0` by `echo $?`).
The new workflow