Skip to content

build: migrate from pip to uv for dependency management#346

Merged
jmeridth merged 5 commits intomainfrom
jm_move_to_uv
Mar 10, 2026
Merged

build: migrate from pip to uv for dependency management#346
jmeridth merged 5 commits intomainfrom
jm_move_to_uv

Conversation

@jmeridth
Copy link
Collaborator

@jmeridth jmeridth commented Mar 8, 2026

Pull Request

Proposed Changes

What

Replace pip-based dependency management with uv across the entire project: pyproject.toml and uv.lock replace requirements.txt and requirements-test.txt, all CI workflows use astral-sh/setup-uv, Makefile commands prefixed with uv run, and Dockerfile uses uv for production installs.

Why

uv provides significantly faster dependency resolution and installation, deterministic lockfile-based builds, and a single pyproject.toml as the source of truth for all dependencies. This aligns with the approach already adopted by the contributors repo.

Notes

  • CI matrix expanded to Python 3.11-3.14
  • New update-uv-lock.yml workflow handles Dependabot PR lockfile sync
  • Docker image copies uv binary from ghcr.io/astral-sh/uv:0.10.9
  • Added .codespellrc to ignore "astroid" (pylint dependency)
  • Added .venv to .jscpd.json ignore list
  • test_markdown_writer.py reformatted by black (no logic changes)

Readiness Checklist

Author/Contributor

  • If documentation is needed for this change, has that been included in this pull request
  • run make lint and fix any issues that you have introduced
  • run make test and ensure you have test coverage for the lines you are introducing

@jmeridth jmeridth self-assigned this Mar 8, 2026
@jmeridth jmeridth requested a review from zkoppert as a code owner March 8, 2026 05:32
@jmeridth
build: migrate from pip to uv for dependency management
bdfa1be 
## What

Replace pip-based dependency management with uv across the entire project:
pyproject.toml and uv.lock replace requirements.txt and requirements-test.txt,
all CI workflows use astral-sh/setup-uv, Makefile commands prefixed with uv run,
and Dockerfile uses uv for production installs.

## Why

uv provides significantly faster dependency resolution and installation,
deterministic lockfile-based builds, and a single pyproject.toml as the
source of truth for all dependencies. This aligns with the approach
already adopted by the contributors repo.

## Notes

- CI matrix expanded to Python 3.11-3.14
- New update-uv-lock.yml workflow handles Dependabot PR lockfile sync
- Docker image copies uv binary from ghcr.io/astral-sh/uv:0.10.9
- Added .codespellrc to ignore "astroid" (pylint dependency)
- Added .venv to .jscpd.json ignore list
- test_markdown_writer.py reformatted by black (no logic changes)

Signed-off-by: jmeridth <jmeridth@gmail.com>
@jmeridth jmeridth marked this pull request as draft March 9, 2026 00:35
@jmeridth
Copy link
Collaborator Author

jmeridth commented Mar 9, 2026

Converted to draft until we figure out permissions for update-uv-lock workflow so actions are triggered. Saw actions not trigger in this PR

@jmeridth
chore(deps): bump astral-sh/setup-uv from 5.4.1 to 7.3.1
43773c1 
## What

Updated the astral-sh/setup-uv GitHub Action from v5.4.1
(0c5e2b8115b80b4c7c5ddf6ffdd634974642d182) to v7.3.1
(5a095e7a2014a4212f075830d4f7277575a9d098) across all workflow files.

## Why

Aligns with the same dependency bump applied in the contributors repo
(PR #420) to keep all github-community-projects repos on a consistent
setup-uv version.

## Notes

- This is a major version bump (v5 → v7); review the setup-uv release notes for any breaking changes in action inputs or behavior
- The v7.3.1 release adds support for running in containers like debian:testing/unstable

Signed-off-by: jmeridth <jmeridth@gmail.com>
jmeridth added 2 commits March 10, 2026 00:41
@jmeridth
build: replace GITHUB_TOKEN with octo-sts token federation in update-…
30a5875 
…uv-lock workflow

## What

Use octo-sts OIDC-federated token instead of GITHUB_TOKEN in the
update-uv-lock workflow, with a corresponding trust policy.

## Why

Commits made with GITHUB_TOKEN do not trigger subsequent workflow runs,
so Dependabot PRs with uv.lock updates were not getting CI checks on the
lockfile commit.

## Notes

- Trust policy scoped to pull_request events with job_workflow_ref matching update-uv-lock.yml
- Requires octo-sts app installed on the org (already present)

Signed-off-by: jmeridth <jmeridth@gmail.com>
@jmeridth
fix: ospo-reusable-workflows path
5a7e140 
Signed-off-by: jmeridth <jmeridth@gmail.com>
@jmeridth jmeridth marked this pull request as ready for review March 10, 2026 05:55
@jmeridth
ci: trigger CI re-run
9b1dbe0 
Signed-off-by: jmeridth <jmeridth@gmail.com>
@jmeridth jmeridth merged commit 618c8c1 into main Mar 10, 2026
35 checks passed
@jmeridth jmeridth deleted the jm_move_to_uv branch March 10, 2026 06:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zkoppert zkoppert Awaiting requested review from zkoppert zkoppert is a code owner

Assignees

@jmeridth jmeridth

Labels

automation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jmeridth