build: migrate from pip to uv for dependency management#125
Pull request overview
Migrates the project’s Python dependency management and execution flows from pip/requirements*.txt to uv, aligning local development, CI, and container builds around pyproject.toml + uv.lock.
Changes:
- Introduces pyproject.toml and uv.lock, removing requirements.txt and requirements-test.txt.
- Updates Makefile targets and CI workflows to use uv (uv sync, uv run, astral-sh/setup-uv).
- Switches Docker build/install to uv sync and adjusts runtime invocation.
Reviewed changes
Copilot reviewed 9 out of 11 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| uv.lock | Adds locked, reproducible dependency graph for uv. |
| pyproject.toml | Defines project + dev dependency groups as the new source of truth. |
| requirements.txt | Removed in favor of pyproject.toml/uv.lock. |
| requirements-test.txt | Removed in favor of pyproject.toml dev dependency group. |
| README.md | Updates dev setup instructions to use uv sync. |
| Makefile | Prefixes lint/test commands with uv run. |
| Dockerfile | Uses uv for production dependency install and changes entrypoint/runtime execution. |
| .github/workflows/python-package.yml | Reworks CI job to use uv and expands Python version matrix. |
| .github/workflows/linter.yaml | Switches dependency installation from pip to uv. |
| .github/workflows/update-uv-lock.yml | Adds automation to refresh uv.lock on Dependabot pyproject.toml PRs. |
| .github/linters/.codespellrc | Adds codespell ignore list to avoid flagging astroid. |
Pull request overview
Copilot reviewed 10 out of 12 changed files in this pull request and generated 5 comments.
## What
Replace pip-based dependency management with uv across the entire project: pyproject.toml and uv.lock replace requirements.txt and requirements-test.txt, all CI workflows use astral-sh/setup-uv, Makefile commands prefixed with uv run, and Dockerfile uses uv for production installs.

## Why
uv provides significantly faster dependency resolution and installation, deterministic lockfile-based builds, and a single pyproject.toml as the source of truth for all dependencies. This aligns with the approach already adopted by the contributors and cleanowners repos.

## Notes
- CI matrix expanded to Python 3.11-3.14
- New update-uv-lock.yml workflow handles Dependabot PR lockfile sync
- Docker image copies uv binary from ghcr.io/astral-sh/uv:0.10.9
- Added .codespellrc to ignore "astroid" (pylint dependency)
- Added .venv to .jscpd.json ignore list

Signed-off-by: jmeridth <jmeridth@gmail.com>
Converted to draft until we figure out permissions for

## What
Updated the astral-sh/setup-uv GitHub Action from v5.4.1 (0c5e2b8115b80b4c7c5ddf6ffdd634974642d182) to v7.3.1 (5a095e7a2014a4212f075830d4f7277575a9d098) across all workflow files.

## Why
Aligns with the same dependency bump applied in the contributors repo (PR #420) to keep all github-community-projects repos on a consistent setup-uv version.

## Notes
- This is a major version bump (v5 → v7); review the setup-uv release notes for any breaking changes in action inputs or behavior
- The v7.3.1 release adds support for running in containers like debian:testing/unstable

Signed-off-by: jmeridth <jmeridth@gmail.com>
Pull request overview
Copilot reviewed 10 out of 12 changed files in this pull request and generated no new comments.
…uv-lock workflow

## What
Use octo-sts OIDC-federated token instead of GITHUB_TOKEN in the update-uv-lock workflow, with a corresponding trust policy.

## Why
Commits made with GITHUB_TOKEN do not trigger subsequent workflow runs, so Dependabot PRs with uv.lock updates were not getting CI checks on the lockfile commit.

## Notes
- Trust policy scoped to pull_request events with job_workflow_ref matching update-uv-lock.yml
- Requires octo-sts app installed on the org (already present)

Signed-off-by: jmeridth <jmeridth@gmail.com>
Signed-off-by: jmeridth <jmeridth@gmail.com>
Pull request overview
Copilot reviewed 14 out of 16 changed files in this pull request and generated 2 comments.
| with: | ||
| scope: github-community-projects/measure-innersource | ||
| identity: update-uv-lock |
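Review bot: the `scope` and `identity` values here must match the octo-sts trust policy exactly, and because this token is chosen precisely so that the pushed uv.lock commit does trigger workflows (the commit message's stated reason for dropping GITHUB_TOKEN), the update-uv-lock workflow will itself re-run on the `pull_request` synchronize event for its own commit. Make sure the job exits early when the lockfile is already current (for example by running `uv lock --check` before committing) so it cannot push in a loop, and keep the policy limited to `pull_request` with the `job_workflow_ref` condition described in the commit message so that no other workflow in the org can mint this identity.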
The octo-sts scope is hard-coded to a specific owner/repo, which makes the workflow brittle if the repo is renamed or if this workflow is reused in forks. Prefer using the runtime context (e.g., ${{ github.repository }}) so the scope stays correct automatically.
| RUN uv sync --frozen --no-dev --no-editable \ | ||
| && apt-get -y update \ | ||
| && apt-get -y install --no-install-recommends git=1:2.47.3-0+deb13u1 \ |
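Review bot: pinning `git=1:2.47.3-0+deb13u1` to an exact Debian package revision means this layer stops building as soon as a security rebuild (deb13u2 and later) replaces that revision in the archive, since superseded versions are dropped from the main mirrors; either plan to bump the pin through automation, as this PR already does for uv.lock, or note in the Dockerfile that it needs a manual update when it breaks. `--frozen` is the right choice on the `uv sync` line, as it refuses to silently re-resolve when uv.lock and pyproject.toml disagree, so the image only ever installs what the reviewed lockfile names.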
uv sync --no-editable will try to install the workspace/project in non-editable mode (wheel build). This repo doesn’t appear to be a buildable Python package (no package directory / build backend config), so the Docker build may fail here. If you only need dependencies, use a “don’t install project” option (e.g., --no-install-project) or remove --no-editable and rely on editable workspace behavior.
What
Replace pip-based dependency management with uv across the entire project:
pyproject.toml and uv.lock replace requirements.txt and requirements-test.txt,
all CI workflows use astral-sh/setup-uv, Makefile commands prefixed with uv run,
and Dockerfile uses uv for production installs.
Why
uv provides significantly faster dependency resolution and installation,
deterministic lockfile-based builds, and a single pyproject.toml as the
source of truth for all dependencies. This aligns with the approach
already adopted by the contributors and cleanowners repos.
Notes
Readiness Checklist
Author/Contributor
- `make lint` and fix any issues that you have introduced
- `make test` and ensure you have test coverage for the lines you are introducing