build: migrate from pip to uv for dependency management (#445)

jmeridth · web-flow · commit 0708c6e1e423 · 2026-03-10T01:36:05.000-05:00
* build: migrate from pip to uv for dependency management ## What Replace pip-based dependency management with uv across the entire project: pyproject.toml and uv.lock replace requirements.txt and requirements-test.txt, all CI workflows use astral-sh/setup-uv, Makefile commands prefixed with uv run, and Dockerfile uses uv for production installs. ## Why uv provides significantly faster dependency resolution and installation, deterministic lockfile-based builds, and a single pyproject.toml as the source of truth for all dependencies. This aligns with the approach already adopted by the contributors and cleanowners repos. ## Notes - CI matrix expanded to Python 3.11-3.14 - New update-uv-lock.yml workflow handles Dependabot PR lockfile sync - Docker image copies uv binary from ghcr.io/astral-sh/uv:0.10.9 - Added .codespellrc to ignore "astroid" (pylint dependency) - Added .venv to .jscpd.json ignore list Signed-off-by: jmeridth <jmeridth@gmail.com> * chore(deps): bump astral-sh/setup-uv from 5.4.1 to 7.3.1 ## What Updated the astral-sh/setup-uv GitHub Action from v5.4.1 (0c5e2b8115b80b4c7c5ddf6ffdd634974642d182) to v7.3.1 (5a095e7a2014a4212f075830d4f7277575a9d098) across all workflow files. ## Why Aligns with the same dependency bump applied in the contributors repo (PR #420) to keep all github-community-projects repos on a consistent setup-uv version. ## Notes - This is a major version bump (v5 → v7); review the setup-uv release notes for any breaking changes in action inputs or behavior - The v7.3.1 release adds support for running in containers like debian:testing/unstable Signed-off-by: jmeridth <jmeridth@gmail.com> * build: replace GITHUB_TOKEN with octo-sts token federation in update-uv-lock workflow ## What Use octo-sts OIDC-federated token instead of GITHUB_TOKEN in the update-uv-lock workflow, with a corresponding trust policy. ## Why Commits made with GITHUB_TOKEN do not trigger subsequent workflow runs, so Dependabot PRs with uv.lock updates were not getting CI checks on the lockfile commit. ## Notes - Trust policy scoped to pull_request events with job_workflow_ref matching update-uv-lock.yml - Requires octo-sts app installed on the org (already present) Signed-off-by: jmeridth <jmeridth@gmail.com> * fix: ospo-reusable-workflows path Signed-off-by: jmeridth <jmeridth@gmail.com> --------- Signed-off-by: jmeridth <jmeridth@gmail.com>
diff --git a/.github/chainguard/update-uv-lock.sts.yaml b/.github/chainguard/update-uv-lock.sts.yaml
@@ -0,0 +1,7 @@
+issuer: https://token.actions.githubusercontent.com
+subject_pattern: "repo:github-community-projects/stale-repos:pull_request"
+claim_pattern:
+  job_workflow_ref: "github-community-projects/stale-repos/.github/workflows/update-uv-lock.yml@.*"
+
+permissions:
+  contents: write
diff --git a/.github/linters/.codespellrc b/.github/linters/.codespellrc
@@ -0,0 +1,2 @@
+[codespell]
+ignore-words-list = astroid
diff --git a/.github/linters/.jscpd.json b/.github/linters/.jscpd.json
@@ -1,5 +1,5 @@
 {
   "threshold": 25,
-  "ignore": ["test*"],
+  "ignore": ["test*", "**/.venv/**"],
   "absolute": true
 }
diff --git a/.github/workflows/auto-labeler.yml b/.github/workflows/auto-labeler.yml
@@ -11,7 +11,7 @@ jobs:
     permissions:
       contents: read
       pull-requests: write
-    uses: github/ospo-reusable-workflows/.github/workflows/auto-labeler.yaml@3b691dff6b68489c8548e1295d125c93c9c29a4e
+    uses: github-community-projects/ospo-reusable-workflows/.github/workflows/auto-labeler.yaml@3b691dff6b68489c8548e1295d125c93c9c29a4e
     with:
       config-name: release-drafter.yml
     secrets:
diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
@@ -30,11 +30,11 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: Set up Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: 3.12
+      - name: Install uv
+        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
+
+      - name: Install Python
+        run: uv python install 3.14
 
       - name: Install dependencies
-        run: |
-          pip install -r requirements.txt -r requirements-test.txt
+        run: uv sync --frozen --python 3.14
diff --git a/.github/workflows/linter.yaml b/.github/workflows/linter.yaml
@@ -24,14 +24,10 @@ jobs:
           # list of changed files within `super-linter`
           fetch-depth: 0
           persist-credentials: false
-      - name: Setup Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: "3.12"
+      - name: Install uv
+        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
       - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install -r requirements.txt -r requirements-test.txt
+        run: uv sync --frozen
       - name: Lint Code Base
         uses: super-linter/super-linter@61abc07d755095a68f4987d1c2c3d1d64408f1f9 # v8.5.0
         env:
diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
@@ -12,6 +12,6 @@ jobs:
       contents: read
       pull-requests: read
       statuses: write
-    uses: github/ospo-reusable-workflows/.github/workflows/pr-title.yaml@3b691dff6b68489c8548e1295d125c93c9c29a4e
+    uses: github-community-projects/ospo-reusable-workflows/.github/workflows/pr-title.yaml@3b691dff6b68489c8548e1295d125c93c9c29a4e
     secrets:
       github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
@@ -17,19 +17,17 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: [3.11, 3.12, 3.13]
+        python-version: [3.11, 3.12, 3.13, 3.14]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: ${{ matrix.python-version }}
+      - name: Install uv
+        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
+      - name: Install Python ${{ matrix.python-version }}
+        run: uv python install ${{ matrix.python-version }}
       - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install -r requirements.txt -r requirements-test.txt
+        run: uv sync --frozen --python ${{ matrix.python-version }}
       - name: Lint with flake8 and pylint
         run: |
           make lint
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -12,7 +12,7 @@ jobs:
     permissions:
       contents: write
       pull-requests: read
-    uses: github/ospo-reusable-workflows/.github/workflows/release.yaml@3b691dff6b68489c8548e1295d125c93c9c29a4e
+    uses: github-community-projects/ospo-reusable-workflows/.github/workflows/release.yaml@3b691dff6b68489c8548e1295d125c93c9c29a4e
     with:
       publish: true
       release-config-name: release-drafter.yml
@@ -25,7 +25,7 @@ jobs:
       packages: write
       id-token: write
       attestations: write
-    uses: github/ospo-reusable-workflows/.github/workflows/release-image.yaml@3b691dff6b68489c8548e1295d125c93c9c29a4e
+    uses: github-community-projects/ospo-reusable-workflows/.github/workflows/release-image.yaml@3b691dff6b68489c8548e1295d125c93c9c29a4e
     with:
       image-name: ${{ github.repository_owner }}/stale_repos
       full-tag: ${{ needs.release.outputs.full-tag }}
@@ -40,7 +40,7 @@ jobs:
     permissions:
       contents: read
       discussions: write
-    uses: github/ospo-reusable-workflows/.github/workflows/release-discussion.yaml@3b691dff6b68489c8548e1295d125c93c9c29a4e
+    uses: github-community-projects/ospo-reusable-workflows/.github/workflows/release-discussion.yaml@3b691dff6b68489c8548e1295d125c93c9c29a4e
     with:
       full-tag: ${{ needs.release.outputs.full-tag }}
       body: ${{ needs.release.outputs.body }}
diff --git a/.github/workflows/update-uv-lock.yml b/.github/workflows/update-uv-lock.yml
@@ -0,0 +1,42 @@
+---
+name: Update uv.lock
+
+on:
+  pull_request:
+    paths:
+      - pyproject.toml
+
+permissions:
+  id-token: write
+
+jobs:
+  update-lock:
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get GitHub App token via octo-sts
+        uses: octo-sts/action@f603d3be9d8dd9871a265776e625a27b00effe05 # v1.1.1
+        id: octo-sts
+        with:
+          scope: github-community-projects/stale-repos
+          identity: update-uv-lock
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ github.head_ref }}
+          persist-credentials: true # Use the workflow temporary token from octo-sts to allow pushing changes back to the dependabot branch
+          token: ${{ steps.octo-sts.outputs.token }}
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
+
+      - name: Update uv.lock
+        run: uv lock
+
+      - name: Commit and push updated lockfile
+        run: |
+          git config user.name "octo-sts[bot]"
+          git config user.email "801323+octo-sts[bot]@users.noreply.github.com"
+          git add uv.lock
+          git diff --cached --quiet || git commit -s -m "chore(deps): update uv.lock"
+          git push
diff --git a/Dockerfile b/Dockerfile
@@ -14,9 +14,11 @@ LABEL com.github.actions.name="stale-repos" \
     org.opencontainers.image.description="Find stale repositories in a GitHub organization."
 
 WORKDIR /action/workspace
-COPY requirements.txt *.py /action/workspace/
+COPY pyproject.toml uv.lock *.py /action/workspace/
 
-RUN python3 -m pip install --no-cache-dir --no-deps -r requirements.txt \
+COPY --from=ghcr.io/astral-sh/uv:0.10.9@sha256:10902f58a1606787602f303954cea099626a4adb02acbac4c69920fe9d278f82 /uv /uvx /bin/
+
+RUN uv sync --frozen --no-dev --no-editable \
     && apt-get -y update \
     && apt-get -y install --no-install-recommends git=1:2.47.3-0+deb13u1 \
     && rm -rf /var/lib/apt/lists/*
@@ -25,5 +27,6 @@ RUN python3 -m pip install --no-cache-dir --no-deps -r requirements.txt \
 HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
   CMD python3 -c "import os,sys; sys.exit(0 if os.path.exists('/action/workspace/stale_repos.py') else 1)"
 
+ENV PYTHONUNBUFFERED=1
 CMD ["/action/workspace/stale_repos.py"]
-ENTRYPOINT ["python3", "-u"]
+ENTRYPOINT ["uv", "run"]
diff --git a/Makefile b/Makefile
@@ -1,6 +1,6 @@
 .PHONY: test
 test:
-	pytest -v --cov=. --cov-config=.coveragerc --cov-fail-under=80 --cov-report term-missing
+	uv run pytest -v --cov=. --cov-config=.coveragerc --cov-fail-under=80 --cov-report term-missing
 
 .PHONY: clean
 clean:
@@ -9,10 +9,10 @@ clean:
 .PHONY: lint
 lint:
 	# stop the build if there are Python syntax errors or undefined names
-	flake8 . --config=.github/linters/.flake8 --count --select=E9,F63,F7,F82 --show-source
+	uv run flake8 . --config=.github/linters/.flake8 --count --select=E9,F63,F7,F82 --show-source
 	# exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
-	flake8 . --config=.github/linters/.flake8 --count --exit-zero --max-complexity=15 --max-line-length=150
-	isort --settings-file=.github/linters/.isort.cfg .
-	pylint --rcfile=.github/linters/.python-lint --fail-under=9.0 *.py
-	mypy --config-file=.github/linters/.mypy.ini *.py
-	black .
+	uv run flake8 . --config=.github/linters/.flake8 --count --exit-zero --max-complexity=15 --max-line-length=150
+	uv run isort --settings-file=.github/linters/.isort.cfg .
+	uv run pylint --rcfile=.github/linters/.python-lint --fail-under=9.0 *.py
+	uv run mypy --config-file=.github/linters/.mypy.ini *.py
+	uv run black .
diff --git a/README.md b/README.md
@@ -305,19 +305,21 @@ jobs:
 ## Local usage without Docker
 
 1. Have Python v3.11 or greater installed
+1. [Install uv](https://docs.astral.sh/uv/getting-started/installation/)
 1. Copy `.env-example` to `.env`
 1. Fill out the `.env` file with a _token_ from a user that has access to the organization to scan (listed below). Tokens should have admin:org or read:org access.
 1. Fill out the `.env` file with the desired _inactive_days_ value. This should be a whole positive number representing the amount of inactivity that you want for flagging stale repos.
 1. (Optional) Fill out the `.env` file with the [repository topics](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics) _exempt_topics_ that you want to filter out from the stale repos report. This should be a comma separated list of topics.
 1. (Optional) Fill out the `.env` file with the exact _organization_ that you want to search in
 1. (Optional) Fill out the `.env` file with the exact _URL_ of the GitHub Enterprise that you want to search in. Keep empty if you want to search in the public `github.com`.
-1. `pip install -r requirements.txt`
-1. Run `python3 ./stale_repos.py`, which will output a list of repositories and the length of their inactivity
+1. `uv sync`
+1. Run `uv run python3 ./stale_repos.py`, which will output a list of repositories and the length of their inactivity
 
 ## Local testing without Docker
 
 1. Have Python v3.11 or greater installed
-1. `pip install -r requirements.txt -r requirements-test.txt`
+1. [Install uv](https://docs.astral.sh/uv/getting-started/installation/)
+1. `uv sync`
 1. `make lint`
 1. `make test`
 
diff --git a/pyproject.toml b/pyproject.toml
@@ -0,0 +1,24 @@
+[project]
+name = "stale-repos"
+version = "1.0.0"
+description = "GitHub Action that finds stale repositories in a GitHub organization."
+requires-python = ">=3.11"
+dependencies = [
+    "github3-py==4.0.1",
+    "python-dateutil==2.9.0.post0",
+    "python-dotenv==1.2.1",
+]
+
+[dependency-groups]
+dev = [
+    "black==26.1.0",
+    "flake8==7.3.0",
+    "isort==7.0.0",
+    "mypy==1.19.1",
+    "mypy-extensions==1.1.0",
+    "pylint==4.0.4",
+    "pytest==9.0.2",
+    "pytest-cov==7.0.0",
+    "types-python-dateutil==2.9.0.20260124",
+    "types-requests==2.32.4.20260107",
+]
diff --git a/requirements-test.txt b/requirements-test.txt
diff --git a/requirements.txt b/requirements.txt
diff --git a/uv.lock b/uv.lock

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+[codespell]`
	`2`	`+ignore-words-list = astroid`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`{`
`2`	`2`	`"threshold": 25,`
`3`		`- "ignore": ["test*"],`
	`3`	`+ "ignore": ["test", "/.venv/*"],`
`4`	`4`	`"absolute": true`
`5`	`5`	`}`