build: pin uv version and add linter concurrency#446
Conversation
## What

Replace pip-based dependency management with uv across the entire project: pyproject.toml and uv.lock replace requirements.txt and requirements-test.txt, all CI workflows use astral-sh/setup-uv, Makefile commands prefixed with uv run, and Dockerfile uses uv for production installs.

## Why

uv provides significantly faster dependency resolution and installation, deterministic lockfile-based builds, and a single pyproject.toml as the source of truth for all dependencies. This aligns with the approach already adopted by the contributors and cleanowners repos.

## Notes

- CI matrix expanded to Python 3.11-3.14
- New update-uv-lock.yml workflow handles Dependabot PR lockfile sync
- Docker image copies uv binary from ghcr.io/astral-sh/uv:0.10.9
- Added .codespellrc to ignore "astroid" (pylint dependency)
- Added .venv to .jscpd.json ignore list

Signed-off-by: jmeridth <[email protected]>
## What

Updated the astral-sh/setup-uv GitHub Action from v5.4.1 (0c5e2b8115b80b4c7c5ddf6ffdd634974642d182) to v7.3.1 (5a095e7a2014a4212f075830d4f7277575a9d098) across all workflow files.

## Why

Aligns with the same dependency bump applied in the contributors repo (PR #420) to keep all github-community-projects repos on a consistent setup-uv version.

## Notes

- This is a major version bump (v5 → v7); review the setup-uv release notes for any breaking changes in action inputs or behavior
- The v7.3.1 release adds support for running in containers like debian:testing/unstable

Signed-off-by: jmeridth <[email protected]>
…uv-lock workflow

## What

Use octo-sts OIDC-federated token instead of GITHUB_TOKEN in the update-uv-lock workflow, with a corresponding trust policy.

## Why

Commits made with GITHUB_TOKEN do not trigger subsequent workflow runs, so Dependabot PRs with uv.lock updates were not getting CI checks on the lockfile commit.

## Notes

- Trust policy scoped to pull_request events with job_workflow_ref matching update-uv-lock.yml
- Requires octo-sts app installed on the org (already present)

Signed-off-by: jmeridth <[email protected]>
Signed-off-by: jmeridth <[email protected]>
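The commit above describes an octo-sts trust policy scoped to pull_request events and to the update-uv-lock workflow, but the policy file itself is not shown. The following is an added illustration of what such a policy looks like, written for this review and not copied from the repository's `.github/chainguard/update-uv-lock.sts.yaml`. The org/repo path `github-community-projects/stale-repos` is inferred from the PR text and is an assumption, as are the exact permission grants and the `refs/pull/[0-9]+/merge` ref pattern; confirm both against a decoded OIDC token from an actual run before relying on them.

```yaml
# Added example of an octo-sts trust policy (hypothetical file
# .github/chainguard/update-uv-lock.sts.yaml). Assumptions: org/repo name,
# permission set, and the pull_request ref format in job_workflow_ref.

# Only GitHub Actions OIDC tokens are accepted.
issuer: https://token.actions.githubusercontent.com

# The `sub` claim of a token minted during a pull_request event has the
# form repo:<owner>/<repo>:pull_request. Matching it exactly keeps tokens
# from push, schedule or workflow_dispatch runs from being exchanged.
subject: repo:github-community-projects/stale-repos:pull_request

# claim_pattern values are regular expressions matched against the token's
# claims. Pinning job_workflow_ref to the update-uv-lock workflow means a
# token from any other workflow in the same repo is rejected, even though
# it would carry the same `sub`.
claim_pattern:
  job_workflow_ref: github-community-projects/stale-repos/.github/workflows/update-uv-lock.yml@refs/pull/[0-9]+/merge

# Least privilege: the workflow only needs to push a lockfile commit back
# to the PR branch. Add pull_requests: write only if it also comments.
permissions:
  contents: write
```

The workflow consumes the policy by requesting `id-token: write` and calling `chainguard-dev/octo-sts-action` with `scope` set to the repository and `identity` set to `update-uv-lock` (the policy file's basename). Because the resulting token is an installation token of the octo-sts GitHub App rather than GITHUB_TOKEN, commits pushed with it do trigger downstream workflows, which is the behaviour the commit message is after.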
## What

Pin astral-sh/setup-uv to version 0.10.9 with caching enabled across all CI workflows, and add a concurrency group to the linter workflow to cancel in-progress runs on the same branch.

## Why

Pinning the uv version prevents unexpected breakage from new uv releases while enable-cache speeds up CI runs. The concurrency group avoids wasting CI minutes on outdated linter runs when new commits are pushed.

## Notes

- The version pin means dependabot won't auto-update uv — manual bumps will be needed when upgrading.
- Caching is now enabled on update-uv-lock.yml too; verify this doesn't interfere with lock file regeneration.

Signed-off-by: jmeridth <[email protected]>
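The PR text describes the three controls (pinned action commit, pinned uv release, per-branch concurrency) without showing a workflow. Below is an added example of a linter workflow that applies all three; it is written for this review and is not the repository's linter.yaml. The setup-uv commit SHA and the `0.10.9` / `v7.3.1` values come from the PR description; the workflow name, triggers, job layout, the `actions/checkout` reference and the `pylint` invocation are assumptions.

```yaml
# Added example: a linter workflow with a SHA-pinned setup-uv action,
# a pinned uv release, cached installs and a per-ref concurrency group.
# Assumed: workflow name, triggers, checkout reference, lint command.
name: Lint

on:
  pull_request:
  push:
    branches: [main]

# One group per workflow + ref. A new push to the same branch or PR
# cancels the run that is still in progress instead of queueing behind it.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Linting needs nothing beyond read access to the checkout.
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4 # assumption; pin to a commit SHA in practice

      # Pin the action to a full commit SHA (v7.3.1 per the PR) rather than a
      # mutable tag, and pin the uv binary itself, so neither a re-tagged
      # action nor a new uv release can change the build without a commit.
      - uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
        with:
          version: "0.10.9"
          enable-cache: true

      # --locked makes CI fail if uv.lock no longer matches pyproject.toml,
      # instead of silently re-resolving and installing something unreviewed.
      - run: uv sync --locked

      - run: uv run pylint .
```

Two points worth noting when adopting this. First, as the commit notes, Dependabot does not bump a `version:` input, so the uv pin has to be raised by hand; keeping the SHA comment (`# v7.3.1`) on the `uses:` line is what lets Dependabot keep the action SHA current. Second, the concurrency group is keyed on `github.ref`, so runs on different branches never cancel each other; only superseded runs of the same branch or PR are cancelled.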
Pull request overview
This PR updates the repo’s CI/build tooling to standardize on uv with a pinned uv version and caching, and adds workflow concurrency to reduce redundant linter runs.
Changes:

- Migrate dependency management from `requirements*.txt` to `pyproject.toml` + `uv.lock`, and update local dev commands to use `uv sync` / `uv run`.
- Pin `uv` to `0.10.9` with caching across CI workflows; add `concurrency` to the linter workflow to cancel in-progress runs.
- Update the Docker build to use `uv sync` and run the action via `uv`.
Reviewed changes
Copilot reviewed 15 out of 17 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| uv.lock | Adds a lockfile for reproducible uv installs. |
| requirements.txt | Removes pip-compiled requirements in favor of uv project deps. |
| requirements-test.txt | Removes test requirements in favor of uv dev dependency group. |
| pyproject.toml | Introduces PEP 621 project metadata + uv dependency groups. |
| README.md | Updates local usage/testing instructions to use uv. |
| Makefile | Runs lint/test tools via uv run instead of direct binaries. |
| Dockerfile | Switches container build/runtime to uv sync / uv run. |
| .github/workflows/update-uv-lock.yml | New workflow to auto-regenerate uv.lock for Dependabot PRs. |
| .github/workflows/python-package.yml | Installs uv, enables cache, syncs deps from lockfile, expands matrix to 3.14. |
| .github/workflows/linter.yaml | Adds concurrency + switches dependency install step to uv. |
| .github/workflows/copilot-setup-steps.yml | Uses uv to provision Python/deps for Copilot agent setup. |
| .github/workflows/release.yml | Updates reusable workflow repo references. |
| .github/workflows/pr-title.yml | Updates reusable workflow repo reference. |
| .github/workflows/auto-labeler.yml | Updates reusable workflow repo reference. |
| .github/linters/.jscpd.json | Ignores .venv to reduce false positives after uv adoption. |
| .github/linters/.codespellrc | Adds codespell config to ignore "astroid". |
| .github/chainguard/update-uv-lock.sts.yaml | Adds sts config for the Dependabot lockfile update workflow. |
| CMD python3 -c "import os,sys; sys.exit(0 if os.path.exists('/action/workspace/stale_repos.py') else 1)" | ||
|
|
||
| ENV PYTHONUNBUFFERED=1 | ||
| CMD ["/action/workspace/stale_repos.py"] |
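Review bot: with `ENTRYPOINT ["uv", "run"]` in front of `CMD ["/action/workspace/stale_repos.py"]`, `uv run` will try to sync the project environment against the lockfile on every container start unless told not to, so an image that already ran `uv sync` at build time should start the script with `uv run --no-sync` (or set `UV_NO_SYNC=1` next to `ENV PYTHONUNBUFFERED=1`) so that no dependency resolution, and no network access, happens at runtime. Separately, the removed `CMD python3 -c "import os,sys; sys.exit(0 if os.path.exists('/action/workspace/stale_repos.py') else 1)"` line had an explicit existence check that the new `CMD` drops; if that check was intentional, consider keeping an equivalent, for example as a `HEALTHCHECK`, rather than relying on a failed start to surface a missing script.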
ENTRYPOINT ["uv", "run"] with CMD ["/action/workspace/stale_repos.py"] relies on the script being executable (and on /usr/bin/env python resolving correctly). If stale_repos.py isn’t marked executable in the image, the container will fail to start. Consider invoking the interpreter explicitly (e.g., make the entrypoint run python3 via uv run, or make CMD include python3), instead of executing the .py file directly.
| CMD ["/action/workspace/stale_repos.py"] | |
| CMD ["python3", "/action/workspace/stale_repos.py"] |
| [project] | ||
| name = "stale-repos" | ||
| version = "1.0.0" | ||
| description = "GitHub Action that finds stale repositories in a GitHub organization." | ||
| requires-python = ">=3.11" | ||
| dependencies = [ | ||
| "github3-py==4.0.1", | ||
| "python-dateutil==2.9.0.post0", | ||
| "python-dotenv==1.2.1", | ||
| ] |
The PR description/title focus on pinning the uv version and adding linter concurrency, but this PR also introduces a full dependency-management migration (adds pyproject.toml/uv.lock, deletes requirements*.txt, updates the Docker build/entrypoint, expands the test matrix to 3.14, and updates reusable workflow references). Please update the PR description/title (or split into separate PRs) so reviewers and release notes reflect the full scope of changes.