build: pin uv version and add linter concurrency#495
## What

Replace pip-based dependency management with uv across the entire project: pyproject.toml and uv.lock replace requirements.txt and requirements-test.txt, all CI workflows use astral-sh/setup-uv, Makefile commands are prefixed with uv run, and the Dockerfile uses uv for production installs.

## Why

uv provides significantly faster dependency resolution and installation, deterministic lockfile-based builds, and a single pyproject.toml as the source of truth for all dependencies. This aligns with the approach already adopted by the contributors and cleanowners repos.

## Notes

- CI matrix expanded to Python 3.11-3.14
- New update-uv-lock.yml workflow handles Dependabot PR lockfile sync
- Docker image copies uv binary from ghcr.io/astral-sh/uv:0.10.9
- Added .codespellrc to ignore "astroid" (pylint dependency)
- Added .venv to .jscpd.json ignore list

Signed-off-by: jmeridth <jmeridth@gmail.com>
## What

Updated the astral-sh/setup-uv GitHub Action from v5.4.1 (0c5e2b8115b80b4c7c5ddf6ffdd634974642d182) to v7.3.1 (5a095e7a2014a4212f075830d4f7277575a9d098) across all workflow files.

## Why

Aligns with the same dependency bump applied in the contributors repo (PR #420) to keep all github-community-projects repos on a consistent setup-uv version.

## Notes

- This is a major version bump (v5 → v7); review the setup-uv release notes for any breaking changes in action inputs or behavior
- The v7.3.1 release adds support for running in containers like debian:testing/unstable

Signed-off-by: jmeridth <jmeridth@gmail.com>
…uv-lock workflow

## What

Use an octo-sts OIDC-federated token instead of GITHUB_TOKEN in the update-uv-lock workflow, with a corresponding trust policy.

## Why

Commits made with GITHUB_TOKEN do not trigger subsequent workflow runs, so Dependabot PRs with uv.lock updates were not getting CI checks on the lockfile commit.

## Notes

- Trust policy scoped to pull_request events with job_workflow_ref matching update-uv-lock.yml
- Requires octo-sts app installed on the org (already present)

Signed-off-by: jmeridth <jmeridth@gmail.com>
Signed-off-by: jmeridth <jmeridth@gmail.com>
## What

Pin astral-sh/setup-uv to uv version 0.10.9 with caching enabled across all CI workflows, and add a concurrency group to the linter workflow to cancel in-progress runs on the same branch.

## Why

Pinning the uv version prevents unexpected breakage from new uv releases, while enable-cache speeds up CI runs. The concurrency group avoids wasting CI minutes on outdated linter runs when new commits are pushed.

## Notes

- The version pin means Dependabot won't auto-update uv; manual bumps will be needed when upgrading.
- Caching is now enabled on update-uv-lock.yml too; verify this doesn't interfere with lock file regeneration.

Signed-off-by: jmeridth <jmeridth@gmail.com>
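As an added illustration of what the pinning, caching and concurrency settings described in the commit message above look like when checked mechanically (this is example code written for this page, not code from the evergreen project or from the PR), the script below audits a workflow file for three hygiene points: every third-party `uses:` reference pinned to a full 40-hex commit SHA rather than a tag, `astral-sh/setup-uv` given an exact `version:` plus `enable-cache: true`, and a `cancel-in-progress` concurrency group. The two workflow snippets embedded in it are constructed for the example: the setup-uv SHA is the v7.3.1 one quoted elsewhere in this thread, while the actions/checkout SHA is a placeholder and not a real release commit. Parsing is deliberately line-oriented (no PyYAML), which is adequate for the flat step lists found in CI workflows.

```python
"""Audit a GitHub Actions workflow for the pinning and concurrency hygiene
discussed in this PR. Example code, not part of the evergreen project.
Line-oriented on purpose: no PyYAML dependency, and CI workflows are shallow
enough that indentation alone delimits a step."""
import re

USES_RE = re.compile(r"^(\s*(?:-\s+)?)uses:\s*(\S+)")
VERSION_RE = re.compile(r"^\s*version:\s*[\"']?([^\"'\s#]+)")
CACHE_RE = re.compile(r"^\s*enable-cache:\s*true\b")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
EXACT_RE = re.compile(r"^\d+\.\d+\.\d+$")


def _step_body(lines, start, col):
    """Yield the lines that belong to the step whose `uses:` key sits at column `col`.
    The step ends at the first non-blank line indented less than that column."""
    for line in lines[start + 1:]:
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent < col:
            return
        yield line


def audit_workflow(text: str) -> list[str]:
    """Return human-readable findings; an empty list means the workflow is clean."""
    findings = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(2)
        if spec.startswith(("./", "docker://")):
            continue  # local or image-based actions carry no git ref to pin
        action, _, ref = spec.partition("@")
        if not SHA_RE.match(ref):
            findings.append(f"line {i + 1}: {action} pinned to '{ref}', not a 40-hex commit SHA")
        if action != "astral-sh/setup-uv":
            continue
        body = list(_step_body(lines, i, len(m.group(1))))
        versions = []
        for body_line in body:
            vm = VERSION_RE.match(body_line)
            if vm:
                versions.append(vm.group(1))
        if not versions:
            findings.append(f"line {i + 1}: setup-uv has no explicit uv version; the latest release floats in")
        elif not EXACT_RE.match(versions[0]):
            findings.append(f"line {i + 1}: setup-uv version '{versions[0]}' is a range, not an exact pin")
        if not any(CACHE_RE.match(body_line) for body_line in body):
            findings.append(f"line {i + 1}: setup-uv has enable-cache unset; every run re-downloads the environment")
    # Whole-file check: a concurrency group only saves minutes if it cancels superseded runs.
    if not any(line.strip() == "cancel-in-progress: true" for line in lines):
        findings.append("no concurrency group with cancel-in-progress: superseded runs keep burning minutes")
    return findings


# Constructed sample: the "before" shape, tag-pinned actions, floating uv, no concurrency.
WEAK_WORKFLOW = """\
name: Linter
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install uv
        uses: astral-sh/setup-uv@v7
      - name: Install dependencies
        run: uv sync --frozen
"""

# Constructed sample: the hardened shape. The checkout SHA is a placeholder, not a real
# release commit; the setup-uv SHA is the v7.3.1 commit quoted in this PR thread.
HARDENED_WORKFLOW = """\
name: Linter
on: [pull_request]
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - name: Install uv
        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
        with:
          version: "0.10.9"
          enable-cache: true
      - name: Install dependencies
        run: uv sync --locked --python 3.12
"""

if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}: {audit_workflow(wf) or ['clean']}")
```

Run it as a pre-merge check over `.github/workflows/*.yml`; the weak sample yields five findings (two tag pins, missing uv version, missing cache, no cancellation) and the hardened one none. SHA pinning matters because a mutable tag such as `v7` can be moved to any commit by whoever controls the action repository, whereas the trailing `# v7.3.1` comment keeps the pin readable and lets Dependabot propose bumps.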
Pull request overview
This PR updates the project’s build/CI dependency management to use uv with a pinned uv version, adds workflow concurrency for the linter, and updates CI/Docker to install dependencies via uv sync using pyproject.toml + uv.lock.

Changes:

- Add `pyproject.toml` + `uv.lock` and remove `requirements*.txt`, switching local/CI installs to `uv sync` and executions to `uv run`.
- Pin `astral-sh/setup-uv` to uv `0.10.9` with caching enabled across workflows; add concurrency cancellation to the linter workflow.
- Update Docker image build to install deps via `uv sync` and run the action using `uv`.
Reviewed changes
Copilot reviewed 15 out of 18 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| uv.lock | Adds a uv lockfile for reproducible dependency installs. |
| pyproject.toml | Defines runtime + dev dependencies for uv-managed installs. |
| requirements.txt | Removed in favor of pyproject.toml + uv.lock. |
| requirements-test.txt | Removed in favor of pyproject.toml dependency group(s). |
| Makefile | Runs lint/test tooling via uv run. |
| README.md | Updates local usage instructions to use uv. |
| Dockerfile | Switches container build/runtime to uv-based dependency install and execution. |
| .github/workflows/python-ci.yml | Uses setup-uv + uv python install + uv sync across a broader Python matrix. |
| .github/workflows/super-linter.yaml | Adds concurrency and switches install step to uv sync. |
| .github/workflows/update-uv-lock.yml | Adds a Dependabot-only workflow to regenerate/push uv.lock using pinned uv + caching. |
| .github/chainguard/update-uv-lock.sts.yaml | Adds STS policy for the lockfile update workflow. |
| .github/workflows/release.yml | Updates reusable workflow references to a different org namespace. |
| .github/workflows/pr-title.yml | Updates reusable workflow reference org namespace. |
| .github/workflows/auto-labeler.yml | Updates reusable workflow reference org namespace. |
| .github/workflows/copilot-setup-steps.yml | Uses uv for setup and installs dependencies via uv sync. |
| .github/linters/.jscpd.json | Updates ignore patterns (including .venv). |
| .github/linters/.codespellrc | Adds codespell configuration (ignore word list). |
| .gitignore | Ignores local Claude config artifacts. |
| CMD python3 -c "import os,sys; sys.exit(0 if os.path.exists('/action/workspace/evergreen.py') else 1)" | ||
|
|
||
| ENV PYTHONUNBUFFERED=1 | ||
| CMD ["/action/workspace/evergreen.py"] |
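Review bot: the probe on the first CMD line, `python3 -c "import os,sys; sys.exit(0 if os.path.exists('/action/workspace/evergreen.py') else 1)"`, only proves the file was copied into the image; it says nothing about whether the interpreter or the locked dependencies load, so a broken `uv sync` layer still passes it. A probe that imports the script (for example `python3 -c "import evergreen"` run from /action/workspace, assuming the module has no side effects at import) would catch that. Separately, if the entrypoint runs the script through `uv run` as the review comment below describes, add `--no-sync` (or set `UV_NO_SYNC=1`) so the container never tries to re-resolve or fetch packages at runtime; by default `uv run` syncs the environment before executing.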
Docker entrypoint/cmd will try to execute /action/workspace/evergreen.py as a binary (uv run /action/workspace/evergreen.py), but evergreen.py has no shebang and isn’t executable, so the action container is likely to fail at runtime. Update the Dockerfile so the entrypoint runs Python explicitly (e.g., have the entrypoint include python and keep the script path in CMD), or make the script executable with a shebang if you intend to execute it directly.
| CMD ["/action/workspace/evergreen.py"] | |
| CMD ["python3", "/action/workspace/evergreen.py"] |
| [project] | ||
| name = "evergreen" | ||
| version = "1.0.0" | ||
| description = "GitHub Action that enables Dependabot for all repositories in a GitHub organization." | ||
| requires-python = ">=3.11" | ||
| dependencies = [ | ||
| "github3-py==4.0.1", | ||
| "python-dotenv==1.2.1", | ||
| "requests==2.32.5", | ||
| "ruamel-yaml==0.19.1", | ||
| ] |
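Review bot: the `==` pins in `[project.dependencies]` (github3-py==4.0.1, python-dotenv==1.2.1, requests==2.32.5, ruamel-yaml==0.19.1) make pyproject.toml and uv.lock say the same thing for the four direct dependencies, so every upgrade now requires editing pyproject.toml and regenerating the lock rather than a lock-only bump. With a lockfile in place the conventional split is lower bounds (`>=`) in pyproject.toml and exact versions in uv.lock; the lockfile still pins transitive dependencies either way. Whichever you keep, document which file Dependabot is expected to edit so the update-uv-lock workflow and the pins do not fight each other. Also, `requires-python = ">=3.11"` matches the 3.11-3.14 matrix in the PR notes; keep the two in step when the matrix moves.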
The PR description/title focuses on pinning the setup-uv version and adding linter concurrency, but this change set also introduces a full migration to pyproject.toml/uv.lock and removes requirements*.txt. Either update the PR description to match the broader scope or split the dependency-management migration into a separate PR to keep review/rollback risk smaller.
| - name: Install dependencies | ||
| run: | | ||
| pip install -r requirements.txt -r requirements-test.txt | ||
| uv sync --frozen |
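Review bot: `uv sync --frozen` on the last line installs exactly what uv.lock records without checking that the lock still matches pyproject.toml, so a PR that edits a dependency in pyproject.toml but forgets to regenerate the lock passes CI on stale versions. `uv sync --locked` fails in that case and is the usual choice for CI; `--frozen` is the right flag where the lock is trusted as-is, such as the Docker build.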
This workflow previously pinned a specific Python version via actions/setup-python, but now uv sync --frozen will use whatever Python happens to be on ubuntu-latest at the time the job runs. That can introduce nondeterministic CI failures as ubuntu-latest changes. Consider explicitly installing/pinning Python (e.g., via uv python install <version>) and passing --python <version> to uv sync here as well.
| uv sync --frozen | |
| uv python install 3.12 | |
| uv sync --frozen --python 3.12 |