github-community-projects · jmeridth · Mar 8, 2026 · Mar 9, 2026 · Mar 10, 2026 · Mar 10, 2026
@@ -0,0 +1,7 @@
+issuer: https://token.actions.githubusercontent.com
+subject_pattern: "repo:github-community-projects/evergreen:pull_request"
+claim_pattern:
+  job_workflow_ref: "github-community-projects/evergreen/.github/workflows/update-uv-lock.yml@.*"
+
+permissions:
+  contents: write
@@ -0,0 +1,2 @@
+[codespell]
+ignore-words-list = astroid
@@ -1,5 +1,5 @@
 {
   "threshold": 25,
-  "ignore": ["/github/workspace/test*"],
+  "ignore": ["test*", "**/.venv/**"],
   "absolute": true
 }
@@ -11,7 +11,7 @@ jobs:
     permissions:
       contents: read
       pull-requests: write
-    uses: github/ospo-reusable-workflows/.github/workflows/auto-labeler.yaml@3b691dff6b68489c8548e1295d125c93c9c29a4e
+    uses: github-community-projects/ospo-reusable-workflows/.github/workflows/auto-labeler.yaml@3b691dff6b68489c8548e1295d125c93c9c29a4e
     with:
       config-name: release-drafter.yml
     secrets:

@@ -30,11 +30,15 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: Set up Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - name: Install uv
+        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
         with:
-          python-version: 3.12
+          version: "0.10.9"
+          enable-cache: true
+
+      - name: Set up Python
+        run: uv python install 3.14
 
       - name: Install dependencies
         run: |
-          pip install -r requirements.txt -r requirements-test.txt
+          uv sync --frozen --python 3.14
@@ -12,6 +12,6 @@ jobs:
       contents: read
       pull-requests: read
       statuses: write
-    uses: github/ospo-reusable-workflows/.github/workflows/pr-title.yaml@3b691dff6b68489c8548e1295d125c93c9c29a4e
+    uses: github-community-projects/ospo-reusable-workflows/.github/workflows/pr-title.yaml@3b691dff6b68489c8548e1295d125c93c9c29a4e
     secrets:
       github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -18,18 +18,21 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: [3.11, 3.12]
+        python-version: [3.11, 3.12, 3.13, 3.14]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - name: Install uv
+        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
         with:
-          python-version: ${{ matrix.python-version }}
+          version: "0.10.9"
+          enable-cache: true
+      - name: Set up Python ${{ matrix.python-version }}
+        run: uv python install ${{ matrix.python-version }}
       - name: Install dependencies
         run: |
-          pip install -r requirements.txt -r requirements-test.txt
+          uv sync --frozen --python ${{ matrix.python-version }}
       - name: Lint with flake8 and pylint
         run: |
           make lint

@@ -12,7 +12,7 @@ jobs:
     permissions:
       contents: write
       pull-requests: read
-    uses: github/ospo-reusable-workflows/.github/workflows/release.yaml@3b691dff6b68489c8548e1295d125c93c9c29a4e
+    uses: github-community-projects/ospo-reusable-workflows/.github/workflows/release.yaml@3b691dff6b68489c8548e1295d125c93c9c29a4e
     with:
       publish: true
       release-config-name: release-drafter.yml
@@ -25,7 +25,7 @@ jobs:
       packages: write
       id-token: write
       attestations: write
-    uses: github/ospo-reusable-workflows/.github/workflows/release-image.yaml@3b691dff6b68489c8548e1295d125c93c9c29a4e
+    uses: github-community-projects/ospo-reusable-workflows/.github/workflows/release-image.yaml@3b691dff6b68489c8548e1295d125c93c9c29a4e
     with:
       image-name: ${{ github.repository }}
       full-tag: ${{ needs.release.outputs.full-tag }}
@@ -40,7 +40,7 @@ jobs:
     permissions:
       contents: read
       discussions: write
-    uses: github/ospo-reusable-workflows/.github/workflows/release-discussion.yaml@3b691dff6b68489c8548e1295d125c93c9c29a4e
+    uses: github-community-projects/ospo-reusable-workflows/.github/workflows/release-discussion.yaml@3b691dff6b68489c8548e1295d125c93c9c29a4e
     with:
       full-tag: ${{ needs.release.outputs.full-tag }}
       body: ${{ needs.release.outputs.body }}

@@ -5,6 +5,10 @@ on:
   pull_request:
     branches: [main]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
@@ -23,13 +27,14 @@ jobs:
         with:
           fetch-depth: 0
           persist-credentials: false
-      - name: Setup Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - name: Install uv
+        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
         with:
-          python-version: "3.12"
+          version: "0.10.9"
+          enable-cache: true
       - name: Install dependencies
         run: |
-          pip install -r requirements.txt -r requirements-test.txt
+          uv sync --frozen
-          uv sync --frozen
+          uv python install 3.12
+          uv sync --frozen --python 3.12
-          uv sync --frozen
+          uv python install 3.12
+          uv sync --frozen --python 3.12
       - name: Lint Code Base
         uses: super-linter/super-linter@61abc07d755095a68f4987d1c2c3d1d64408f1f9 # v8.5.0
         env:

@@ -0,0 +1,45 @@
+---
+name: Update uv.lock
+
+on:
+  pull_request:
+    paths:
+      - pyproject.toml
+
+permissions:
+  id-token: write
+
+jobs:
+  update-lock:
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get GitHub App token via octo-sts
+        uses: octo-sts/action@f603d3be9d8dd9871a265776e625a27b00effe05 # v1.1.1
+        id: octo-sts
+        with:
+          scope: github-community-projects/evergreen
+          identity: update-uv-lock
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ github.head_ref }}
+          persist-credentials: true # Use the workflow temporary token from octo-sts to allow pushing changes back to the dependabot branch
+          token: ${{ steps.octo-sts.outputs.token }}
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
+        with:
+          version: "0.10.9"
+          enable-cache: true
+
+      - name: Update uv.lock
+        run: uv lock
+
+      - name: Commit and push updated lockfile
+        run: |
+          git config user.name "octo-sts[bot]"
+          git config user.email "801323+octo-sts[bot]@users.noreply.github.com"
+          git add uv.lock
+          git diff --cached --quiet || git commit -s -m "chore(deps): update uv.lock"
+          git push
@@ -158,5 +158,8 @@ devenv.local.nix
 devenv.*
 .devenv*
 
+# Claude
+**/.claude/*.local.*
+
 # Local testing files
 dependabot-output.yaml
@@ -5,9 +5,11 @@ FROM python:3.14.0-slim@sha256:0aecac02dc3d4c5dbb024b753af084cafe41f5416e02193f1
 LABEL org.opencontainers.image.source https://github.com/github-community-projects/evergreen
 
 WORKDIR /action/workspace
-COPY requirements.txt *.py /action/workspace/
+COPY pyproject.toml uv.lock *.py /action/workspace/
 
-RUN python3 -m pip install --no-cache-dir --no-deps -r requirements.txt \
+COPY --from=ghcr.io/astral-sh/uv:0.10.9@sha256:10902f58a1606787602f303954cea099626a4adb02acbac4c69920fe9d278f82 /uv /uvx /bin/
+
+RUN uv sync --frozen --no-dev --no-editable \
     && apt-get -y update \
     && apt-get -y install --no-install-recommends git=1:2.47.3-0+deb13u1 \
     && rm -rf /var/lib/apt/lists/*
@@ -16,5 +18,6 @@ RUN python3 -m pip install --no-cache-dir --no-deps -r requirements.txt \
 HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
   CMD python3 -c "import os,sys; sys.exit(0 if os.path.exists('/action/workspace/evergreen.py') else 1)"
 
+ENV PYTHONUNBUFFERED=1
 CMD ["/action/workspace/evergreen.py"]
-CMD ["/action/workspace/evergreen.py"]
+CMD ["python3", "/action/workspace/evergreen.py"]
-CMD ["/action/workspace/evergreen.py"]
+CMD ["python3", "/action/workspace/evergreen.py"]
-ENTRYPOINT ["python3", "-u"]
+ENTRYPOINT ["uv", "run"]
@@ -1,6 +1,6 @@
 .PHONY: test
 test:
-	pytest -v --cov=. --cov-config=.coveragerc --cov-fail-under=80 --cov-report term-missing
+	uv run pytest -v --cov=. --cov-config=.coveragerc --cov-fail-under=80 --cov-report term-missing
 
 .PHONY: clean
 clean:
@@ -9,10 +9,10 @@ clean:
 .PHONY: lint
 lint:
 	# stop the build if there are Python syntax errors or undefined names
-	flake8 . --config=.github/linters/.flake8 --count --select=E9,F63,F7,F82 --show-source
+	uv run flake8 . --config=.github/linters/.flake8 --count --select=E9,F63,F7,F82 --show-source
 	# exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
-	flake8 . --config=.github/linters/.flake8 --count --exit-zero --max-complexity=15 --max-line-length=150
-	isort --settings-file=.github/linters/.isort.cfg .
-	pylint --rcfile=.github/linters/.python-lint --fail-under=9.0 *.py
-	mypy --config-file=.github/linters/.mypy.ini *.py
-	black .
+	uv run flake8 . --config=.github/linters/.flake8 --count --exit-zero --max-complexity=15 --max-line-length=150
+	uv run isort --settings-file=.github/linters/.isort.cfg .
+	uv run pylint --rcfile=.github/linters/.python-lint --fail-under=9.0 *.py
+	uv run mypy --config-file=.github/linters/.mypy.ini *.py
+	uv run black .
@@ -348,11 +348,12 @@ jobs:
 ## Local usage without Docker
 
 1. Make sure you have at least Python3.11 installed
+1. Install [uv](https://docs.astral.sh/uv/getting-started/installation/)
 1. Copy `.env-example` to `.env`
 1. Fill out the `.env` file with a _token_ from a user that has access to the organization to scan (listed below). Tokens should have at least write:org access for organization scanning and write:repository for repository scanning.
 1. Fill out the `.env` file with the configuration parameters you want to use
-1. `pip3 install -r requirements.txt`
-1. Run `python3 ./evergreen.py`, which will output everything in the terminal
+1. `uv sync`
+1. Run `uv run python3 ./evergreen.py`, which will output everything in the terminal
 
 ## License
 

@@ -0,0 +1,25 @@
+[project]
+name = "evergreen"
+version = "1.0.0"
+description = "GitHub Action that enables Dependabot for all repositories in a GitHub organization."
+requires-python = ">=3.11"
+dependencies = [
+    "github3-py==4.0.1",
+    "python-dotenv==1.2.1",
+    "requests==2.32.5",
+    "ruamel-yaml==0.19.1",
+]
+
+[dependency-groups]
+dev = [
+    "black==26.1.0",
+    "flake8==7.3.0",
+    "isort==7.0.0",
+    "mypy==1.19.1",
+    "mypy-extensions==1.1.0",
+    "pylint==4.0.5",
+    "pytest==9.0.2",
+    "pytest-cov==7.0.0",
+    "types-PyYAML==6.0.12.20250915",
+    "types-requests==2.32.4.20260107",
+]