
build: migrate from pip to uv for dependency management#13

Merged
jmeridth merged 2 commits into main from jm_move_to_uv
Mar 11, 2026

Conversation

@jmeridth (Collaborator)

Pull Request

Proposed Changes

What

Replace pip-based dependency management with uv across the entire project. pyproject.toml and uv.lock replace requirements.txt and requirements-test.txt, all CI workflows use astral-sh/setup-uv, Makefile commands prefixed with uv run, and Dockerfile uses uv for production installs.

Why

uv provides significantly faster dependency resolution and installation, deterministic lockfile-based builds, and a single pyproject.toml as the source of truth for all dependencies. This aligns with the approach already adopted by the issue-metrics and other repos in the org.

Notes

  • Docker image copies uv binary from ghcr.io/astral-sh/uv:0.10.9 via multi-stage COPY
  • Dockerfile ENTRYPOINT changed from python3 -u to uv run — verify this works correctly in the GitHub Action runtime
  • New update-uv-lock.yml workflow uses octo-sts for Dependabot PR lockfile sync — requires the chainguard STS policy to be registered in the org
  • PYTHONUNBUFFERED=1 env var replaces the -u flag previously passed to python3
  • Only direct dependencies listed in pyproject.toml; transitive deps handled by uv.lock

Readiness Checklist

Author/Contributor

  • If documentation is needed for this change, has that been included in this pull request?
  • Run make lint and fix any issues that you have introduced
  • Run make test and ensure you have test coverage for the lines you are introducing

## What

Replace pip-based dependency management with uv across the entire project.
pyproject.toml and uv.lock replace requirements.txt and requirements-test.txt,
all CI workflows use astral-sh/setup-uv, Makefile commands prefixed with uv run,
and Dockerfile uses uv for production installs.

## Why

uv provides significantly faster dependency resolution and installation,
deterministic lockfile-based builds, and a single pyproject.toml as the
source of truth for all dependencies. This aligns with the approach
already adopted by the issue-metrics and other repos in the org.

## Notes

- Docker image copies uv binary from ghcr.io/astral-sh/uv:0.10.9 via multi-stage COPY
- Dockerfile ENTRYPOINT changed from `python3 -u` to `uv run` — verify this works correctly in the GitHub Action runtime
- New update-uv-lock.yml workflow uses octo-sts for Dependabot PR lockfile sync — requires the chainguard STS policy to be registered in the org
- PYTHONUNBUFFERED=1 env var replaces the `-u` flag previously passed to python3
- Only direct dependencies listed in pyproject.toml; transitive deps handled by uv.lock

Signed-off-by: jmeridth <jmeridth@gmail.com>
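As an added illustration (not the project's Dockerfile, which this PR page does not show), a Dockerfile that follows the notes above: the uv binary copied from the pinned ghcr.io/astral-sh/uv:0.10.9 image via a multi-stage COPY, dependencies installed strictly from uv.lock, PYTHONUNBUFFERED=1 in place of the old -u flag, and a uv run ENTRYPOINT. The python:3.13-slim base image, the /action path, the main.py entry point and the non-root user are assumptions.

```dockerfile
# Added example, not the project's own Dockerfile. Assumed: python:3.13-slim base,
# source in /action, entry point main.py, unprivileged user "app".
FROM python:3.13-slim

# Multi-stage COPY of the uv binary from the pinned release image (tag taken from the PR notes).
# Pinning the tag (or, stricter, the image digest) keeps the installer itself reproducible.
COPY --from=ghcr.io/astral-sh/uv:0.10.9 /uv /uvx /bin/

# Replaces the former `python3 -u`: unbuffered stdout/stderr so Action logs stream live.
ENV PYTHONUNBUFFERED=1
# Compile bytecode at install time rather than on first run.
ENV UV_COMPILE_BYTECODE=1
# Copy packages out of the cache instead of hard-linking (the cache mount is discarded anyway).
ENV UV_LINK_MODE=copy

WORKDIR /action

# Resolve from the lockfile only (--frozen never rewrites uv.lock; --no-dev skips test deps)
# before the source is copied, so this layer stays cached until pyproject.toml/uv.lock change.
COPY pyproject.toml uv.lock ./
RUN --mount=type=cache,target=/root/.cache/uv \
    uv sync --frozen --no-dev --no-install-project

COPY . .

# Run the action as an unprivileged user.
RUN useradd --system --no-create-home app && chown -R app:app /action
USER app

# The Action runtime starts the container with its own working directory, so point uv at the
# project explicitly instead of relying on cwd. --no-sync reuses the environment built above
# and never reaches for the network at start-up.
ENTRYPOINT ["uv", "run", "--project", "/action", "--no-sync", "python", "/action/main.py"]
```

Building with `docker build .` fails if pyproject.toml and uv.lock disagree, which is the deterministic-build property the PR description relies on.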
@jmeridth jmeridth self-assigned this Mar 11, 2026
@jmeridth jmeridth requested a review from zkoppert as a code owner March 11, 2026 04:32
@github-actions github-actions bot added the automation CI/CD or automation changes label Mar 11, 2026
@zkoppert (Contributor)

Looks great! Couple things to look at

  • Line 419 in README.md still references old pip-based installation.

> New update-uv-lock.yml workflow uses octo-sts for Dependabot PR lockfile sync — requires the chainguard STS policy to be registered in the org

  • isn't the chainguard STS policy already registered in the org or is that a todo? still learning how this works.
  • Is there a way to pin the version of uv that we are using? or maybe it is but I missed it?
  • The README local testing section should mention uv installation
  • Tested out the docker and everything worked except my memory of how to work docker. no changes needed in the code there.
  • This can be a later thing but uv caching would be cool. I don't think our actions take that long but a cool trick to speed things up. https://docs.astral.sh/uv/guides/integration/github/#caching for later reading.

@jmeridth (Collaborator, Author)

jmeridth commented Mar 11, 2026

> Looks great! Couple things to look at
>
>   • Line 419 in README.md still references old pip-based installation.
>
> > New update-uv-lock.yml workflow uses octo-sts for Dependabot PR lockfile sync — requires the chainguard STS policy to be registered in the org
>
>   • isn't the chainguard STS policy already registered in the org or is that a todo? still learning how this works.
>   • Is there a way to pin the version of uv that we are using? or maybe it is but I missed it?
>   • The README local testing section should mention uv installation
>   • Tested out the docker and everything worked except my memory of how to work docker. no changes needed in the code there.
>   • This can be a later thing but uv caching would be cool. I don't think our actions take that long but a cool trick to speed things up. https://docs.astral.sh/uv/guides/integration/github/#caching for later reading.

  • README - fixing
  • the app is registered in the org, but each repo needs to create its own trust policies in the .github/chainguard folder (trust policies == sts policy files)
  • uv is pinned to 0.10.9 in the Dockerfile, I'll pin in the workflows to match
  • using enable-cache feature of setup-uv action

- update README to use uv for local development
- update setup-uv workflows
  - pin version to match Dockerfile
  - cache

Signed-off-by: jmeridth <jmeridth@gmail.com>
@zkoppert (Contributor) left a comment


🚢

@jmeridth jmeridth merged commit 6f3b6b0 into main Mar 11, 2026
39 checks passed
@jmeridth jmeridth deleted the jm_move_to_uv branch March 11, 2026 06:14