build: migrate codespell and gitlint from pip to uvx

[cblecker]

What this PR does / why we need it:

Migrates codespell and gitlint from pip install --target to uvx, which runs Python tools in ephemeral, cached environments.

Before: pip install created local *_dist/ directories under hack/tools/bin/, required shuffling binaries around, and could conflict with system Python.

After: uvx handles tool installation transparently with zero side effects. No local dist directories, no pip invocations.

Changes:

• Add UVX ?= uvx variable (overridable)
• Replace $(CODESPELL) / $(GITLINT) invocations with $(UVX) codespell== / $(UVX) gitlint-core==
• Remove codespell and gitlint installation prerequisites and build targets
• Remove ./hack/tools/bin/codespell_dist from the codespell skip list (no longer exists)

Which issue(s) this PR fixes:

Special notes for your reviewer:

• The PyPI package providing the gitlint CLI via uvx is gitlint-core, not gitlint
• Version pins are preserved (codespell==2.4.1, gitlint-core==0.19.1)
• UVX variable is overridable (UVX ?= uvx) for CI environments

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Summary by CodeRabbit

Chores

• Refactored tool management for code verification and linting to use explicit version handling, improving consistency across development environments
• Removed local tool installation steps that were previously required in the build process, reducing initial setup complexity for developers
• Enhanced baseline detection mechanism for local development linting workflows, providing improved accuracy when determining merge points

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci]

Please specify an area label

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

Walkthrough

The Makefile is refactored to use UVX as a universal tool invoker for external utilities (codespell, gitlint) instead of direct command calls. Legacy tool build targets are removed, and merge-base computation for non-PR scenarios is expanded to consider additional remote branches.

Changes

Cohort / File(s)

Summary

UVX Integration and Tool Management Makefile

Introduces UVX variable and replaces direct codespell/gitlint invocations with UVX-wrapped calls using explicit version constraints (CODESPELL_VER, GITLINT_VER). Removes legacy codespell and gitlint build targets. Updates verify-codespell and run-gitlint to call tools via UVX. Extends merge-base computation in non-PR path to include origin/main and origin/master branches for enhanced baseline determination in local development.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: migrating codespell and gitlint tooling from pip-based installation to uvx execution.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	The custom check for stable and deterministic test names is not applicable to this PR. The PR only modifies the Makefile for build tooling configuration, with no changes to any test files or test title declarations.
Test Structure And Quality	✅ Passed	The custom check for test structure and quality is inapplicable since this PR only modifies the Makefile for build tooling migration and contains no test file changes.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: cblecker
Once this PR has been reviewed and has the lgtm label, please assign sjenning for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@Makefile`:
- Around line 382-383: The Makefile target verify-codespell currently uses an
invalid UVX version specifier "(UVX) codespell==$(CODESPELL_VER)"; update the
invocation in the verify-codespell recipe to use a valid UVX pinning form —
either call UVX with the direct command form $(UVX) codespell@$(CODESPELL_VER)
or use the PEP 508 form $(UVX) --from 'codespell==$(CODESPELL_VER)' codespell —
referencing the verify-codespell target and the UVX and CODESPELL_VER variables
when making the change.

---

ℹ️ Review info

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 40d6470 and 326bb87.

📒 Files selected for processing (1)

• Makefile

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

uvx version specifier syntax @ == documentation

💡 Result:

In uvx (alias of uv tool run), @ and == apply in different places:

• command@<version> (uvx shorthand) = exact tool version only
  Use this when the command name itself includes a pinned version, e.g. uvx ruff@0.6.0 check. The docs note this form and that @ is for an exact version (and @latest is also supported). [2]

• --from / --with use standard Python dependency specifiers (PEP 508), e.g. ==, ranges, extras
  Examples:

  • uvx --from 'ruff==0.3.0' ruff check
  • uvx --from 'ruff>0.2.0,<0.3.0' ruff check
  • uvx --from 'mypy[faster-cache,reports]==1.13.0' mypy ...
    This is standard “dependency specifier” syntax (name[extras] ==1.2.3, >=, <, !=, etc.). [2][3]

• CLI reference confirms command may include <package>@<version> (for the command token), and uvx behavior matches uv tool run. [1]

If you’re trying something like --with "pkg@1.2.3", that typically won’t parse as a version pin—use --with "pkg==1.2.3" instead. (This mismatch is also discussed in uv’s issue tracker.) [4]

Sources: uv CLI reference [1], uv “Using tools” guide [2], uv dependency specifiers (PEP 508) docs [3], GitHub issue discussion [4].

---

Fix uvx version specifier syntax.

uvx version pinning uses either @ for the direct command form (e.g., uvx codespell@2.4.1) or PEP 508 specifiers with the --from flag (e.g., uvx --from 'codespell==2.4.1' codespell). The current form $(UVX) codespell==$(CODESPELL_VER) mixes both approaches and will not work. Use either $(UVX) codespell@$(CODESPELL_VER) or $(UVX) --from 'codespell==$(CODESPELL_VER)' codespell.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Makefile` around lines 382 - 383, The Makefile target verify-codespell
currently uses an invalid UVX version specifier "(UVX)
codespell==$(CODESPELL_VER)"; update the invocation in the verify-codespell
recipe to use a valid UVX pinning form — either call UVX with the direct command
form $(UVX) codespell@$(CODESPELL_VER) or use the PEP 508 form $(UVX) --from
'codespell==$(CODESPELL_VER)' codespell — referencing the verify-codespell
target and the UVX and CODESPELL_VER variables when making the change.

[bryan-cox]

Verify is failing

/bin/sh: line 1: uvx: command not found

[cblecker]

@bryan-cox This would need openshift/release#75848 as a pre-requisite

[openshift-bot]

Stale PRs are closed after 21d of inactivity.

If this PR is still relevant, comment to refresh it or remove the stale label.
Mark the PR as fresh by commenting /remove-lifecycle stale.

If this PR is safe to close now please do so with /close.

/lifecycle stale

[openshift-bot]

Stale PRs rot after 14d of inactivity.

Mark the PR as fresh by commenting /remove-lifecycle rotten.
Rotten PRs close after an additional 7d of inactivity.

If this PR is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

[openshift-ci]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[cblecker]

/remove-lifecycle rotten

[openshift-ci]

@cblecker: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/verify	326bb87	link	true	/test verify
ci/prow/security	326bb87	link	true	/test security

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[hypershift-jira-solve-ci]

I have all the evidence. Here is the report:

Test Failure Analysis Complete

Job Information

• Prow Job: pull-ci-openshift-hypershift-main-security
• Build ID: 2053890090182119424
• Job Type: presubmit
• State: failure
• Cluster: build01
• PR: build: migrate codespell and gitlint from pip to uvx #7829 — build: migrate codespell and gitlint from pip to uvx (by @cblecker)
• Start Time: 2026-05-11T17:28:51Z
• Completion Time: 2026-05-11T17:29:18Z (27 seconds — failed during clone)

Test Failure Analysis

Error

Auto-merging Makefile
CONFLICT (content): Merge conflict in Makefile
Automatic merge failed; fix conflicts and then commit the result.
# Error: exit status 1

Summary

The job failed during the Prow clone/merge phase — before any test code ran. Prow could not merge PR #7829's head commit (326bb87) onto the current main branch (8f279f9) because both sides modified the same lines in the Makefile. PR #7829 (created Feb 28) deletes the pip-based codespell and gitlint install sections and replaces them with uvx calls, while a later commit on main (e425c8cc, merged Apr 17) modified those same deleted lines to change pip to python3 -m pip. The branch needs a rebase onto current main to resolve the conflict.

Root Cause

The PR branch is stale — it was created on Feb 28, 2026 and has not been rebased since. A conflicting commit (e425c8cc70d3 — "fix: use python3 -m pip instead of bare pip in Makefile") was merged to main on Apr 17, 2026, approximately 7 weeks after the PR was opened.

Both changes target the codespell and gitlint build targets at the bottom of the Makefile:

• PR build: migrate codespell and gitlint from pip to uvx #7829 completely deletes the codespell and gitlint pip-install rule sections (lines using pip install --target=...) and replaces them with inline uvx codespell==... / uvx gitlint-core==... calls, eliminating the need for local pip installs entirely.

• Commit e425c8cc on main modifies those same lines, changing pip install to python3 -m pip install to fix bare pip usage when no virtualenv is active. It also adds a new pyyaml install section and verify-docs-nav target.

Git cannot auto-resolve this because one side modified lines that the other side deleted — a classic modify/delete conflict. This is purely a source control issue, not a product or test bug.

Recommendations

1. Rebase PR build: migrate codespell and gitlint from pip to uvx #7829 onto current main: The PR author (@cblecker) needs to rebase the branch worktree-wiggly-orbiting-pumpkin onto current main and resolve the merge conflict in Makefile. The resolution is straightforward — keep the uvx-based approach from the PR and discard the now-obsolete python3 -m pip sections.

2. Handle the new pyyaml/verify-docs-nav target: Commit e425c8cc also added a pyyaml install section and verify-docs-nav target that uses python3 -m pip to install pyyaml. During rebase, decide whether to also migrate this target to uvx, or keep it as-is since PR build: migrate codespell and gitlint from pip to uvx #7829 only addresses codespell and gitlint.

3. Re-trigger CI after the rebase and force-push to the PR branch.

Evidence

Evidence	Detail
Failure phase	Prow clone/merge (before any test execution)
Failure type	Git merge conflict — CONFLICT (content): Merge conflict in Makefile
PR created	2026-02-28
Conflicting commit	e425c8cc70d3 — "fix: use python3 -m pip instead of bare pip in Makefile" (merged 2026-04-17)
Conflicting area	Makefile — codespell/gitlint pip install rule sections (lines ~600–632)
PR changes	Deletes pip-based codespell and gitlint install targets, replaces with uvx calls
Main changes	Modifies same deleted lines: pip install → python3 -m pip install
Conflict type	Modify/delete — one branch modified lines the other branch deleted
Job runtime	27 seconds (failed immediately during clone)
Base SHA	8f279f9ce6f4 (main, 2026-05-11) — includes the conflicting commit
PR head SHA	326bb873188 — does not include the conflicting commit

---

[cblecker]

/close
Closing in favour of #8508

[openshift-ci]

@cblecker: Closed this PR.

Details

In response to this:

/close
Closing in favour of #8508

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.