SDK-87: Migrate to uv for development environments & fix vulnerabilities #208
…Python development standards. This does mean, though, that `uv` is now the only recommended development install workflow.
All of the old `requirements.txt` files are just such a waste of time to maintain. I've updated all of the GitHub Actions workflows to use `uv`, and the `.pre-commit-config.yaml`. The DevContainer Dockerfile is also now using `uv`.
…t.toml` and not `uv.lock`. The `pyproject.toml` is what affects our downstream users as opposed to developers, and we want to fix things for them, not just developers of the project.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 71924389fa
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Greptile Overview
| Filename | Overview |
|---|---|
| pyproject.toml | Migrated from requirements files to dependency-groups and bumped versions to fix vulnerabilities |
| .github/workflows/vulnerability-scan.yml | Added uv setup and proper conditionals to skip steps on PRs |
| .github/workflows/pytest-sanity.yaml | Migrated to uv with correct Windows PowerShell activation script |
| dev.Dockerfile | Switched to uv base image and simplified to use uv sync |
| .pre-commit-config.yaml | Updated uv-pre-commit hooks to 0.9.29 to align with project requirements |
| .github/workflows/lint.yaml | Replaced pip-based setup with uv sync for both ruff and basedpyright jobs |
| .github/workflows/deploy-to-pypi.yaml | Simplified to use uv sync for dependency installation before building |
…vulnerabilities # Conflicts: # DEV_README.md
@greptile Please re-review
@codex review
@cursor review
Baz please review this
Codex Review: Didn't find any major issues. Bravo.
…as` to ensure that they are tested for vulnerabilities
Cursor Bugbot has reviewed your changes and found 1 potential issue.
…ally scanning `.venv`
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Note
Medium Risk
Touches CI/release pipelines and dependency resolution, so failures could impact builds, publishing, and security scanning despite minimal runtime code changes.
Overview
Migrates the repo away from compiled `requirements/*.txt` files to `uv`-managed dependency groups in `pyproject.toml`, including a new `deploy` group and expanded `dev`/`docs` groups, plus dependency bumps to address vulnerabilities.
Updates most GitHub Actions workflows, `dev.Dockerfile`, `.envrc`, and pre-commit hooks to create venvs and install/sync dependencies via `uv` (including Windows PowerShell support), adjusts caching to key off `uv.lock`, and changes the vulnerability scan to run `pip-audit` against the synced `.venv`.
Adds Codex environment/rules files to permit `uv run pip-audit` and documents the new `uv`-first dev workflow in `AGENTS.md` and `DEV_README.md`.
Written by Cursor Bugbot for commit 062512a.
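As an added illustration of the scan shape Bugbot describes above (a sketch written for this page, not the PR's own `vulnerability-scan.yml`), here is a GitHub Actions job that installs `uv`, keys its cache off `uv.lock`, syncs the locked environment and runs `pip-audit` inside it; the action version, the `dev`/`deploy` group names and the schedule are assumptions.

```yaml
# Added example, not the PR's own workflow: a vulnerability scan built on uv.
# Assumptions: dependency groups named `dev` and `deploy` exist in
# pyproject.toml, pip-audit is declared in the `dev` group, and uv.lock is
# committed to the repo.
name: vulnerability-scan

on:
  pull_request:
  schedule:
    - cron: "0 6 * * 1"   # weekly run surfaces new advisories for unchanged code

jobs:
  pip-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install uv
        uses: astral-sh/setup-uv@v5
        with:
          enable-cache: true
          # The cache key follows the lockfile rather than pyproject.toml,
          # so any change in resolved versions rebuilds the environment.
          cache-dependency-glob: "uv.lock"

      - name: Sync locked environment
        # --locked fails if uv.lock is stale instead of silently re-resolving,
        # so the audit covers exactly the versions that will ship.
        run: uv sync --locked --group dev --group deploy

      - name: Audit the synced .venv
        # uv run executes inside .venv, so pip-audit inspects the synced
        # environment rather than the runner's system Python; --strict also
        # fails the job when a dependency could not be checked.
        run: uv run pip-audit --strict
```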