SDK-87: Migrate to uv for development environments & fix vulnerabilities

.codex/environments/environment.toml

@@ -0,0 +1,6 @@
+# THIS IS AUTOGENERATED. DO NOT EDIT MANUALLY
+version = 1
+name = "hirundo-python-sdk"
+
+[setup]
+script = "uv sync --group dev && source .venv/bin/activate"

.codex/rules/pip-audit.rules

@@ -0,0 +1,13 @@
+prefix_rule(
+    pattern = ["UV_CACHE_DIR=/tmp/uv-cache", "uv", "run", "pip-audit"],
+    decision = "allow",
+    justification = "pip-audit is allowed to run",
+    match = [
+        "'UV_CACHE_DIR=/tmp/uv-cache' uv run pip-audit",
+    ],
+    not_match = [
+        "uv run abc",
+        "uv run pip-audit",
+        "uvx pip-audit",
+    ],
+)

.envrc

@@ -1,2 +1,2 @@
 watch_file uv.lock
-uv sync --group dev && source .venv/bin/activate
+uv sync --all-groups && source .venv/bin/activate

.github/workflows/cleanup-test-artifacts.yaml

@@ -13,18 +13,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - name: Set up Python
-        uses: actions/setup-python@v6
+      - name: Set up uv
+        uses: astral-sh/setup-uv@v7
         with:
           python-version: '3.11'
-          cache: 'pip'
-      - name: Set up uv 0.9.6
-        uses: astral-sh/setup-uv@v3
-        with:
-          version: '0.9.6'
       - name: Install dependencies
         run: |
-          python -m pip install --upgrade pip
           uv venv
           uv sync --extra polars
       - name: Run cleanup script

.github/workflows/create-release.yaml

@@ -27,20 +27,17 @@ jobs:
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.ref }}
-      - name: Set up Python
-        uses: actions/setup-python@v6
-        with:
-          cache: 'pip'
-      - name: Install uv
+      - name: Set up uv
         uses: astral-sh/setup-uv@v7
+        with:
+          python-version: '3.11'
       - name: Bump version with `bumpver` then push tag
         env:
           GH_TOKEN: ${{ github.token }}
         run: |
-          python -m pip install --upgrade pip
-          python -m venv .venv
+          uv venv
           source .venv/bin/activate
-          pip install bumpver
+          uv pip install bumpver
           git config user.name "GitHub Actions [release-bot]"
           git config user.email "github-actions@hirundo.io"
           git checkout -b release-${{ github.event.inputs.version }}

.github/workflows/deploy-docker-image.yaml

@@ -21,15 +21,14 @@ permissions:
 jobs:
   build-and-push:
       if: (startsWith(github.ref, 'refs/tags/v') && contains(github.ref, '+on-prem')) || github.event_name == 'pull_request'
-      runs-on: ubuntu-latest
+      runs-on: ubuntu-latest-small-docker
 
       steps:
       - name: Checkout repository
         uses: actions/checkout@v3
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
         with:
-          install: true
           platforms: linux/amd64
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
@@ -43,7 +42,7 @@ jobs:
         uses: actions/cache@v4
         with:
           path: opt-uv
-          key: opt-uv-${{ hashFiles('requirements/*') }}
+          key: opt-uv-${{ hashFiles('uv.lock') }}
       - name: inject uv cache into docker
         # v1 was composed of two actions: "inject" and "extract".
         # v2 is unified to a single action.

.github/workflows/deploy-to-pypi.yaml

@@ -22,10 +22,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.base.ref }}
-      - name: Set up Python
-        uses: actions/setup-python@v6
-        with:
-          cache: 'pip'
+      - uses: astral-sh/setup-uv@v7
       - name: Push tag with release
         env:
           GH_TOKEN: ${{ github.token }}
@@ -44,11 +41,9 @@ jobs:
           git push origin ${{ github.event.pull_request.title }}
       - name: Install dependencies & build package
         run: |
-          python -m pip install --upgrade pip
-          python -m venv .venv
+          uv venv
           source .venv/bin/activate
-          pip install -r requirements/dev.txt
-          pip install build twine
+          uv sync --only-group deploy --no-install-project
           python -m build
       - name: Publish package distributions to TestPyPI (with act)
         env:

.github/workflows/lint.yaml

@@ -19,15 +19,13 @@ jobs:
         python-version: ["3.10", "3.11", "3.12", "3.13"]
     steps:
       - uses: actions/checkout@v3
-      - uses: actions/setup-python@v6
+      - uses: astral-sh/setup-uv@v7
         with:
-          cache: 'pip'
           python-version: ${{ matrix.python-version }}
       - run: |
-          python -m pip install --upgrade pip
-          python -m venv .venv
+          uv venv
           source .venv/bin/activate
-          pip install -r requirements/dev.txt -r requirements/pandas.txt -r requirements/polars.txt -r requirements/transformers.txt
+          uv sync --group dev
       - run: echo "$PWD/.venv/bin" >> $GITHUB_PATH
       - uses: astral-sh/ruff-action@v3
       - run: ruff check
@@ -42,14 +40,12 @@ jobs:
         python-version: ["3.10", "3.11", "3.12", "3.13"]
     steps:
       - uses: actions/checkout@v3
-      - uses: actions/setup-python@v6
+      - uses: astral-sh/setup-uv@v7
         with:
-          cache: 'pip'
           python-version: ${{ matrix.python-version }}
       - run: |
-          python -m pip install --upgrade pip
-          python -m venv .venv
+          uv venv
           source .venv/bin/activate
-          pip install -r requirements/dev.txt -r requirements/pandas.txt -r requirements/polars.txt -r requirements/transformers.txt
+          uv sync --group dev
       - run: echo "$PWD/.venv/bin" >> $GITHUB_PATH
       - run: basedpyright

.github/workflows/pytest-full.yaml

@@ -28,16 +28,12 @@ jobs:
             env: RUN_COCO_OD_GCP_SANITY_DATA_QA
     steps:
       - uses: actions/checkout@v4
-      - name: Set up Python
-        uses: actions/setup-python@v6
-        with:
-          cache: 'pip'
+      - uses: astral-sh/setup-uv@v7
       - name: Install dependencies on Linux and macOS
         run: |
-          python -m pip install --upgrade pip
-          python -m venv .venv
+          uv venv
           source .venv/bin/activate
-          pip install -r requirements/dev.txt -r requirements/polars.txt -r requirements/transformers.txt
+          uv sync --group dev
       - name: Run PyTest
         run: .venv/bin/pytest tests/${{ matrix.data-qa-test['test'] }}
         env:

.github/workflows/pytest-sanity.yaml

@@ -2,7 +2,7 @@ name: Run sanity tests with PyTest
 
 on:
   pull_request:
-    types: [opened, synchronize]
+    types: [opened, synchronize, reopened, assigned]
   push:
     branches:
       - "main"
@@ -46,24 +46,22 @@ jobs:
           fi
       - name: Set up Python
         if: github.event_name != 'pull_request' && steps.changes.outputs.non_workflow == 'true'
-        uses: actions/setup-python@v6
+        uses: astral-sh/setup-uv@v7
         with:
           python-version: ${{ matrix.python-version }}
-          cache: 'pip'
       - name: Install dependencies on Linux and macOS
         if: github.event_name != 'pull_request' && runner.os != 'Windows' && steps.changes.outputs.non_workflow == 'true'
         run: |
-          python -m pip install --upgrade pip
-          python -m venv .venv
+          uv venv
           source .venv/bin/activate
-          pip install -r requirements/dev.txt -r requirements/polars.txt -r requirements/transformers.txt
+          uv sync --group dev
       - name: Run commands on Windows
         if: github.event_name != 'pull_request' && runner.os == 'Windows' && steps.changes.outputs.non_workflow == 'true'
+        shell: pwsh
         run: |
-          python -m pip install --upgrade 'pip>=24.1.2'
-          python -m venv .venv
-          .venv\Scripts\activate
-          python -m pip install -r requirements\dev.txt -r requirements\polars.txt -r requirements\transformers.txt
+          uv venv
+          & .\.venv\Scripts\Activate.ps1
+          uv sync --group dev
       - name: Run PyTest on Linux and macOS
         if: github.event_name != 'pull_request' && runner.os != 'Windows' && steps.changes.outputs.non_workflow == 'true'
         run: .venv/bin/pytest

.github/workflows/update-docs.yaml

@@ -32,18 +32,15 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0 # Fetch all history for all tags and branches
-      - uses: actions/setup-python@v6
-        with:
-          cache: 'pip'
+      - uses: astral-sh/setup-uv@v7
       - name: Install dependencies
         timeout-minutes: 5
         env:
           SLEEP: 15
         run: |
-          python -m pip install --upgrade pip
-          python -m venv .venv
+          uv venv
           source .venv/bin/activate
-          pip install -r requirements/docs.txt
+          uv sync --only-group docs --no-install-project
           # Extract version from hirundo/__init__.py with error handling
           if [ -f "hirundo/__init__.py" ]; then
             export VERSION=$(python -c "import re; content=open('hirundo/__init__.py').read(); match=re.search(r'__version__ = [\"\'](.*?)[\"\']', content); print(match.group(1) if match else 'unknown')" 2>/dev/null || echo 'unknown')
@@ -56,7 +53,7 @@ jobs:
             exit 1
           fi
 
-          until pip install --no-cache-dir "hirundo==${VERSION}"; do
+          until uv pip install --no-cache-dir "hirundo==${VERSION}"; do
             echo "Can't find the version you mentioned, waiting $SLEEP seconds and retrying"
             sleep $SLEEP
             echo "finish waiting. retrying..."

.github/workflows/vulnerability-scan.yml

@@ -1,7 +1,7 @@
 name: Vulnerability scan
 on:
   pull_request:
-    types: [opened, synchronize]
+    types: [opened, synchronize, reopened, assigned]
   merge_group:
     types: [checks_requested]
   push:
@@ -16,15 +16,6 @@ concurrency:
 
 jobs:
   vulnerability-scan:
-    strategy:
-      matrix:
-        requirements:
-          - requirements/requirements.txt
-          - requirements/dev.txt
-          - requirements/docs.txt
-          - requirements/pandas.txt
-          - requirements/polars.txt
-          - requirements/transformers.txt
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -34,7 +25,14 @@ jobs:
       - name: No-op on pull_request
         if: github.event_name == 'pull_request'
         run: echo "Skipping vulnerability scan on PR; marking job success."
+      - uses: astral-sh/setup-uv@v7
+        if: github.event_name != 'pull_request'
+      - if: github.event_name != 'pull_request'
+        run: |
+          uv venv
+          source .venv/bin/activate
+          uv sync --resolution lowest-direct --all-groups --all-extras
       - uses: pypa/gh-action-pip-audit@v1.1.0
         if: github.event_name != 'pull_request'
         with:
-          inputs: ${{ matrix.requirements }}
+          virtual-environment: .venv

.pre-commit-config.yaml

@@ -16,63 +16,17 @@ repos:
       - id: ruff-format
   - repo: local
     hooks:
-    - id: basedpyright
-      name: basedpyright
-      entry: basedpyright
-      language: python
-      types: [python]
-      pass_filenames: false
-      additional_dependencies: [basedpyright==1.37.1]
-    - id: pip-compile
-      name: compile requirements/requirements.txt
-      entry: uv
-      args: ["pip", "compile", "-o", "requirements/requirements.txt"]
-      language: python
-      always_run: false
-      files: pyproject.toml$
-      additional_dependencies: [uv]
-    - id: pip-compile-dev
-      name: compile requirements/dev.txt
-      entry: uv
-      args: ["pip", "compile", "--extra", "dev", "-o", "requirements/dev.txt", "-c", "requirements/requirements.txt"]
-      language: python
-      always_run: false
-      files: pyproject.toml$
-      additional_dependencies: [uv]
-    - id: pip-compile-pandas
-      name: compile requirements/pandas.txt
-      entry: uv
-      args: ["pip", "compile", "--extra", "pandas", "-o", "requirements/pandas.txt", "-c", "requirements/requirements.txt"]
-      language: python
-      files: pyproject.toml$
-      additional_dependencies: [uv]
-    - id: pip-compile-polars
-      name: compile requirements/polars.txt
-      entry: uv
-      args: ["pip", "compile", "--extra", "polars", "-o", "requirements/polars.txt", "-c", "requirements/requirements.txt"]
-      language: python
-      files: pyproject.toml$
-      additional_dependencies: [uv]
-    - id: pip-compile-docs
-      name: compile requirements/docs.txt
-      entry: uv
-      args: ["pip", "compile", "--extra", "docs", "-o", "requirements/docs.txt", "-c", "requirements/requirements.txt"]
-      language: python
-      always_run: false
-      files: pyproject.toml$
-      additional_dependencies: [uv]
-    - id: pip-compile-transformers
-      name: compile requirements/transformers.txt
-      entry: uv
-      args: ["pip", "compile", "--extra", "transformers", "-o", "requirements/transformers.txt", "-c", "requirements/requirements.txt"]
-      language: python
-      always_run: false
-      files: pyproject.toml$
-      additional_dependencies: [uv]
+      - id: basedpyright
+        name: basedpyright
+        entry: basedpyright
+        language: python
+        types: [python]
+        pass_filenames: false
+        additional_dependencies: [basedpyright==1.37.1]
   - repo: https://github.com/astral-sh/uv-pre-commit
     # uv version.
-    rev: 0.9.6
+    rev: 0.9.29
     hooks:
       - id: uv-lock
       - id: uv-sync
-        args: ["--group", "dev"]
+        args: ["--all-groups"]