IN-1561- Migrate to uv and align with 2026-04-10 spec

.github/pull-request-template.md

@@ -3,7 +3,6 @@ Describe the overall purpose of the PR changes and any useful background context
 
 ### How can a reviewer manually see the effects of these changes?
 Explain how to see the proposed changes in the application if possible.
-
 Delete this section if it isn't applicable to the PR.
 
 ### Includes new or updated dependencies?
@@ -16,4 +15,7 @@ YES | NO
 - Include links to Jira Software and/or Jira Service Management tickets here.
 
 ### Code review
-* Code review best practices are documented [here](https://mitlibraries.github.io/guides/collaboration/code_review.html) and you are encouraged to have a constructive dialogue with your reviewers about their preferences and expectations.
+* Code review best practices are documented
+[here](https://mitlibraries.github.io/guides/collaboration/code_review.html)
+and you are encouraged to have a constructive dialogue with your reviewers
+about their preferences and expectations.

.github/workflows/ci.yml

@@ -1,7 +1,11 @@
 name: CI
-on: push
+permissions: read-all
+on:
+  pull_request:
+    paths-ignore:
+      - '.github/**'
 jobs:
   test:
-    uses: mitlibraries/.github/.github/workflows/python-shared-test.yml@main
+    uses: mitlibraries/.github/.github/workflows/python-uv-shared-test.yml@main
   lint:
-    uses: mitlibraries/.github/.github/workflows/python-shared-lint.yml@main
+    uses: mitlibraries/.github/.github/workflows/python-uv-shared-lint.yml@main

.github/workflows/dev-build.yml

@@ -1,8 +1,4 @@
-### This is the Terraform-generated dev-build.yml workflow for the transmogrifier-dev app repository ###
-### If this is a Lambda repo, uncomment the FUNCTION line at the end of the document     ###
-### If the container requires any additional pre-build commands, uncomment and edit      ###
-### the PREBUILD line at the end of the document.                                        ###
-name: Dev Container Build and Deploy
+name: Dev Image Build and Deploy
 on:
   workflow_dispatch:
   pull_request:
@@ -11,14 +7,17 @@ on:
     paths-ignore:
       - '.github/**'
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
-  deploy:
-    name: Dev Container Deploy
-    uses: mitlibraries/.github/.github/workflows/ecr-shared-deploy-dev.yml@main
+
+  build-push:
+    name: Dev Build and Push
+    uses: mitlibraries/.github/.github/workflows/ecr-multi-arch-deploy-dev.yml@main
     secrets: inherit
     with:
-      AWS_REGION: "us-east-1"
-      GHA_ROLE: "transmogrifier-gha-dev"
-      ECR: "transmogrifier-dev"
-      # FUNCTION: ""
-      # PREBUILD: 
+      AWS_REGION: us-east-1
+      GHA_ROLE: transmogrifier-gha-dev
+      ECR: transmogrifier-dev

.github/workflows/prod-promote.yml

@@ -1,21 +1,22 @@
-### This is the Terraform-generated prod-promote.yml workflow for the transmogrifier-prod repository. ###
-### If this is a Lambda repo, uncomment the FUNCTION line at the end of the document.         ###
-name: Prod Container Promote
+name: Prod Image Promote
 on:
   workflow_dispatch:
   release:
     types: [published]
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
-  deploy:
-    name: Prod Container Promote
-    uses: mitlibraries/.github/.github/workflows/ecr-shared-promote-prod.yml@main
+
+  promote:
+    name: Prod promote
+    uses: mitlibraries/.github/.github/workflows/ecr-multi-arch-promote-prod.yml@main
     secrets: inherit
     with:
-      AWS_REGION: "us-east-1"
+      AWS_REGION: us-east-1
       GHA_ROLE_STAGE: transmogrifier-gha-stage
       GHA_ROLE_PROD: transmogrifier-gha-prod
-      ECR_STAGE: "transmogrifier-stage"
-      ECR_PROD: "transmogrifier-prod"
-      # FUNCTION: ""
-
+      ECR_STAGE: transmogrifier-stage
+      ECR_PROD: transmogrifier-prod

.github/workflows/stage-build.yml

@@ -1,8 +1,4 @@
-### This is the Terraform-generated dev-build.yml workflow for the transmogrifier-stage app repository ###
-### If this is a Lambda repo, uncomment the FUNCTION line at the end of the document     ###
-### If the container requires any additional pre-build commands, uncomment and edit      ###
-### the PREBUILD line at the end of the document.                                        ###
-name: Stage Container Build and Deploy
+name: Stage Image Build and Deploy
 on:
   workflow_dispatch:
   push:
@@ -11,14 +7,17 @@ on:
     paths-ignore:
       - '.github/**'
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
-  deploy:
-    name: Stage Container Deploy
-    uses: mitlibraries/.github/.github/workflows/ecr-shared-deploy-stage.yml@main
+
+  build-push:
+    name: Stage Build and Push
+    uses: mitlibraries/.github/.github/workflows/ecr-multi-arch-deploy-stage.yml@main
     secrets: inherit
     with:
-      AWS_REGION: "us-east-1"
-      GHA_ROLE: "transmogrifier-gha-stage"
-      ECR: "transmogrifier-stage"
-      # FUNCTION: ""
-      # PREBUILD: 
+      AWS_REGION: us-east-1
+      GHA_ROLE: transmogrifier-gha-stage
+      ECR: transmogrifier-stage

.gitignore

@@ -89,6 +89,7 @@ ipython_config.py
 
 # asdf
 .tool-versions
+.arch_tag
 
 # pipenv
 #   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.

.pre-commit-config.yaml

@@ -1,29 +1,30 @@
 default_language_version:
-  python: python3.12 # set for project python version
+  python: python3.13
+
+default_stages:
+  - pre-push
+
 repos:
   - repo: local
     hooks:
-      - id: black-apply
-        name: black-apply
-        entry: pipenv run black
+      - id: ruff-format
+        name: ruff-format
+        entry: uv run ruff format --diff
         language: system
         pass_filenames: true
         types: ["python"]
+
       - id: mypy
         name: mypy
-        entry: pipenv run mypy
+        entry: uv run mypy
         language: system
         pass_filenames: true
         types: ["python"]
-        exclude: "tests/"
-      - id: ruff-apply
-        name: ruff-apply
-        entry: pipenv run ruff check --fix
+        exclude: "(tests/|output/|migrations/)"
+
+      - id: ruff-check
+        name: ruff-check
+        entry: uv run ruff check
         language: system
         pass_filenames: true
         types: ["python"]
-      - id: pip-audit
-        name: pip-audit
-        entry: pipenv run pip-audit --ignore-vuln GHSA-4xh5-x5gv-qwph
-        language: system
-        pass_filenames: false

.python-version

@@ -1 +1 @@
-3.12
+3.13

Dockerfile

@@ -1,12 +1,19 @@
-FROM python:3.12-slim as build
-WORKDIR /app
-COPY . .
+FROM python:3.13-slim
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends git ca-certificates && \
+    rm -rf /var/lib/apt/lists/*
 
-RUN pip install --no-cache-dir --upgrade pip pipenv
+COPY --from=ghcr.io/astral-sh/uv:latest /uv /bin/uv
+ENV UV_SYSTEM_PYTHON=1
+
+WORKDIR /app
 
-RUN apt-get update && apt-get upgrade -y && apt-get install -y git
+COPY pyproject.toml uv.lock* ./
+COPY transmogrifier ./transmogrifier
+COPY config ./config
 
-COPY Pipfile* /
-RUN pipenv install
+RUN uv pip install --system .
 
-ENTRYPOINT ["pipenv", "run", "transform"]
+ENTRYPOINT ["transform"]
+CMD []