From a7b411320fe3644177df68265c3a2b1167cc440a Mon Sep 17 00:00:00 2001 From: Marshall Krassenstein Date: Mon, 30 Mar 2026 16:49:45 -0400 Subject: [PATCH 1/3] chore: migrate to uv with supply-chain guardrails MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Add missing deps to pyproject.toml (flask-socketio, simple-websocket, requests, cryptography); swap mlflow[genai] for mlflow-tracing - Add [tool.uv] exclude-newer = "7 days" to block packages less than a week old (supply-chain protection) - Add [tool.uv.sources] git overrides for requests + cryptography (Databricks PyPI proxy workaround) - Gitignore uv.lock — hashes are proxy-specific, not portable for customers - Add compile step to dependency-audit.yml to warn when requirements.txt drifts from pyproject.toml - Add update-lockfile.yml to auto-regenerate requirements.lock whenever Dependabot merges a requirements.txt bump Co-authored-by: Marshall Krassenstein --- .github/workflows/dependency-audit.yml | 11 +++++++ .github/workflows/update-lockfile.yml | 40 ++++++++++++++++++++++++++ .gitignore | 3 ++ pyproject.toml | 18 +++++++++++- 4 files changed, 71 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/update-lockfile.yml diff --git a/.github/workflows/dependency-audit.yml b/.github/workflows/dependency-audit.yml index b152db0..afe085e 100644 --- a/.github/workflows/dependency-audit.yml +++ b/.github/workflows/dependency-audit.yml @@ -30,6 +30,17 @@ jobs: - name: Install audit tools run: pip install pip-audit==2.9.0 uv==0.7.12 + - name: Compile requirements.txt from pyproject.toml + run: | + # Keep requirements.txt in sync with pyproject.toml so Dependabot can scan it. + # Note: [tool.uv.sources] git overrides are not resolved by pip compile — + # requests and cryptography fall back to their PyPI versions here, which is + # intentional for Dependabot's purposes. + uv pip compile pyproject.toml -o /tmp/requirements.compiled.txt + if ! diff -q requirements.txt /tmp/requirements.compiled.txt > /dev/null 2>&1; then + echo "::warning::requirements.txt is out of date with pyproject.toml. Run: uv pip compile pyproject.toml -o requirements.txt" + fi + - name: Audit pinned dependencies run: | if [ -f requirements.lock ]; then diff --git a/.github/workflows/update-lockfile.yml b/.github/workflows/update-lockfile.yml new file mode 100644 index 0000000..ef656d5 --- /dev/null +++ b/.github/workflows/update-lockfile.yml @@ -0,0 +1,40 @@ +name: Update Lockfile + +on: + push: + branches: [main] + paths: + - "requirements.txt" + +jobs: + update-lockfile: + runs-on: ubuntu-latest + permissions: + contents: write + + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + - name: Set up Python + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 + with: + python-version: "3.11" + + - name: Install uv + run: pip install uv==0.7.12 + + - name: Regenerate requirements.lock + run: uv pip compile requirements.txt -o requirements.lock --generate-hashes + + - name: Commit updated lockfile + run: | + git config user.name "github-actions[bot]" + git config user.email "github-actions[bot]@users.noreply.github.com" + if git diff --quiet requirements.lock; then + echo "requirements.lock is already up to date, nothing to commit" + else + git add requirements.lock + git commit -m "chore: regenerate requirements.lock after requirements.txt update" + git push + fi diff --git a/.gitignore b/.gitignore index 33ee1c8..f9acd43 100644 --- a/.gitignore +++ b/.gitignore @@ -17,3 +17,6 @@ outstanding-todos.md # Uploaded files (clipboard paste images) uploads/ + +# uv lockfile — not portable across PyPI proxies, generate locally with `uv lock` +uv.lock diff --git a/pyproject.toml b/pyproject.toml index c60f459..06e4dbb 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -5,8 +5,24 @@ description = "CoDA - Coding Agents on Databricks Apps" requires-python = ">=3.10" dependencies = [ "flask>=2.0", + "flask-socketio>=5.0", + "simple-websocket>=1.0", "claude-agent-sdk", "databricks-sdk>=0.20.0", - "mlflow[genai]>=3.4", + "mlflow-tracing>=3.4", "opentelemetry-exporter-otlp-proto-grpc", + "requests", + "cryptography", ] + +[tool.uv] +# Exclude packages uploaded to PyPI more recently than ~30 days ago. +# This gives the community time to catch supply-chain issues before they land here. +# Bump this date when you intentionally need a newer release. +exclude-newer = "7 days" + +[tool.uv.sources] +# Direct GitHub installs — workaround for Databricks internal PyPI proxy gaps. +# Remove these once the proxy has current versions. +requests = { git = "https://github.com/psf/requests", rev = "v2.33.0" } +cryptography = { git = "https://github.com/pyca/cryptography", rev = "46.0.6" } From 30997c06d88df40fa23ce605fb6b316f30c2cd81 Mon Sep 17 00:00:00 2001 From: Marshall Krassenstein Date: Mon, 30 Mar 2026 16:56:29 -0400 Subject: [PATCH 2/3] fix: use astral-sh/setup-uv action instead of pinned pip install uv==0.7.12 predates relative duration support in exclude-newer ("7 days"). Switching to the official action ensures we always get a current uv version. Co-authored-by: Marshall Krassenstein --- .github/workflows/dependency-audit.yml | 5 ++++- .github/workflows/update-lockfile.yml | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dependency-audit.yml b/.github/workflows/dependency-audit.yml index afe085e..9f62ff3 100644 --- a/.github/workflows/dependency-audit.yml +++ b/.github/workflows/dependency-audit.yml @@ -27,8 +27,11 @@ jobs: with: python-version: "3.11" + - name: Install uv + uses: astral-sh/setup-uv@v5 + - name: Install audit tools - run: pip install pip-audit==2.9.0 uv==0.7.12 + run: pip install pip-audit==2.9.0 - name: Compile requirements.txt from pyproject.toml run: | diff --git a/.github/workflows/update-lockfile.yml b/.github/workflows/update-lockfile.yml index ef656d5..f96549e 100644 --- a/.github/workflows/update-lockfile.yml +++ b/.github/workflows/update-lockfile.yml @@ -22,7 +22,7 @@ jobs: python-version: "3.11" - name: Install uv - run: pip install uv==0.7.12 + uses: astral-sh/setup-uv@v5 - name: Regenerate requirements.lock run: uv pip compile requirements.txt -o requirements.lock --generate-hashes From dc54f9ac452672211ab93e134b738ecf4ba38b77 Mon Sep 17 00:00:00 2001 From: Marshall Krassenstein Date: Wed, 1 Apr 2026 07:30:47 -0400 Subject: [PATCH 3/3] fix: switch cryptography from git source to PyPI 46.0.6 Co-authored-by: Marshall Krassenstein --- pyproject.toml | 1 - requirements.lock | 2 +- requirements.txt | 2 +- 3 files changed, 2 insertions(+), 3 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 06e4dbb..2ec0ad2 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -25,4 +25,3 @@ exclude-newer = "7 days" # Direct GitHub installs — workaround for Databricks internal PyPI proxy gaps. # Remove these once the proxy has current versions. requests = { git = "https://github.com/psf/requests", rev = "v2.33.0" } -cryptography = { git = "https://github.com/pyca/cryptography", rev = "46.0.6" } diff --git a/requirements.lock b/requirements.lock index d408823..9d5bd67 100644 --- a/requirements.lock +++ b/requirements.lock @@ -256,7 +256,7 @@ click==8.3.1 \ # flask # flask-socketio # uvicorn -cryptography @ git+https://github.com/pyca/cryptography@91d728897bdad30cd5c79a2b23e207f1f050d587 +cryptography==46.0.6 # via # -r requirements.txt # pyjwt diff --git a/requirements.txt b/requirements.txt index 8fdb2f7..f488270 100644 --- a/requirements.txt +++ b/requirements.txt @@ -6,4 +6,4 @@ databricks-sdk==0.102.0 mlflow-tracing==3.10.1 opentelemetry-exporter-otlp-proto-grpc==1.40.0 requests @ git+https://github.com/psf/requests@v2.33.0 -cryptography @ git+https://github.com/pyca/cryptography@46.0.6 +cryptography==46.0.6