
[CI] Add uv package ecosystem to dependabot #3002

Merged: jiayuasu merged 1 commit into apache:master from jbampton:add-uv-ecosystem-dependabot on May 28, 2026
Conversation

@jbampton (Member) commented May 27, 2026

https://docs.github.com/en/code-security/reference/supply-chain-security/supported-ecosystems-and-repositories

Did you read the Contributor Guide?

Is this PR related to a ticket?

  • No:
    • this is a CI update. The PR name follows the format [CI] my subject

What changes were proposed in this PR?

Add the uv.lock file to Git

  • Reproducibility: It pins every dependency to an exact version and content hash, eliminating the "it works on my machine" problem.
  • Deterministic CI/CD: You can use uv sync --locked in your automated pipelines to guarantee the environment is identical to the one you tested locally.
  • Cross-Platform Resolution: By default, uv.lock is designed to be universal and platform-agnostic, making it safe to share across different operating systems.
  • Security: Tools like Dependabot can scan the lockfile to detect vulnerable dependencies.

How was this patch tested?

Did this PR include necessary documentation updates?

  • No, this PR does not affect any public API so no need to change the documentation.

@jbampton jbampton requested a review from jiayuasu as a code owner May 27, 2026 15:05
@jbampton jbampton marked this pull request as draft May 27, 2026 15:17
@jbampton jbampton force-pushed the add-uv-ecosystem-dependabot branch from 138b1dc to 72095fd May 27, 2026 15:28
@jbampton jbampton added the dependencies Pull requests that update a dependency file label May 27, 2026
@jbampton jbampton marked this pull request as ready for review May 27, 2026 15:46
@jbampton jbampton added the root label May 27, 2026
@jbampton jbampton added this to the sedona-1.9.1 milestone May 27, 2026
@jiayuasu jiayuasu merged commit 3d9e5f6 into apache:master May 28, 2026
12 checks passed
@jbampton jbampton deleted the add-uv-ecosystem-dependabot branch May 28, 2026 06:56