build: switch from pip to uv for dependency management (#416)

* build: switch from pip to uv for dependency management

## What

Replace pip-based dependency management with uv across the project,
consolidating requirements.txt and requirements-test.txt into
pyproject.toml with a generated uv.lock. Add a workflow to keep
uv.lock in sync on Dependabot PRs.

## Why

uv provides faster installs, deterministic lockfile resolution, and
a simpler single-tool workflow for dependency and virtualenv management.

## Notes

- Dockerfile now copies uv binary from ghcr.io/astral-sh/uv:latest and
  uses uv sync --frozen --no-dev instead of pip install
- CI workflows use astral-sh/setup-uv with caching enabled
- test_contributors.py reformatted by black (with-statement style change)
- Dependabot will update pyproject.toml but does not natively understand
  uv.lock, so update-uv-lock.yml auto-commits the regenerated lockfile
  back to Dependabot PR branches
- If branch protection requires signed commits, the update-uv-lock
  workflow may need a GitHub App token instead of GITHUB_TOKEN
- Update CI matrix to include python 3.13 and 3.14

Signed-off-by: jmeridth <jmeridth@gmail.com>

* fix: address PR review feedback for uv migration

## What

Pin the uv Docker image to a versioned digest, restore unbuffered
Python output in the container, and update the super-linter workflow
to use uv instead of the deleted requirements files.

## Why

The review identified three issues: supply-chain risk from using a
mutable :latest tag, loss of unbuffered stdout/stderr behavior needed
for GitHub Actions log streaming, and the super-linter workflow still
referencing the removed requirements.txt files.

## Notes

- uv image pinned to 0.10.9@sha256:10902f58... — will need Dependabot
  or manual updates to rotate
- PYTHONUNBUFFERED=1 replaces the previous python3 -u entrypoint flag

Signed-off-by: jmeridth <jmeridth@gmail.com>

* fix: address super-linter CI failures

## What

Fix zizmor bot-conditions audit and codespell false positive on uv.lock.

## Why

The zizmor audit flagged github.actor as spoofable since it refers to the
last actor to modify the PR, not the creator. Codespell flagged "astroid"
(a real Python package) in uv.lock as a misspelling of "asteroid".

## Notes

- Replaced github.actor with github.event.pull_request.user.login which
  refers to the PR creator and cannot be spoofed by later commits
- Added .codespellrc to ignore-words-list for "astroid"

Signed-off-by: jmeridth <jmeridth@gmail.com>

* fix: exclude .venv from jscpd duplicate detection

## What

Add .venv to jscpd ignore list in the linter configuration.

## Why

The uv sync step creates a .venv in the workspace during CI. jscpd was
scanning vendored C files inside mypyc and reporting 50.58% duplication
over the 50% threshold, failing the super-linter check.

## Notes

- This only became an issue after switching to uv, which creates .venv
  in the workspace rather than installing into the system Python

Signed-off-by: jmeridth <jmeridth@gmail.com>

---------

Signed-off-by: jmeridth <jmeridth@gmail.com>

Author: jmeridth

.github/linters/.codespellrc

@@ -0,0 +1,2 @@
+[codespell]
+ignore-words-list = astroid

.github/linters/.jscpd.json

@@ -1,5 +1,5 @@
 {
   "threshold": 50,
-  "ignore": ["test*"],
+  "ignore": ["test*", "**/.venv/**"],
   "absolute": true
 }

.github/workflows/copilot-setup-steps.yml

@@ -30,11 +30,13 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: Set up Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - name: Install uv
+        uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182 # v5.4.1
         with:
-          python-version: 3.12
+          enable-cache: true
+
+      - name: Set up Python
+        run: uv python install 3.14
 
       - name: Install dependencies
-        run: |
-          pip install -r requirements.txt -r requirements-test.txt
+        run: uv sync

.github/workflows/python-ci.yml

@@ -18,19 +18,19 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: [3.11, 3.12]
+        python-version: [3.11, 3.12, 3.13, 3.14]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - name: Install uv
+        uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182 # v5.4.1
         with:
-          python-version: ${{ matrix.python-version }}
+          enable-cache: true
+      - name: Set up Python ${{ matrix.python-version }}
+        run: uv python install ${{ matrix.python-version }}
       - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install -r requirements.txt -r requirements-test.txt
+        run: uv sync
       - name: Lint with flake8 and pylint
         run: |
           make lint

.github/workflows/super-linter.yaml

@@ -22,10 +22,12 @@ jobs:
         with:
           fetch-depth: 0
           persist-credentials: false
+      - name: Install uv
+        uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182 # v5.4.1
+        with:
+          enable-cache: true
       - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install -r requirements.txt -r requirements-test.txt
+        run: uv sync
       - name: Lint Code Base
         uses: super-linter/super-linter@61abc07d755095a68f4987d1c2c3d1d64408f1f9 # v8.5.0
         env:

.github/workflows/update-uv-lock.yml

@@ -0,0 +1,35 @@
+---
+name: Update uv.lock
+
+on:
+  pull_request:
+    paths:
+      - pyproject.toml
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update-lock:
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ github.head_ref }}
+          persist-credentials: true
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182 # v5.4.1
+
+      - name: Update uv.lock
+        run: uv lock
+
+      - name: Commit updated lockfile
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add uv.lock
+          git diff --cached --quiet || git commit -s -m "chore(deps): update uv.lock"
+          git push

Dockerfile

@@ -14,9 +14,11 @@ LABEL com.github.actions.name="contributors" \
     org.opencontainers.image.description="GitHub Action that given an organization or repository, produces information about the contributors over the specified time period."
 
 WORKDIR /action/workspace
-COPY requirements.txt *.py /action/workspace/
+COPY pyproject.toml uv.lock *.py /action/workspace/
 
-RUN python3 -m pip install --no-cache-dir --no-deps -r requirements.txt \
+COPY --from=ghcr.io/astral-sh/uv:0.10.9@sha256:10902f58a1606787602f303954cea099626a4adb02acbac4c69920fe9d278f82 /uv /uvx /bin/
+
+RUN uv sync --frozen --no-dev --no-editable \
     && apt-get -y update \
     && apt-get -y install --no-install-recommends git=1:2.47.3-0+deb13u1 \
     && rm -rf /var/lib/apt/lists/*
@@ -25,5 +27,7 @@ RUN python3 -m pip install --no-cache-dir --no-deps -r requirements.txt \
 HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
   CMD python3 -c "import os,sys; sys.exit(0 if os.path.exists('/action/workspace/contributors.py') else 1)"
 
+ENV PYTHONUNBUFFERED=1
+
 CMD ["/action/workspace/contributors.py"]
-ENTRYPOINT ["python3", "-u"]
+ENTRYPOINT ["uv", "run"]

Makefile

@@ -1,6 +1,6 @@
 .PHONY: test
 test:
-	pytest -v --cov=. --cov-config=.coveragerc --cov-fail-under=80 --cov-report term-missing
+	uv run pytest -v --cov=. --cov-config=.coveragerc --cov-fail-under=80 --cov-report term-missing
 
 .PHONY: clean
 clean:
@@ -9,10 +9,10 @@ clean:
 .PHONY: lint
 lint:
 	# stop the build if there are Python syntax errors or undefined names
-	flake8 . --config=.github/linters/.flake8 --count --select=E9,F63,F7,F82 --show-source
+	uv run flake8 . --config=.github/linters/.flake8 --count --select=E9,F63,F7,F82 --show-source
 	# exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
-	flake8 . --config=.github/linters/.flake8 --count --exit-zero --max-complexity=15 --max-line-length=150
-	isort --settings-file=.github/linters/.isort.cfg .
-	pylint --rcfile=.github/linters/.python-lint --fail-under=9.0 *.py
-	mypy --config-file=.github/linters/.mypy.ini *.py
-	black .
+	uv run flake8 . --config=.github/linters/.flake8 --count --exit-zero --max-complexity=15 --max-line-length=150
+	uv run isort --settings-file=.github/linters/.isort.cfg .
+	uv run pylint --rcfile=.github/linters/.python-lint --fail-under=9.0 *.py
+	uv run mypy --config-file=.github/linters/.mypy.ini *.py
+	uv run black .

README.md

@@ -266,11 +266,12 @@ The job summary contains the same markdown content that is written to the config
 ## Local usage without Docker
 
 1. Make sure you have at least Python3.11 installed
+1. Install [uv](https://docs.astral.sh/uv/getting-started/installation/)
 1. Copy `.env-example` to `.env`
 1. Fill out the `.env` file with a _token_ from a user that has access to the organization to scan (listed below). Tokens should have at least read:org access for organization scanning and read:repository for repository scanning.
 1. Fill out the `.env` file with the configuration parameters you want to use
-1. `pip3 install -r requirements.txt`
-1. Run `python3 ./contributors.py`, which will output everything in the terminal
+1. `uv sync`
+1. Run `uv run python3 ./contributors.py`, which will output everything in the terminal
 
 ## License
 

pyproject.toml

@@ -0,0 +1,22 @@
+[project]
+name = "contributors"
+version = "2.0.0"
+description = "GitHub Action that produces information about contributors over a specified time period."
+requires-python = ">=3.11"
+dependencies = [
+    "github3-py==4.0.1",
+    "python-dotenv==1.2.1",
+    "requests==2.32.5",
+]
+
+[dependency-groups]
+dev = [
+    "black==26.1.0",
+    "flake8==7.3.0",
+    "mypy==1.19.1",
+    "mypy-extensions==1.1.0",
+    "pylint==4.0.5",
+    "pytest==9.0.2",
+    "pytest-cov==7.0.0",
+    "types-requests==2.32.4.20260107",
+]