build: switch from pip to uv for dependency management

jmeridth · jmeridth · commit d7e6bffb8e8c · 2026-03-07T21:31:16.000-06:00
## What

Replace pip-based dependency management with uv across the project,
consolidating requirements.txt and requirements-test.txt into
pyproject.toml with a generated uv.lock. Add a workflow to keep
uv.lock in sync on Dependabot PRs.

## Why

uv provides faster installs, deterministic lockfile resolution, and
a simpler single-tool workflow for dependency and virtualenv management.

## Notes

- Dockerfile now copies uv binary from ghcr.io/astral-sh/uv:latest and
  uses uv sync --frozen --no-dev instead of pip install
- CI workflows use astral-sh/setup-uv with caching enabled
- test_contributors.py reformatted by black (with-statement style change)
- Dependabot will update pyproject.toml but does not natively understand
  uv.lock, so update-uv-lock.yml auto-commits the regenerated lockfile
  back to Dependabot PR branches
- If branch protection requires signed commits, the update-uv-lock
  workflow may need a GitHub App token instead of GITHUB_TOKEN
- Update CI matrix to include python 3.13 and 3.14

Signed-off-by: jmeridth &lt;jmeridth@gmail.com&gt;
diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
@@ -30,11 +30,13 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: Set up Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - name: Install uv
+        uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182 # v5.4.1
         with:
-          python-version: 3.12
+          enable-cache: true
+
+      - name: Set up Python
+        run: uv python install 3.14
 
       - name: Install dependencies
-        run: |
-          pip install -r requirements.txt -r requirements-test.txt
+        run: uv sync
diff --git a/.github/workflows/python-ci.yml b/.github/workflows/python-ci.yml
@@ -18,19 +18,19 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: [3.11, 3.12]
+        python-version: [3.11, 3.12, 3.13, 3.14]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - name: Install uv
+        uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182 # v5.4.1
         with:
-          python-version: ${{ matrix.python-version }}
+          enable-cache: true
+      - name: Set up Python ${{ matrix.python-version }}
+        run: uv python install ${{ matrix.python-version }}
       - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install -r requirements.txt -r requirements-test.txt
+        run: uv sync
       - name: Lint with flake8 and pylint
         run: |
           make lint
diff --git a/.github/workflows/update-uv-lock.yml b/.github/workflows/update-uv-lock.yml
@@ -0,0 +1,35 @@
+---
+name: Update uv.lock
+
+on:
+  pull_request:
+    paths:
+      - pyproject.toml
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update-lock:
+    if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ github.head_ref }}
+          persist-credentials: true
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182 # v5.4.1
+
+      - name: Update uv.lock
+        run: uv lock
+
+      - name: Commit updated lockfile
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add uv.lock
+          git diff --cached --quiet || git commit -s -m "chore(deps): update uv.lock"
+          git push
diff --git a/Dockerfile b/Dockerfile
@@ -14,9 +14,11 @@ LABEL com.github.actions.name="contributors" \
     org.opencontainers.image.description="GitHub Action that given an organization or repository, produces information about the contributors over the specified time period."
 
 WORKDIR /action/workspace
-COPY requirements.txt *.py /action/workspace/
+COPY pyproject.toml uv.lock *.py /action/workspace/
 
-RUN python3 -m pip install --no-cache-dir --no-deps -r requirements.txt \
+COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
+
+RUN uv sync --frozen --no-dev --no-editable \
     && apt-get -y update \
     && apt-get -y install --no-install-recommends git=1:2.47.3-0+deb13u1 \
     && rm -rf /var/lib/apt/lists/*
@@ -26,4 +28,4 @@ HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
   CMD python3 -c "import os,sys; sys.exit(0 if os.path.exists('/action/workspace/contributors.py') else 1)"
 
 CMD ["/action/workspace/contributors.py"]
-ENTRYPOINT ["python3", "-u"]
+ENTRYPOINT ["uv", "run"]
diff --git a/Makefile b/Makefile
@@ -1,6 +1,6 @@
 .PHONY: test
 test:
-	pytest -v --cov=. --cov-config=.coveragerc --cov-fail-under=80 --cov-report term-missing
+	uv run pytest -v --cov=. --cov-config=.coveragerc --cov-fail-under=80 --cov-report term-missing
 
 .PHONY: clean
 clean:
@@ -9,10 +9,10 @@ clean:
 .PHONY: lint
 lint:
 	# stop the build if there are Python syntax errors or undefined names
-	flake8 . --config=.github/linters/.flake8 --count --select=E9,F63,F7,F82 --show-source
+	uv run flake8 . --config=.github/linters/.flake8 --count --select=E9,F63,F7,F82 --show-source
 	# exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
-	flake8 . --config=.github/linters/.flake8 --count --exit-zero --max-complexity=15 --max-line-length=150
-	isort --settings-file=.github/linters/.isort.cfg .
-	pylint --rcfile=.github/linters/.python-lint --fail-under=9.0 *.py
-	mypy --config-file=.github/linters/.mypy.ini *.py
-	black .
+	uv run flake8 . --config=.github/linters/.flake8 --count --exit-zero --max-complexity=15 --max-line-length=150
+	uv run isort --settings-file=.github/linters/.isort.cfg .
+	uv run pylint --rcfile=.github/linters/.python-lint --fail-under=9.0 *.py
+	uv run mypy --config-file=.github/linters/.mypy.ini *.py
+	uv run black .
diff --git a/README.md b/README.md
@@ -266,11 +266,12 @@ The job summary contains the same markdown content that is written to the config
 ## Local usage without Docker
 
 1. Make sure you have at least Python3.11 installed
+1. Install [uv](https://docs.astral.sh/uv/getting-started/installation/)
 1. Copy `.env-example` to `.env`
 1. Fill out the `.env` file with a _token_ from a user that has access to the organization to scan (listed below). Tokens should have at least read:org access for organization scanning and read:repository for repository scanning.
 1. Fill out the `.env` file with the configuration parameters you want to use
-1. `pip3 install -r requirements.txt`
-1. Run `python3 ./contributors.py`, which will output everything in the terminal
+1. `uv sync`
+1. Run `uv run python3 ./contributors.py`, which will output everything in the terminal
 
 ## License
 
diff --git a/pyproject.toml b/pyproject.toml
@@ -0,0 +1,22 @@
+[project]
+name = "contributors"
+version = "2.0.0"
+description = "GitHub Action that produces information about contributors over a specified time period."
+requires-python = ">=3.11"
+dependencies = [
+    "github3-py==4.0.1",
+    "python-dotenv==1.2.1",
+    "requests==2.32.5",
+]
+
+[dependency-groups]
+dev = [
+    "black==26.1.0",
+    "flake8==7.3.0",
+    "mypy==1.19.1",
+    "mypy-extensions==1.1.0",
+    "pylint==4.0.5",
+    "pytest==9.0.2",
+    "pytest-cov==7.0.0",
+    "types-requests==2.32.4.20260107",
+]
diff --git a/requirements-test.txt b/requirements-test.txt
diff --git a/requirements.txt b/requirements.txt
diff --git a/test_contributors.py b/test_contributors.py
@@ -345,20 +345,21 @@ def test_main_sets_new_contributor_flag(self):
             "",
         )
 
-        with patch.object(
-            contributors_module.env, "get_env_vars"
-        ) as mock_get_env_vars, patch.object(
-            contributors_module.auth, "auth_to_github"
-        ) as mock_auth_to_github, patch.object(
-            contributors_module, "get_all_contributors"
-        ) as mock_get_all_contributors, patch.object(
-            contributors_module.contributor_stats,
-            "is_new_contributor",
-            return_value=True,
-        ) as mock_is_new, patch.object(
-            contributors_module.markdown, "write_to_markdown"
-        ), patch.object(
-            contributors_module.json_writer, "write_to_json"
+        with (
+            patch.object(contributors_module.env, "get_env_vars") as mock_get_env_vars,
+            patch.object(
+                contributors_module.auth, "auth_to_github"
+            ) as mock_auth_to_github,
+            patch.object(
+                contributors_module, "get_all_contributors"
+            ) as mock_get_all_contributors,
+            patch.object(
+                contributors_module.contributor_stats,
+                "is_new_contributor",
+                return_value=True,
+            ) as mock_is_new,
+            patch.object(contributors_module.markdown, "write_to_markdown"),
+            patch.object(contributors_module.json_writer, "write_to_json"),
         ):
             mock_get_env_vars.return_value = (
                 "org",
@@ -403,18 +404,19 @@ def test_main_fetches_sponsor_info_when_enabled(self):
             "https://github.com/sponsors/user1",
         )
 
-        with patch.object(
-            contributors_module.env, "get_env_vars"
-        ) as mock_get_env_vars, patch.object(
-            contributors_module.auth, "auth_to_github"
-        ) as mock_auth_to_github, patch.object(
-            contributors_module, "get_all_contributors"
-        ) as mock_get_all_contributors, patch.object(
-            contributors_module.contributor_stats, "get_sponsor_information"
-        ) as mock_get_sponsor_information, patch.object(
-            contributors_module.markdown, "write_to_markdown"
-        ), patch.object(
-            contributors_module.json_writer, "write_to_json"
+        with (
+            patch.object(contributors_module.env, "get_env_vars") as mock_get_env_vars,
+            patch.object(
+                contributors_module.auth, "auth_to_github"
+            ) as mock_auth_to_github,
+            patch.object(
+                contributors_module, "get_all_contributors"
+            ) as mock_get_all_contributors,
+            patch.object(
+                contributors_module.contributor_stats, "get_sponsor_information"
+            ) as mock_get_sponsor_information,
+            patch.object(contributors_module.markdown, "write_to_markdown"),
+            patch.object(contributors_module.json_writer, "write_to_json"),
         ):
             mock_get_env_vars.return_value = (
                 "org",
diff --git a/uv.lock b/uv.lock
