Use uv audit #184
Open
evandowning wants to merge 9 commits into
Add a `sync` Makefile target that installs the exact versions pinned in uv.lock (`uv sync --frozen`) instead of re-resolving from pyproject.toml. Point the README development setup and the tests, lint, integration, and pip-audit workflows at `make sync` so CI and local setup reproduce the locked dependency set.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Without a `[build-system]` table, uv locked it-depends as a virtual
project (`source = { virtual = "." }`) and `uv sync` did not install the
package itself, breaking `import it_depends` under `make sync`/`make test`.
`uv pip install -e .` had masked this via setuptools' legacy fallback.
Declare the setuptools backend and relock so the project resolves as an
editable install.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
`--locked` asserts uv.lock is in sync with pyproject.toml and aborts with an error if they have drifted, rather than trusting the lockfile blindly (`--frozen`) or silently regenerating it. Apply to `make sync` and the uv audit workflow so CI fails loudly when the lockfile is stale.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
uv audit reads pyproject.toml + uv.lock directly and does not need the project installed, so the apt system-dependency step and `make dev` build step were dead weight. Remove them, rename the stale `pip-audit` job id to `uv-audit`, fix the label comment, and pass --python-version so the matrix audits each Python version instead of running four identical jobs.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Add `uv python install ${{ matrix.python }}` (matching tests and
integration workflows) so uv runs the audit on the managed interpreter
for each matrix version, instead of the runner's system Python. Drop the
redundant --python-version flag, which now defaults to that interpreter.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
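The audit workflow the commit messages above describe, written out as an added example rather than the PR's own file: a per-version matrix, a uv-managed interpreter installed for each entry, and `uv audit` run against the lockfile without installing the project. The action versions, the matrix values and the workflow triggers are assumptions, not taken from the repository.

```yaml
# Added example, not the repository's workflow. Action versions and the
# Python matrix are assumed; adjust them to match the project.
name: uv audit

on:
  push:
  pull_request:
  schedule:
    - cron: "0 6 * * 1"  # weekly run so new advisories surface without a code change

jobs:
  uv-audit:  # renamed from the stale `pip-audit` id, as in the PR
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python: ["3.10", "3.11", "3.12", "3.13"]  # assumed values
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v5

      # Install the managed interpreter for this matrix entry so the audit
      # resolves for that Python rather than the runner's system Python;
      # uv then defaults to it, so no --python-version flag is needed.
      - run: uv python install ${{ matrix.python }}

      # No apt system-dependency step and no `make dev`: uv audit reads
      # pyproject.toml and uv.lock directly and does not need the package
      # installed. --locked makes the job fail loudly if uv.lock has
      # drifted from pyproject.toml instead of trusting it (--frozen) or
      # silently regenerating it.
      - run: uv audit --locked
```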
Since we use uv now, we don't need to use pip-audit. Instead, we can use uv audit.