
Use uv audit #184 (Open)

evandowning wants to merge 9 commits into master from remove-pip-audit

Conversation

evandowning (Collaborator) commented Jun 26, 2026

Since we use uv now, we don't need to use pip-audit. Instead, we can use uv audit.

@evandowning evandowning self-assigned this Jun 26, 2026
evandowning and others added 5 commits June 26, 2026 09:27
Add a `sync` Makefile target that installs the exact versions pinned in
uv.lock (`uv sync --frozen`) instead of re-resolving from pyproject.toml.

Point the README development setup and the tests, lint, integration, and
pip-audit workflows at `make sync` so CI and local setup reproduce the
locked dependency set.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Without a `[build-system]` table, uv locked it-depends as a virtual
project (`source = { virtual = "." }`) and `uv sync` did not install the
package itself, breaking `import it_depends` under `make sync`/`make test`.
`uv pip install -e .` had masked this via setuptools' legacy fallback.

Declare the setuptools backend and relock so the project resolves as an
editable install.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
`--locked` asserts uv.lock is in sync with pyproject.toml and aborts with
an error if they have drifted, rather than trusting the lockfile blindly
(`--frozen`) or silently regenerating it. Apply to `make sync` and the uv
audit workflow so CI fails loudly when the lockfile is stale.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
uv audit reads pyproject.toml + uv.lock directly and does not need the
project installed, so the apt system-dependency step and `make dev` build
step were dead weight. Remove them, rename the stale `pip-audit` job id to
`uv-audit`, fix the label comment, and pass --python-version so the matrix
audits each Python version instead of running four identical jobs.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@evandowning evandowning added the audit Runs auditing label Jun 26, 2026
@evandowning evandowning requested a review from ESultanik June 26, 2026 14:39
@evandowning evandowning marked this pull request as ready for review June 26, 2026 14:39
evandowning and others added 3 commits June 26, 2026 11:02
Add `uv python install ${{ matrix.python }}` (matching tests and
integration workflows) so uv runs the audit on the managed interpreter
for each matrix version, instead of the runner's system Python. Drop the
redundant --python-version flag, which now defaults to that interpreter.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
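The workflow shape the commits above converge on, written out as an added example (this is not the it-depends project's actual workflow file and is not the author's code): install uv, install the uv-managed interpreter for each matrix entry, then run `uv audit --locked` straight from pyproject.toml and uv.lock with no apt step and no `make dev` build. The workflow filename, the `audit` label trigger, the matrix versions, and the setup-uv action version are assumptions; `uv audit` and its behaviour are taken as the PR describes them.

```yaml
# Added example, not the it-depends project's own workflow.
# Assumed: label name "audit", matrix versions, setup-uv action version.
name: uv audit

on:
  pull_request:
    types: [labeled, synchronize]

jobs:
  uv-audit:
    # Run only when the PR carries the `audit` label (assumed trigger).
    if: contains(github.event.pull_request.labels.*.name, 'audit')
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        python: ["3.10", "3.11", "3.12", "3.13"]  # assumed versions
    steps:
      - uses: actions/checkout@v4

      - name: Install uv
        uses: astral-sh/setup-uv@v5

      # Give uv a managed interpreter for this matrix entry so the audit
      # resolves for that version rather than the runner's system Python;
      # with this in place no --python-version flag is needed.
      - name: Install Python ${{ matrix.python }}
        run: uv python install ${{ matrix.python }}

      # --locked fails the job if uv.lock has drifted from pyproject.toml,
      # so a stale lockfile cannot produce a silently incomplete audit.
      # No install or build step precedes this: the audit reads the
      # lockfile directly.
      - name: Audit locked dependencies
        run: uv audit --locked
```

The two checks a reviewer would want here are visible in the file itself: the job has no `apt-get`, `make dev` or `uv sync` step before the audit, and `--locked` (rather than `--frozen`) is what turns a stale uv.lock into a loud CI failure instead of an audit of the wrong dependency set.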