feat: add PyPI resource and pyproject autodiscovery plugins (#8155)

* feat: add PyPI resource and pyproject autodiscovery plugins

Add Python ecosystem support to updatecli with two new plugins:

- pypi resource: queries PyPI JSON API for package versions,
  with PEP 440 to semver normalization (a/b/rc pre-releases),
  private registry support (Bearer token), and yanked version filtering.

- pyproject autodiscovery: discovers pyproject.toml + uv.lock pairs,
  parses PEP 508 dependencies, generates manifests using pypi source
  and uv add shell target. Named pyproject (alias python/uv) for
  multi-PM extensibility following the npm pattern.

Signed-off-by: Loïs Postula <lois@postu.la>

* fix: cursor comments

---------

Signed-off-by: Loïs Postula <lois@postu.la>

Author: loispostula

.github/workflows/go.yaml

@@ -55,6 +55,10 @@ jobs:
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: "25.8.0"
+      - name: Install uv
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
+        with:
+          version: "0.11.1"
       - name: Install GoReleaser
         uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
         with:

e2e/updatecli.d/success.d/autodiscovery/pyproject/pyproject.versionfilter.yaml

@@ -0,0 +1,18 @@
+name: "Pyproject autodiscovery with version filter using git scm"
+scms:
+  default:
+    kind: git
+    spec:
+      url: https://github.com/astral-sh/uv-fastapi-example.git
+      branch: "main"
+
+autodiscovery:
+  scmid: default
+  crawlers:
+    pyproject:
+      versionfilter:
+        kind: semver
+        pattern: minoronly
+      only:
+        - packages:
+            "fastapi": ""

e2e/updatecli.d/success.d/autodiscovery/pyproject/pyproject.yaml

@@ -0,0 +1,15 @@
+name: "Pyproject autodiscovery using git scm"
+scms:
+  default:
+    kind: git
+    spec:
+      url: https://github.com/astral-sh/uv-fastapi-example.git
+      branch: "main"
+
+autodiscovery:
+  scmid: default
+  crawlers:
+    pyproject:
+      only:
+        - packages:
+            "fastapi": ""

pkg/core/pipeline/autodiscovery/main.go

@@ -31,6 +31,7 @@ import (
 	"github.com/updatecli/updatecli/pkg/plugins/autodiscovery/npm"
 	"github.com/updatecli/updatecli/pkg/plugins/autodiscovery/plugin"
 	"github.com/updatecli/updatecli/pkg/plugins/autodiscovery/precommit"
+	"github.com/updatecli/updatecli/pkg/plugins/autodiscovery/pyproject"
 	"github.com/updatecli/updatecli/pkg/plugins/autodiscovery/terraform"
 	"github.com/updatecli/updatecli/pkg/plugins/autodiscovery/terragrunt"
 	"github.com/updatecli/updatecli/pkg/plugins/autodiscovery/updatecli"
@@ -234,6 +235,13 @@ var crawlerMap = map[string]struct {
 		},
 		spec: precommit.Spec{},
 	},
+	"pyproject": {
+		newFunc: func(spec any, rootDir string, scmID string, actionID, pluginName string) (Crawler, error) {
+			return pyproject.New(spec, rootDir, scmID, actionID)
+		},
+		spec:  pyproject.Spec{},
+		alias: []string{"python/uv"},
+	},
 	"prow": {
 		newFunc: func(spec any, rootDir string, scmID string, actionID, pluginName string) (Crawler, error) {
 			return kubernetes.New(spec, rootDir, scmID, actionID, kubernetes.FlavorProw)

pkg/core/pipeline/resource/main.go

@@ -35,6 +35,7 @@ import (
 	"github.com/updatecli/updatecli/pkg/plugins/resources/json"
 	"github.com/updatecli/updatecli/pkg/plugins/resources/maven"
 	"github.com/updatecli/updatecli/pkg/plugins/resources/npm"
+	"github.com/updatecli/updatecli/pkg/plugins/resources/pypi"
 	"github.com/updatecli/updatecli/pkg/plugins/resources/shell"
 	stashBranch "github.com/updatecli/updatecli/pkg/plugins/resources/stash/branch"
 	stashTag "github.com/updatecli/updatecli/pkg/plugins/resources/stash/tag"
@@ -208,6 +209,10 @@ func New(rs ResourceConfig) (resource Resource, err error) {
 
 		return npm.New(rs.Spec)
 
+	case "pypi":
+
+		return pypi.New(rs.Spec)
+
 	case "shell":
 
 		return shell.New(rs.Spec)
@@ -309,6 +314,7 @@ func GetResourceMapping() map[string]interface{} {
 		"json":               &json.Spec{},
 		"maven":              &maven.Spec{},
 		"npm":                &npm.Spec{},
+		"pypi":               &pypi.Spec{},
 		"shell":              &shell.Spec{},
 		"stash/branch":       &stashBranch.Spec{},
 		"stash/tag":          &stashTag.Spec{},

pkg/plugins/autodiscovery/pyproject/dependencies.go

@@ -0,0 +1,230 @@
+package pyproject
+
+import (
+	"bytes"
+	"fmt"
+	"path"
+	"path/filepath"
+	"sort"
+	"text/template"
+
+	"github.com/BurntSushi/toml"
+	"github.com/sirupsen/logrus"
+	"github.com/updatecli/updatecli/pkg/plugins/utils/version"
+)
+
+// pyprojectTOML mirrors the subset of pyproject.toml we care about.
+type pyprojectTOML struct {
+	Project struct {
+		Name                 string              `toml:"name"`
+		Dependencies         []string            `toml:"dependencies"`
+		OptionalDependencies map[string][]string `toml:"optional-dependencies"`
+	} `toml:"project"`
+}
+
+// loadPyprojectData reads and unmarshals a pyproject.toml file.
+func loadPyprojectData(filePath string) (pyprojectTOML, error) {
+	var data pyprojectTOML
+	if _, err := toml.DecodeFile(filePath, &data); err != nil {
+		return data, fmt.Errorf("parsing %q: %w", filePath, err)
+	}
+	return data, nil
+}
+
+// discoverDependencyManifests is the main entry point called by DiscoverManifests.
+func (p Pyproject) discoverDependencyManifests() ([][]byte, error) {
+	var manifests [][]byte
+
+	searchFromDir := p.rootDir
+	// spec.RootDir relative paths are joined onto rootDir; absolute ones were resolved in New().
+	if p.spec.RootDir != "" && !path.IsAbs(p.spec.RootDir) {
+		searchFromDir = filepath.Join(p.rootDir, p.spec.RootDir)
+	}
+
+	foundFiles, err := findPyprojectFiles(searchFromDir)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, foundFile := range foundFiles {
+		logrus.Debugf("parsing file %q", foundFile)
+
+		dir := filepath.Dir(foundFile)
+
+		lockSupport, skip := detectLockFileSupport(dir, p.uvAvailable)
+		if skip {
+			continue
+		}
+
+		data, err := loadPyprojectData(foundFile)
+		if err != nil {
+			logrus.Debugln(err)
+			continue
+		}
+
+		relativeFile, err := filepath.Rel(p.rootDir, foundFile)
+		if err != nil {
+			logrus.Debugln(err)
+			continue
+		}
+
+		workdir, err := filepath.Rel(p.rootDir, dir)
+		if err != nil {
+			logrus.Debugln(err)
+			continue
+		}
+
+		projectName := data.Project.Name
+
+		// Process [project.dependencies] — the main dependency group.
+		mainDeps := make([]string, len(data.Project.Dependencies))
+		copy(mainDeps, data.Project.Dependencies)
+		sort.Strings(mainDeps)
+
+		manifests = append(manifests, p.processDependencies(mainDeps, "", relativeFile, lockSupport, projectName, workdir)...)
+
+		// Process each [project.optional-dependencies] group in deterministic order.
+		groups := make([]string, 0, len(data.Project.OptionalDependencies))
+		for g := range data.Project.OptionalDependencies {
+			groups = append(groups, g)
+		}
+		sort.Strings(groups)
+
+		for _, group := range groups {
+			groupDeps := make([]string, len(data.Project.OptionalDependencies[group]))
+			copy(groupDeps, data.Project.OptionalDependencies[group])
+			sort.Strings(groupDeps)
+
+			manifests = append(manifests, p.processDependencies(groupDeps, group, relativeFile, lockSupport, projectName, workdir)...)
+		}
+	}
+
+	logrus.Printf("%v manifests identified", len(manifests))
+
+	return manifests, nil
+}
+
+// processDependencies generates manifests for a list of PEP 508 dependency strings.
+// group is the optional-dependency group name, or "" for main dependencies.
+func (p Pyproject) processDependencies(
+	deps []string,
+	group string,
+	relativeFile string,
+	lockSupport lockFileSupport,
+	projectName string,
+	workdir string,
+) [][]byte {
+	var manifests [][]byte
+
+	tmpl, err := template.New("manifest").Parse(manifestTemplate)
+	if err != nil {
+		logrus.Errorln(err)
+		return manifests
+	}
+
+	for _, depStr := range deps {
+		dep, err := parsePEP508(depStr)
+		if err != nil {
+			logrus.Warningf("skipping dependency %q from %q: %s", depStr, relativeFile, err)
+			continue
+		}
+
+		if len(p.spec.Ignore) > 0 && p.spec.Ignore.isMatchingRules(p.rootDir, relativeFile, dep.Name, dep.Version) {
+			logrus.Debugf("ignoring %q from %q as matching ignore rule(s)", dep.Name, relativeFile)
+			continue
+		}
+
+		if len(p.spec.Only) > 0 && !p.spec.Only.isMatchingRules(p.rootDir, relativeFile, dep.Name, dep.Version) {
+			logrus.Debugf("ignoring %q from %q as not matching only rule(s)", dep.Name, relativeFile)
+			continue
+		}
+
+		params := p.buildTemplateParams(dep, group, relativeFile, lockSupport, projectName, workdir)
+
+		var buf bytes.Buffer
+		if err := tmpl.Execute(&buf, params); err != nil {
+			logrus.Debugln(err)
+			continue
+		}
+
+		manifests = append(manifests, buf.Bytes())
+	}
+
+	return manifests
+}
+
+// buildTemplateParams constructs the manifestTemplateParams for a single dependency.
+func (p Pyproject) buildTemplateParams(
+	dep pythonDependency,
+	group string,
+	relativeFile string,
+	lockSupport lockFileSupport,
+	projectName string,
+	workdir string,
+) manifestTemplateParams {
+	// Build a human-readable manifest name that includes the optional group when set.
+	var manifestName string
+	if group == "" {
+		manifestName = fmt.Sprintf("deps(pypi): bump %q for %q project", dep.Name, projectName)
+	} else {
+		manifestName = fmt.Sprintf("deps(pypi): bump %q [%s] for %q project", dep.Name, group, projectName)
+	}
+
+	// Determine version filter.
+	//
+	// Priority:
+	//   1. User-specified VersionFilter from spec.
+	//   2. Constraint derived from the dependency itself (e.g. ">=2.28").
+	//   3. Wildcard "*" when no version information is present.
+	sourceVersionFilterKind := p.versionFilter.Kind
+	sourceVersionFilterPattern := p.versionFilter.Pattern
+	sourceVersionFilterRegex := p.versionFilter.Regex
+
+	if !p.spec.VersionFilter.IsZero() && dep.Version != "" {
+		var err error
+		sourceVersionFilterPattern, err = p.versionFilter.GreaterThanPattern(dep.Version)
+		if err != nil {
+			logrus.Debugf("building version filter pattern for %q: %s", dep.Name, err)
+			sourceVersionFilterPattern = p.versionFilter.Pattern
+		}
+	}
+
+	if p.spec.VersionFilter.IsZero() {
+		if dep.Constraint != "" {
+			sourceVersionFilterKind = version.PEP440VERSIONKIND
+			sourceVersionFilterPattern = dep.Constraint
+		} else {
+			sourceVersionFilterKind = version.PEP440VERSIONKIND
+			sourceVersionFilterPattern = "*"
+		}
+	}
+
+	// uv add flag for optional dependency groups.
+	// Trailing space is intentional — the template concatenates this directly before the quoted package spec.
+	var uvAddGroupFlag string
+	if group != "" {
+		uvAddGroupFlag = "--optional " + group + " "
+	}
+
+	relLockFile := filepath.Join(workdir, "uv.lock")
+
+	return manifestTemplateParams{
+		ManifestName:               manifestName,
+		ActionID:                   p.actionID,
+		SourceID:                   dep.Name,
+		SourceName:                 fmt.Sprintf("Get latest %q package version", dep.Name),
+		SourceVersionFilterKind:    sourceVersionFilterKind,
+		SourceVersionFilterPattern: sourceVersionFilterPattern,
+		SourceVersionFilterRegex:   sourceVersionFilterRegex,
+		DependencyName:             dep.Name,
+		IndexURL:                   p.spec.IndexURL,
+		TargetID:                   dep.Name,
+		TargetName:                 fmt.Sprintf("deps(pypi): bump %q to {{ source %q }}", dep.Name, dep.Name),
+		ScmID:                      p.scmID,
+		UvEnabled:                  lockSupport.uv,
+		UvAddGroupFlag:             uvAddGroupFlag,
+		PyprojectFile:              relativeFile,
+		LockFile:                   relLockFile,
+		Workdir:                    workdir,
+	}
+}