Skip to content

[Chore] Remove Rye. Fully migrate to UV #116

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 12 commits into
base: main
Choose a base branch
from
Draft

[Chore] Remove Rye. Fully migrate to UV #116

wants to merge 12 commits into from

Conversation

@prassanna-ravishankar
Copy link
Member

@prassanna-ravishankar prassanna-ravishankar commented Sep 24, 2025
edited
Loading

Summary

Complete migration from Rye to UV package management with streamlined development workflow and CI/CD modernization.

Changes

Package Management:

  • Migrated from Rye to UV for all dependency management
  • Consolidated dev dependencies into [dependency-groups] format
  • Removed duplicate lock files (requirements*.lock)

GitHub Workflows:

  • Updated all workflows to use setup-uv@v6
  • Simplified CI configuration
  • Replaced wrapper scripts with direct UV commands
  • Removed redundant bin/ directory

Development Workflow:

  • Added Taskipy for task management with composition hooks
  • Integrated pre-commit configuration
  • Cleaned up scripts directory
  • Updated documentation (CONTRIBUTING.md, CLAUDE.md)

Key Commands:

  • uv run task bootstrap - Setup environment
  • uv run task format - Format code and docs (with hooks)
  • uv run task lint - Run all checks (with hooks)
  • uv run task test - Run tests with mock server

Breaking Changes

Developers need to:

  • Install UV instead of Rye
  • Use uv run task X instead of ./scripts/X for basic commands
  • Run uv run task setup-pre-commit to install hooks

Complex scripts (scripts/test, scripts/mock) preserved unchanged.

@socket-security
Copy link

socket-security bot commented Sep 24, 2025
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedpsutil@​7.0.0 ⏵ 6.1.172 +1100100100100
Updateddebugpy@​1.8.16 ⏵ 1.8.1774 +110010010090
Addedddtrace@​3.15.07410010010080
Updatedlitellm@​1.75.7 ⏵ 1.77.575 +1100100100100
Addedmypy@​1.18.282100100100100
Updatedfsspec@​2025.7.0 ⏵ 2025.9.089 +1100100100100
Updatedpytest@​8.4.1 ⏵ 8.4.290 +1100100100100
Updatedtemporalio@​1.15.0 ⏵ 1.18.1100 +2010090 -10100100
Addedexecnet@​2.1.191100100100100
Updatedhf-xet@​1.1.7 ⏵ 1.1.1010010093100100
Addedpre-commit@​4.3.093100100100100
Addeddistlib@​0.4.093100100100100
Addedidentify@​2.6.1410010010010070
Addednox@​2025.5.197100100100100
Addedpyright@​1.1.39997100100100100
Updatedanyio@​4.10.0 ⏵ 4.11.097 +1100100100100
Addedargcomplete@​3.6.297100100100100
Updatedpycparser@​2.22 ⏵ 2.2397 +1100100100100
Addeddatadog@​0.52.197100100100100
Updateduvicorn@​0.35.0 ⏵ 0.37.098 +1100100100100
Updatedmcp@​1.13.0 ⏵ 1.15.099100100100100
Updatedjsonschema@​4.25.0 ⏵ 4.25.199 +1100100100100
Updatedtyper@​0.16.0 ⏵ 0.16.199 +1100100100100
Updatedparso@​0.8.4 ⏵ 0.8.599 +1100100100100
Addedlegacy-cgi@​2.6.3100100100100100
Updatedtyping-extensions@​4.14.1 ⏵ 4.15.0100 +1100100100100
Updatedprotobuf@​5.29.5 ⏵ 6.32.1100 +1100100100100
Updatedregex@​2025.7.34 ⏵ 2025.9.18100 +1100100100100
Updatedpydantic@​2.11.7 ⏵ 2.11.9100100100100100
Updatedruff@​0.12.9 ⏵ 0.13.2100100100100100
Addedtaskipy@​1.14.1100100100100100
Addedtime-machine@​2.19.0100100100100100
Updatedpyyaml@​6.0.2 ⏵ 6.0.3100100100100100
See 24 more rows in the dashboard

View full report

semgrep-app[bot]
semgrep-app bot reviewed Sep 25, 2025
View reviewed changes
.github/actions/setup-uv/action.yml
Comment on lines +23 to +30
run: |
if [ "${{ inputs.uv-version }}" = "latest" ]; then
curl -LsSf https://astral.sh/uv/install.sh | sh
else
curl -LsSf https://astral.sh/uv/${{ inputs.uv-version }}/install.sh | sh
fi
echo "$HOME/.local/bin" >> $GITHUB_PATH

Copy link

@semgrep-app semgrep-app bot Sep 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:
Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by run-shell-injection.

You can view more details about this finding in the Semgrep AppSec Platform.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@semgrep-app semgrep-app[bot] semgrep-app[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@prassanna-ravishankar