
chore: migrate tooling from Poetry to uv and modernize pre-commit #144

Open
williaby wants to merge 4 commits into main from claude/migrate-poetry-to-uv-wfO4m

Conversation

@williaby williaby commented May 17, 2026

Summary

Single PR addressing three open tooling issues. The project standard is now uv (not Poetry) and ruff (not black/flake8/isort), and this PR aligns the repo with that standard.

Issue 1 — Migrate CI workflow to uv (Closes #136)

  • Renamed .github/workflows/prepare-poetry.yml → .github/workflows/prepare-uv.yml.
  • Uses astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b (v8.1.0, SHA-pinned) for both Python install and uv setup, with enable-cache: true + cache-dependency-glob: uv.lock replacing the manual Poetry cache step.
  • google-github-actions/auth step preserved unchanged.
  • uv sync --all-extras --frozen replaces poetry install.
  • uv export --only-group dev --no-hashes --format requirements-txt replaces poetry export.
  • Index credentials moved to UV_INDEX_URL / UV_EXTRA_INDEX_URL env vars.
  • Updated 15 caller workflows to reference ./.github/workflows/prepare-uv.yml.

Issue 2 — Pre-commit hooks via ruff, not black/flake8/isort (References #82, redirected to ruff)

  • Rewrote .pre-commit-config.yaml with:
    • ruff (linting, replaces flake8 + isort) with --fix --exit-non-zero-on-fix
    • ruff-format (formatting, replaces black)
    • basedpyright (type checking)
    • detect-secrets (secret scanning) with existing .secrets.baseline
    • trailing-whitespace, end-of-file-fixer from pre-commit-hooks
  • All 4 external rev: fields are pinned to full 40-character SHAs (ruff-pre-commit v0.15.13, basedpyright-pre-commit-mirror 1.39.4, detect-secrets v1.5.0, pre-commit-hooks v6.0.0).
  • No black, flake8, or isort hooks added — ruff covers all three.
  • Local Nox-driven hooks switched from poetry run to uv run.

Issue 3 — pyproject.toml on uv/PEP 621 conventions (References #96, redirected to uv)

  • Migrated [tool.poetry] → PEP 621 [project] (with dependencies list using PEP 508 specifiers).
  • Migrated [tool.poetry.group.dev.dependencies] → [dependency-groups].dev.
  • Added [tool.uv] and [[tool.uv.index]] entries for Assured OSS + PyPI.
  • Build backend changed from poetry-core → hatchling (with [tool.hatch.build.targets.wheel] packages = ["src/ledgerbase"]).
  • Added [tool.basedpyright] configuration.
  • Deleted poetry.lock and poetry.toml; uv.lock is generated on first uv sync.

Out of scope

Downstream workflow steps in weekly-check.yml, security-*.yml, etc. still invoke poetry run nox -s … inside their own jobs. Those are independent of the prepare-* reusable workflow and weren't part of the three issues; they'd need a separate PR to migrate to uv run.

Test plan

  • uv sync succeeds locally and generates uv.lock
  • uv export --only-group dev --no-hashes --format requirements-txt produces a valid requirements file
  • pre-commit run --all-files passes (ruff, ruff-format, basedpyright, detect-secrets, file hygiene)
  • CI run of any workflow that calls prepare-uv.yml (e.g. release.yml, sbom.yml) completes the prepare job successfully

Generated by Claude Code

Summary by CodeRabbit

  • Chores
    • Migrated from Poetry to uv for Python package management and dependency resolution.
    • Updated project configuration to use PEP 621 standard and hatchling build backend.
    • Refreshed development tooling setup with updated pre-commit hooks, linting, and type checking configurations.
    • Regenerated dependency lock files to align with new package manager toolchain.

Review Change Stack

- Replace prepare-poetry.yml with prepare-uv.yml using astral-sh/setup-uv
  (SHA-pinned to v8.1.0). GCP Artifact Registry auth is unchanged; uv
  sync replaces poetry install and uv export replaces poetry export.
  Update all workflows that call the prepare workflow.

- Rewrite .pre-commit-config.yaml with SHA-pinned hooks for ruff +
  ruff-format (replacing black/flake8/isort), basedpyright (type
  checking), detect-secrets (secret scanning), and the standard
  pre-commit-hooks for trailing-whitespace and end-of-file-fixer.
  Local Nox-driven hooks now invoke via uv run.

- Migrate pyproject.toml from [tool.poetry] sections to PEP 621
  [project] + [dependency-groups] + [tool.uv], switching the build
  backend to hatchling. Remove poetry.lock and poetry.toml (uv.lock
  will be generated on first uv sync).

Closes #136
References #82 (redirected to ruff)
References #96 (redirected to uv)
Copilot AI review requested due to automatic review settings May 17, 2026 05:45

coderabbitai Bot commented May 17, 2026

Warning

Rate limit exceeded

@williaby has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 1 minute and 18 seconds before requesting another review.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d0d16f12-cb16-47f1-93da-358e7ab12f68

📥 Commits

Reviewing files that changed from the base of the PR and between f7c9e18 and ba9805a.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (18)
  • .github/workflows/gh-pages.yml
  • .github/workflows/license.yml
  • .github/workflows/prepare-uv.yml
  • .github/workflows/release.yml
  • .github/workflows/sbom.yml
  • .github/workflows/security-pip-audit.yml
  • .github/workflows/security-semgrep.yml
  • .github/workflows/security-snyk.yml
  • .github/workflows/security-trivy.yml
  • .github/workflows/templates/generate-matrix.yml
  • .github/workflows/templates/lint-matrix.yml
  • .github/workflows/templates/nox-template-matrix.yml
  • .github/workflows/templates/nox-template.yml
  • .github/workflows/templates/python-template-pip.yml
  • .github/workflows/templates/test-matrix.yml
  • .github/workflows/weekly-check.yml
  • dev-requirements.txt
  • pyproject.toml
📝 Walkthrough


Migrates the project from Poetry to uv by introducing a new prepare-uv.yml CI workflow, converting pyproject.toml to PEP 621 with hatchling backend, updating pre-commit hooks to use ruff and basedpyright, and rewiring 16 CI workflows to reference the uv-based setup.

Changes

Poetry to uv Dependency Management Migration

  • Create uv Dependency Setup Workflow (.github/workflows/prepare-uv.yml): New reusable workflow installs uv v8.1.0, authenticates to Google Artifact Registry via GCP service account JSON secret, runs uv sync --all-extras --frozen, and exports dev requirements to dev-requirements.txt. Replaces the removed prepare-poetry.yml.
  • Migrate Project Configuration from Poetry to uv (pyproject.toml, dev-requirements.txt): Converts pyproject.toml from Poetry configuration to PEP 621 format with uv dependency groups and hatchling build backend. Ruff lint rules updated to select = ["ALL"] with revised ignores. New tool sections for basedpyright, semantic-release, sqlfluff, and codespell. Poetry-specific package sources removed. dev-requirements.txt regenerated via uv export without prior Python version environment markers.
  • Update Pre-commit Hooks Configuration (.pre-commit-config.yaml): Replaces Poetry-driven local hooks with external hooks (ruff-pre-commit including ruff and ruff-format, basedpyright, detect-secrets) and Nox-driven system hooks (bandit, semgrep, vulture, shellcheck, codespell, pip-audit with pip-audit on pre-push). Removes Mypy and legacy security hooks. Updates forbidden-commit hook messages for .env.prod and .plain.json.
  • Rewire All CI Workflows to prepare-uv (.github/workflows/gh-pages.yml, .github/workflows/license.yml, .github/workflows/release.yml, .github/workflows/sbom.yml, .github/workflows/security-*.yml, .github/workflows/templates/generate-matrix.yml, .github/workflows/templates/lint-matrix.yml, .github/workflows/templates/nox-template*.yml, .github/workflows/templates/python-template-pip.yml, .github/workflows/templates/test-matrix.yml, .github/workflows/weekly-check.yml): All 16 CI workflows and templates updated to call ./.github/workflows/prepare-uv.yml instead of the prior Poetry-based prepare-poetry.yml. Step display names changed to "Prepare uv & Assured OSS".

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 From Poetry's pen to uv's swift wing,
We've swapped the old setup for something lean,
Workflows now hum with Ruff in their ring,
Hatchling builds projects so clean!
Pre-commit checks dance the modern way—
Basedpyright and Nox brightened the day! 🚀

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

  • Out of Scope Changes check: ❓ Inconclusive. While pre-commit modernization (ruff, basedpyright, detect-secrets) and pyproject.toml migration are reasonable companion changes, they extend beyond the narrowly-scoped issue #136 which focuses solely on prepare-poetry.yml → prepare-uv.yml CI migration. Resolution: Clarify scope boundaries: confirm whether pre-commit tooling updates and pyproject.toml PEP 621 conversion are intentional enhancements linked to issue #136 or separate refactoring efforts.

✅ Passed checks (4 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'chore: migrate tooling from Poetry to uv and modernize pre-commit' accurately and concisely summarizes the main changes: replacing Poetry with uv and updating pre-commit configuration.
  • Linked Issues check: ✅ Passed. The PR successfully implements all core requirements from issue #136: replaces Poetry with uv via astral-sh/setup-uv, updates caching paths, replaces poetry install/export with uv sync/export, updates all 15 caller workflows, and migrates pyproject.toml to PEP 621.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@github-actions

FIPS Compatibility Check: PASSED

Metric Count
Errors 0
Warnings 0
Info 0

@socket-security

socket-security Bot commented May 17, 2026

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

- Generate uv.lock so uv sync --frozen succeeds in every workflow that
  calls prepare-uv.yml or otherwise uses the lock-based install path
  (python-compatibility matrix, fips-compatibility, code quality, etc.).
- Add `permissions: contents: read` to prepare-uv.yml to satisfy CodeQL
  alert that workflows must minimize GITHUB_TOKEN scope.
@github-actions

FIPS Compatibility Check: PASSED

Metric Count
Errors 0
Warnings 0
Info 0

Replaces the stale Poetry-exported file. Resolves the Socket Security
warning about nltk@3.9.1 (GHSA-7p94-766c-hgjp, Zip Slip): the uv lock
resolves nltk@3.9.4 which is patched.
@github-actions

FIPS Compatibility Check: PASSED

Metric Count
Errors 0
Warnings 0
Info 0


Copilot AI left a comment


Pull request overview

Migrates LedgerBase’s Python tooling from Poetry-centric configuration to an uv + PEP 621 setup, and modernizes pre-commit to use ruff/ruff-format plus basedpyright, while updating CI workflows to call a new prepare-uv reusable workflow.

Changes:

  • Replace Poetry-managed project metadata/dependencies in pyproject.toml with PEP 621 + uv conventions and switch build backend to Hatchling.
  • Rewrite .pre-commit-config.yaml to use ruff/ruff-format, basedpyright, detect-secrets, and update local hooks to use uv run.
  • Add .github/workflows/prepare-uv.yml, delete prepare-poetry.yml, and update multiple workflows/templates to reference the new reusable workflow.

Reviewed changes

Copilot reviewed 21 out of 23 changed files in this pull request and generated 4 comments.

  • pyproject.toml: Migrates project metadata/deps to PEP 621 + uv; adds hatchling + basedpyright config.
  • poetry.toml: Removes Poetry-specific configuration.
  • .pre-commit-config.yaml: Updates hooks to ruff/ruff-format, basedpyright, detect-secrets; moves local hooks to uv run.
  • .github/workflows/prepare-uv.yml: New reusable workflow for setting up uv + Assured OSS and exporting dev requirements.
  • .github/workflows/prepare-poetry.yml: Removes the old Poetry-based reusable workflow.
  • .github/workflows/weekly-check.yml: Points the “prepare” job at prepare-uv.yml.
  • .github/workflows/templates/test-matrix.yml: Updates the “prepare” job to use prepare-uv.yml.
  • .github/workflows/templates/python-template-pip.yml: Updates the “prepare” job to use prepare-uv.yml.
  • .github/workflows/templates/nox-template.yml: Updates the “prepare” job to use prepare-uv.yml.
  • .github/workflows/templates/nox-template-matrix.yml: Updates the “prepare” job to use prepare-uv.yml.
  • .github/workflows/templates/lint-matrix.yml: Updates the “prepare” job to use prepare-uv.yml.
  • .github/workflows/templates/generate-matrix.yml: Updates the “prepare” job to use prepare-uv.yml.
  • .github/workflows/security-trivy.yml: Updates the “prepare” job to use prepare-uv.yml.
  • .github/workflows/security-snyk.yml: Updates the “prepare” job to use prepare-uv.yml.
  • .github/workflows/security-semgrep.yml: Updates the “prepare” job to use prepare-uv.yml.
  • .github/workflows/security-pip-audit.yml: Updates the “prepare” job to use prepare-uv.yml.
  • .github/workflows/sbom.yml: Updates the “prepare” job to use prepare-uv.yml.
  • .github/workflows/release.yml: Updates the “prepare” job to use prepare-uv.yml.
  • .github/workflows/license.yml: Updates the “prepare” job to use prepare-uv.yml.
  • .github/workflows/gh-pages.yml: Updates the “prepare” job to use prepare-uv.yml.
Comments suppressed due to low confidence (16)

pyproject.toml:113

  • Ruff is configured with target-version = "py312" while the project declares requires-python = ">=3.11,<4.0" and basedpyright is set to 3.11. Align Ruff’s target version with the minimum supported Python version to avoid permitting 3.12-only syntax/features.
[tool.ruff]
target-version = "py312"
line-length    = 88
fix            = true
show-fixes     = true

.github/workflows/weekly-check.yml:46

  • This workflow now calls prepare-uv.yml, but the subsequent jobs still run poetry run … without installing Poetry (and the prepare job environment can’t be reused across jobs). Update the jobs that run Python tooling to set up uv/Python and run commands via uv run … (or explicitly install Poetry in each job).
  prepare:
    name: Prepare uv & Assured OSS
    uses: ./.github/workflows/prepare-uv.yml
    with:
      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
    secrets:
      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}

.github/workflows/templates/test-matrix.yml:20

  • This reusable workflow now depends on prepare-uv.yml, but the test job still runs poetry run … without installing Poetry/setting up a Python environment. Since jobs don’t share the prepare environment, the test job should set up uv/Python and use uv run nox … (or install Poetry in that job).
jobs:
  prepare:
    name: Prepare uv & Assured OSS
    uses: ./.github/workflows/prepare-uv.yml
    with:
      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
    secrets:
      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}

.github/workflows/templates/python-template-pip.yml:33

  • This template now uses prepare-uv.yml, but the task job still runs poetry run … without installing Poetry. Because the prepare job’s environment isn’t shared, the task job needs its own uv/Python setup and should execute via uv run … (or explicitly install Poetry).
jobs:
  prepare:
    name: Prepare uv & Assured OSS
    uses: ./.github/workflows/prepare-uv.yml
    with:
      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
    secrets:
      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}

.github/workflows/templates/nox-template.yml:37

  • This template now calls prepare-uv.yml, but the nox-single job still uses poetry run nox … without installing Poetry. Since the prepare job doesn’t provision tools for other jobs, update the job to set up uv/Python and use uv run nox … (or install Poetry in nox-single).
jobs:
  prepare:
    name: Prepare uv & Assured OSS
    uses: ./.github/workflows/prepare-uv.yml
    with:
      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
    secrets:
      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}

.github/workflows/templates/nox-template-matrix.yml:39

  • This template now calls prepare-uv.yml, but the nox-matrix job still uses poetry run nox … without installing Poetry. Since jobs don’t share the prepare environment, update nox-matrix to set up uv/Python and run uv run nox … (or install Poetry in that job).
jobs:
  prepare:
    name: Prepare uv & Assured OSS
    uses: ./.github/workflows/prepare-uv.yml
    with:
      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
    secrets:
      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}

.github/workflows/templates/lint-matrix.yml:20

  • This template now depends on prepare-uv.yml, but the lint-matrix job still runs poetry run nox … without installing Poetry. Because the prepare job environment can’t be reused across jobs, add uv/Python setup to lint-matrix and run sessions via uv run nox … (or install Poetry there).
jobs:
  prepare:
    name: Prepare uv & Assured OSS
    uses: ./.github/workflows/prepare-uv.yml
    with:
      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
    secrets:
      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}

.github/workflows/templates/generate-matrix.yml:20

  • This template now depends on prepare-uv.yml, but the generate job still runs poetry run nox … without installing Poetry. Since the prepare job doesn’t affect other jobs, the generate job should set up uv/Python and use uv run nox … (or install Poetry in that job).
jobs:
  prepare:
    name: Prepare uv & Assured OSS
    uses: ./.github/workflows/prepare-uv.yml
    with:
      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
    secrets:
      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}

.github/workflows/release.yml:36

  • This workflow now calls prepare-uv.yml, but the release job still executes poetry run … without installing Poetry/setting up Python. Since the prepare job environment isn’t shared, the release job needs its own tool setup (preferably setup-uv + uv run …) or an explicit Poetry install step.
jobs:
  prepare:
    name: Prepare uv & Assured OSS
    uses: ./.github/workflows/prepare-uv.yml
    with:
      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
    secrets:
      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}

.github/workflows/sbom.yml:37

  • This workflow now calls prepare-uv.yml, but the sbom job still runs poetry run … without installing Poetry/setting up Python. Because the prepare job environment can’t be reused across jobs, add per-job setup (e.g., setup-uv + uv sync/uv run) or install Poetry in the sbom job.
  # 1. Prepare uv & Assured OSS environment (with caching)
  prepare:
    uses: ./.github/workflows/prepare-uv.yml
    with:
      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
    secrets:
      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}

.github/workflows/license.yml:42

  • This workflow now calls prepare-uv.yml, but subsequent jobs still run poetry run … without installing Poetry/setting up Python. Since prepare runs in a separate job, add uv/Python setup to the jobs that run Nox (or install Poetry in those jobs).
jobs:
  prepare:
    name: Prepare uv & Assured OSS
    uses: ./.github/workflows/prepare-uv.yml
    with:
      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
    secrets:
      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}

.github/workflows/gh-pages.yml:31

  • This workflow now calls prepare-uv.yml, but the docs job still runs poetry run … without installing Poetry/setting up Python. Because the prepare job environment isn’t shared, the docs job should set up uv/Python and run via uv run nox … (or install Poetry in the docs job).
jobs:
  prepare:
    name: Prepare uv & Assured OSS
    uses: ./.github/workflows/prepare-uv.yml
    with:
      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
    secrets:
      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}

.github/workflows/security-trivy.yml:40

  • This workflow now calls prepare-uv.yml, but the trivy job still runs poetry run nox … without installing Poetry/setting up Python. Since the prepare job is isolated, add setup-uv/Python (and dependency sync) to the trivy job and run via uv run nox … (or install Poetry there).
jobs:
  prepare:
    name: Prepare uv & Assured OSS
    uses: ./.github/workflows/prepare-uv.yml
    with:
      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
    secrets:
      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}

.github/workflows/security-snyk.yml:44

  • This workflow now calls prepare-uv.yml, but the snyk_scan job still uses poetry run … without installing Poetry/setting up Python. Since prepare is a separate job, snyk_scan needs its own Python toolchain setup (prefer setup-uv + uv run nox …) or an explicit Poetry install step.
jobs:
  prepare:
    name: Prepare uv & Assured OSS
    uses: ./.github/workflows/prepare-uv.yml
    with:
      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
    secrets:
      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}

.github/workflows/security-semgrep.yml:45

  • This workflow now calls prepare-uv.yml, but the semgrep job still runs poetry run nox … without installing Poetry/setting up Python. Because the prepare job environment isn’t shared, add uv/Python setup to the semgrep job and run via uv run nox … (or install Poetry there).
jobs:
  prepare:
    name: Prepare uv & Assured OSS
    uses: ./.github/workflows/prepare-uv.yml
    with:
      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
    secrets:
      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}

.github/workflows/security-pip-audit.yml:42

  • This workflow now calls prepare-uv.yml, but the pip_audit_report job still runs poetry run … without installing Poetry/setting up Python. Since prepare runs in a separate job, add per-job setup (prefer setup-uv + uv run pip-audit/uv run sarif …) or install Poetry in pip_audit_report.
jobs:
  prepare:
    uses: ./.github/workflows/prepare-uv.yml
    with:
      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
    secrets:
      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}

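The per-job setup the Copilot comments above keep asking for, as an added example that is not one of the project's workflow files: a caller that passes GCP_SA_JSON only through secrets, then provisions uv for itself before running Nox, because nothing from the prepare job's runner (tools, venv, registry auth) is inherited by sibling jobs. The workflow name, the checkout and auth action versions, and the nox session name are assumptions.

```yaml
# Added example, not a file from the PR. Shows one caller of prepare-uv.yml
# that also sets up uv in its own job; "lint" and the session name are assumed.
name: lint
on: [pull_request]

permissions:
  contents: read          # minimum GITHUB_TOKEN scope, as the CodeQL alert requires

jobs:
  prepare:
    name: Prepare uv & Assured OSS
    uses: ./.github/workflows/prepare-uv.yml
    # prepare-uv.yml declares GCP_SA_JSON under workflow_call.secrets only,
    # so it is passed here and NOT under with: (a with: entry is ignored).
    secrets:
      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}

  lint:
    needs: prepare        # ordering only: prepare's environment is not shared
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # pin to a commit SHA as done for setup-uv

      # Registry auth must be repeated here if dependencies resolve from
      # Assured OSS; the prepare job's credentials do not carry over.
      - uses: google-github-actions/auth@v2  # assumed major version; pin by SHA
        with:
          credentials_json: ${{ secrets.GCP_SA_JSON }}

      # Same SHA-pinned setup-uv (v8.1.0) and cache settings as prepare-uv.yml.
      - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b
        with:
          enable-cache: true
          cache-dependency-glob: uv.lock

      # --frozen installs exactly what uv.lock pins and fails fast if the
      # lockfile is missing or out of date, so drift cannot slip in silently.
      - run: uv sync --all-extras --frozen

      # Replaces the old `poetry run nox -s ...`; the session name is assumed.
      - run: uv run nox -s lint
```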

credentials_json: ${{ secrets.GCP_SA_JSON }}

- name: Install Dependencies
run: uv sync --all-extras --frozen
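Review bot: `uv sync --all-extras --frozen` only works once uv.lock is committed; with --frozen, uv refuses to resolve and exits with an error when the lockfile is absent, and the PR description says uv.lock "is generated on first uv sync". Commit uv.lock alongside this workflow (the follow-up commit on this PR does exactly that) so the prepare job can pass, and keep --frozen rather than relaxing it, since it is what guarantees CI installs the pinned resolution.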
Comment thread pyproject.toml
Comment on lines +14 to +22
[project]
name = "ledgerbase"
version = "0.1.0"
description = "A financial ledger and budgeting application."
authors = ["Byron Williams"]
license = "MIT"
authors = [{ name = "Byron Williams" }]
license = { text = "MIT" }
readme = "README.md"
packages = [{ include = "ledgerbase", from = "src" }]

[tool.poetry.dependencies]
python = ">=3.11,<4.0"
Flask = "^3.1.0"
Flask-SQLAlchemy = "^3.1.1"
cryptography = "^44.0.2"
python-dotenv = "^1.1.0"
sentry-sdk = { extras = ["flask"], version = "^2.25.1" }
marshmallow = "^3.21.2"
Flask-Limiter = "^3.5.0"
gunicorn = "^23.0.0"
psycopg = { version = "^3.1.18", extras = ["binary"] }
python-dateutil = "^2.9.0.post0"
plaid-python = "^30.0.0"
PyYAML = "^6.0.1"
jinja2 = ">=3.1.6,<3.2.0"
nox = "^2025.2.9"
requests = "^2.31.0"
semgrep = "^1.119.0"
keyring = "^24.0.0"
"keyrings.google-artifactregistry-auth" = "^1.1.2"
packaging = "^23.1"

[tool.poetry.group.dev.dependencies]
# Core testing & linting
pytest = "^8.3.5"
pytest-cov = "^6.1.1"
ruff = "^0.11.7"
mypy = "^1.15.0"
pre-commit = "^4.2.0"
sqlfluff = "^3.4.0"
nox = "^2025.2.9"

# Security scanning tools
bandit = "^1.8.3"
safety = "^3.4.0"

# Security report formatters
bandit-sarif-formatter = "^1.1.1"
"sarif-tools" = "^3.0.4"

# Documentation tools
sphinx = "^8.2.0"
sphinxcontrib-plantuml = "^0.25"
readthedocs-sphinx-search = "^0.3.2"
sphinxcontrib-spelling = "^7.2"
sphinx-lint = "^0.8"
myst-parser = ">=4.0.1"
furo = ">=2024.8.6"
sphinx-copybutton = ">=0.5.2"
sphinx-autodoc-typehints = ">=3.1.0"

# Other dev utilities
codespell = "^2.1"
pip-licenses = "^4.4.0"
python-semantic-release = "^9.21.0"
twine = "^5.1.0"
vulture = "^2.11"
yamllint = "^1.35.1"
types-requests = "^2.31.0.10"
pathspec = "^0.12.1"
pydantic = "^2.9.0,<2.10.0"
poetry-plugin-export = "^1.8.0"
PyGithub = "^1.59.0"
contourpy = "^1.3.2"


[[tool.poetry.source]]
name = "assured-oss"
url = "https://us-python.pkg.dev/cloud-aoss/cloud-aoss-python/simple"
priority = "primary"

[[tool.poetry.source]]
name = "pypi"
priority = "supplemental"
requires-python = ">=3.11,<4.0"
dependencies = [
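Review bot: with the +/- markers lost in this rendering it is unclear which side `packages = [{ include = "ledgerbase", from = "src" }]` belongs to; it is a Poetry-only key with no PEP 621 meaning, so it must be on the removed side and the package path should live only in `[tool.hatch.build.targets.wheel]` as the description states. Also, the `[project].dependencies` list starting at `dependencies = [` inherits nox, semgrep, keyring and keyrings.google-artifactregistry-auth from the old Poetry runtime table; these are CI/dev tooling and belong under `[dependency-groups].dev`, otherwise every installer of the package pulls in a scanner and a registry auth plugin.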
Comment thread pyproject.toml
"pytest>=8.3.5,<9.0.0",
"pytest-cov>=6.1.1,<7.0.0",
"ruff>=0.11.7,<1.0.0",
"basedpyright>=1.39.0,<2.0.0",
Comment thread .pre-commit-config.yaml
Comment on lines +111 to +116
- id: pip-audit
name: pip-audit (project-installed)
entry: uv run pip-audit
language: system
types: [markdown]
args:
- --disable
- MD013
- MD051
- --fix
stages: [pre-push]
pass_filenames: false
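Review bot: the pip-audit hook at lines +111 to +116 carries settings that look copied from a markdownlint hook. `--disable MD013 MD051` are not pip-audit options, so the hook will error on invocation, and `types: [markdown]` means pre-commit only runs it when a Markdown file is in the pushed set, which is unrelated to the dependencies being audited. `--fix` does exist in pip-audit but makes the hook upgrade packages in the environment, which is not what a pre-push check should do. Suggest `entry: uv run pip-audit`, drop the args, and use `always_run: true` (or `files:` scoped to uv.lock and pyproject.toml) with `pass_filenames: false`.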

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/gh-pages.yml (1)

26-31: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Drop with.GCP_SA_JSON; pass it only via secrets.

prepare-uv.yml defines GCP_SA_JSON under workflow_call.secrets, so providing it via with violates the reusable workflow contract and will be ignored.

Suggested fix
   prepare:
     name: Prepare uv & Assured OSS
     uses: ./.github/workflows/prepare-uv.yml
-    with:
-      GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
     secrets:
       GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
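Review bot: the fix is right for this file, but the identical `with: GCP_SA_JSON` mapping appears in every caller shown in the Copilot summaries (weekly-check.yml, release.yml, sbom.yml, license.yml, security-*.yml and all templates/*.yml), so the removal should be applied across all callers rather than gh-pages.yml alone. Before dropping the `with:` block entirely, confirm prepare-uv.yml declares no `inputs:` at all, otherwise only the GCP_SA_JSON entry should go.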
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/gh-pages.yml around lines 26 - 31, Remove the unsupported
with.GCP_SA_JSON input and only pass the secret via the reusable workflow's
secrets mapping: delete the with: GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }} line
(the "with" block entry) and keep the secrets: GCP_SA_JSON: ${{
secrets.GCP_SA_JSON }} mapping so prepare-uv.yml (the reusable workflow)
receives GCP_SA_JSON via workflow_call.secrets as intended.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/prepare-uv.yml:
- Around line 1-16: Remove the YAML front-matter block containing metadata keys
like title, category, usage, behavior, inputs, outputs, dependencies, author,
last_modified, changelog, and tags from the top of
.github/workflows/prepare-uv.yml so the file begins with the actual GitHub
Actions workflow definition; keep the existing workflow starting at the "name:"
and "on:" keys (and any subsequent jobs/steps such as uv setup and artifact
registry auth) and ensure no unknown top-level keys remain before "name:".

In @.github/workflows/templates/test-matrix.yml:
- Around line 15-16: The workflow still calls Poetry via "poetry run" even
though the job uses the prepare-uv.yml setup; open the test-matrix.yml and
replace the remaining "poetry run" invocations (the commands referenced in the
job steps) with "uv run" (or add an explicit Poetry install step if you intend
to keep Poetry), ensuring the step names that currently call "poetry run" are
updated to use "uv run" so they run under uv's environment created by
prepare-uv.yml.

In @.github/workflows/weekly-check.yml:
- Around line 41-42: Update the CI workflow to replace all uses of poetry with
uv: change every invocation like "poetry run <tool>" to "uv run <tool>" in the
weekly-check.yml job definitions (targets include commands invoking nox and
aikido-local-scanner). Specifically update the commands that call nox sessions
verify_assured, aikido-weekly-scan, aikido-usage-report, lint_other, vulture,
and lint_rst and the aikido-local-scanner invocation so they use "uv run"
instead of "poetry run"; after switching the runner, verify that the nox
sessions referenced (verify_assured, aikido-weekly-scan, aikido-usage-report)
exist in your noxfile and either add or correct those session names to match
actual session functions in the noxfile.

In `@pyproject.toml`:
- Line 110: Ruff's configured target-version (`target-version = "py312"`) is
  higher than the project's declared runtime floor (`requires-python =
  ">=3.11,<4.0"`), which can mask 3.11-only incompatibilities; update the
  Ruff configuration to target the minimum supported runtime (e.g., change
  target-version to "py311" or otherwise match the requires-python floor) so
  linting/fixes reflect the actual supported Python version.
- Around line 36-41: The listed tooling packages (nox, semgrep, keyring,
keyrings.google-artifactregistry-auth, and any similar dev-only tools) are
incorrectly placed in [project].dependencies; move each of these entries out of
that list and add them under dependency-groups.dev in pyproject.toml (create a
dev group if missing) so they become dev-only installs; ensure you remove
"nox>=2025.2.9", "semgrep>=1.119.0,<2.0.0", "keyring>=24.0.0,<25.0.0", and
"keyrings.google-artifactregistry-auth>=1.1.2,<2.0.0" from the runtime
dependencies and add equivalent entries under dependency-groups.dev.

---

Outside diff comments:
In @.github/workflows/gh-pages.yml:
- Around line 26-31: Remove the unsupported with.GCP_SA_JSON input and only pass
the secret via the reusable workflow's secrets mapping: delete the with:
GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }} line (the "with" block entry) and keep
the secrets: GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }} mapping so prepare-uv.yml
(the reusable workflow) receives GCP_SA_JSON via workflow_call.secrets as
intended.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 11a927ab-f140-40ec-899f-0bc03c172514

📥 Commits

Reviewing files that changed from the base of the PR and between ca3bfe5 and f7c9e18.

⛔ Files ignored due to path filters (2)
  • poetry.lock is excluded by !**/*.lock
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (21)
  • .github/workflows/gh-pages.yml
  • .github/workflows/license.yml
  • .github/workflows/prepare-poetry.yml
  • .github/workflows/prepare-uv.yml
  • .github/workflows/release.yml
  • .github/workflows/sbom.yml
  • .github/workflows/security-pip-audit.yml
  • .github/workflows/security-semgrep.yml
  • .github/workflows/security-snyk.yml
  • .github/workflows/security-trivy.yml
  • .github/workflows/templates/generate-matrix.yml
  • .github/workflows/templates/lint-matrix.yml
  • .github/workflows/templates/nox-template-matrix.yml
  • .github/workflows/templates/nox-template.yml
  • .github/workflows/templates/python-template-pip.yml
  • .github/workflows/templates/test-matrix.yml
  • .github/workflows/weekly-check.yml
  • .pre-commit-config.yaml
  • dev-requirements.txt
  • poetry.toml
  • pyproject.toml
💤 Files with no reviewable changes (2)
  • .github/workflows/prepare-poetry.yml
  • poetry.toml

Addresses reviewer feedback (Copilot, CodeRabbit, github-advanced-security):

- prepare-uv.yml: drop YAML front-matter block. The metadata keys
  (title/category/usage/etc.) at the workflow root violate the GitHub
  Actions schema and cause actionlint syntax errors. Keeping only the
  valid `name:`/`on:`/`jobs:` structure.

- Downstream workflow jobs (gh-pages, license, release, sbom, security-*,
  templates/*, weekly-check): replace `poetry run` with `uv run` and add
  `astral-sh/setup-uv` + `uv sync --frozen` to each affected job. The
  prepare-uv reusable workflow runs in its own runner so its environment
  is not shared with sibling jobs that need uv.

- All callers: drop the redundant `with: GCP_SA_JSON: ...` block. The
  reusable workflow declares the value under `secrets:` only, not
  `inputs:`, so the `with:` mapping was being silently ignored.

- pyproject.toml:
  * Move CI/dev-only tools (nox, semgrep, keyring,
    keyrings.google-artifactregistry-auth) out of runtime `dependencies`
    and into `dependency-groups.dev`.
  * Add back `mypy` (still used by the mypy nox session) and `pip-audit`
    (used by the pre-commit hook) under `dependency-groups.dev`.
  * Align ruff's `target-version = "py311"` with
    `requires-python = ">=3.11,<4.0"`.

- Regenerate uv.lock and dev-requirements.txt.
@github-actions

FIPS Compatibility Check: PASSED

Metric Count
Errors 0
Warnings 0
Info 0

Development

Successfully merging this pull request may close these issues.

chore(ci): migrate prepare-poetry.yml to uv
