chore: migrate to uv with supply-chain guardrails#91
Merged
Conversation
- Add missing deps to pyproject.toml (flask-socketio, simple-websocket, requests, cryptography); swap mlflow[genai] for mlflow-tracing
- Add [tool.uv] exclude-newer = "7 days" to block packages less than a week old (supply-chain protection)
- Add [tool.uv.sources] git overrides for requests + cryptography (Databricks PyPI proxy workaround)
- Gitignore uv.lock — hashes are proxy-specific, not portable for customers
- Add compile step to dependency-audit.yml to warn when requirements.txt drifts from pyproject.toml
- Add update-lockfile.yml to auto-regenerate requirements.lock whenever Dependabot merges a requirements.txt bump

Co-authored-by: Marshall Krassenstein <marshall.krassenstein@databricks.com>
uv==0.7.12 predates relative duration support in exclude-newer ("7 days").
Switching to the official action ensures we always get a current uv version.
Co-authored-by: Marshall Krassenstein <marshall.krassenstein@databricks.com>
Owner
Pyproject.toml isn't used currently. Only requirements.txt and the lock file from there. But this is important. Did you run it on a workspace to see everything runs ok? I'm out at the moment; if things check out fine, please merge right in.
Co-authored-by: Marshall Krassenstein
Collaborator, Author
FYI @datasciencemonkey, it failed the Dependabot check because I added a check against the lock file after everything else runs. Confirmed the app runs successfully on dogfood just deploying from git.
In my own words: pyproject didn't match requirements.txt in some of the packages. Relevant to litellm stuff was a dependency on mlflow[genai] that we didn't actually need or use. I added the uv.lock to .gitignore for now because of the proxy server.
Dependabot now generates the requirements.lock file for us based on packages being at least 7 days old. Hopefully this is an alright pattern.
AI Summary below is pretty good.
Summary

- pyproject.toml — added missing deps (flask-socketio, simple-websocket, requests, cryptography); swapped mlflow[genai] for mlflow-tracing (app only uses tracing hooks, confirmed by codebase search); added [tool.uv] with exclude-newer = "7 days" to block packages uploaded less than a week ago; added [tool.uv.sources] git overrides for requests and cryptography (Databricks PyPI proxy workaround)
- .gitignore — ignore uv.lock since package hashes from the internal proxy aren't portable for customers
- dependency-audit.yml — added compile step that warns if requirements.txt has drifted from pyproject.toml
- update-lockfile.yml — new workflow that auto-regenerates requirements.lock whenever Dependabot merges a requirements.txt bump

Test plan

- dependency-audit.yml passes on this PR — validates the new compile step works
- update-lockfile.yml triggers correctly on a future Dependabot merge

This pull request was AI-assisted by Marshall.
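The `exclude-newer = "7 days"` rule this PR adds, reimplemented as an added example (not the project's or uv's own code) so the same age gate can be checked against a `requirements.lock` pin outside of uv. The release data and the `NOW` timestamp are constructed; the dict mirrors the shape of the `releases` field in PyPI's JSON API, and version parsing assumes plain numeric versions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample mirroring the "releases" field of PyPI's JSON API
# (version -> list of uploaded files). Versions and timestamps are made up.
SAMPLE_RELEASES = {
    "2.31.0": [{"upload_time_iso_8601": "2023-05-22T15:12:43.000000Z", "yanked": False}],
    "2.32.0": [{"upload_time_iso_8601": "2024-05-20T10:00:00.000000Z", "yanked": True}],
    "2.32.1": [{"upload_time_iso_8601": "2024-05-21T09:30:00.000000Z", "yanked": False}],
    "2.32.2": [{"upload_time_iso_8601": "2024-05-29T18:00:00.000000Z", "yanked": False}],
}
# Constructed "current time" so the example is deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _version_key(version: str) -> tuple:
    # Assumes plain numeric versions; use packaging.version for full PEP 440.
    return tuple(int(p) for p in version.split("."))


def release_age_days(files: list, now: datetime) -> float:
    # A release is only as old as its newest file: a wheel re-uploaded
    # yesterday for an old version is still a fresh artifact.
    newest = max(_parse_ts(f["upload_time_iso_8601"]) for f in files)
    return (now - newest) / timedelta(days=1)


def _usable(files: list) -> bool:
    return bool(files) and not any(f.get("yanked", False) for f in files)


def allowed_versions(releases: dict, now: datetime, min_age_days: int = 7) -> list:
    """Versions that pass the age gate, newest first; yanked or empty releases are skipped."""
    ok = [v for v, files in releases.items()
          if _usable(files) and release_age_days(files, now) >= min_age_days]
    return sorted(ok, key=_version_key, reverse=True)


def check_pin(line: str, releases: dict, now: datetime, min_age_days: int = 7) -> tuple:
    """Apply the gate to a pinned lock line such as 'requests==2.32.2'."""
    name, _, version = line.strip().partition("==")
    files = releases.get(version)
    if not _usable(files or []):
        return False, f"{name}=={version}: not published or yanked"
    age = release_age_days(files, now)
    if age < min_age_days:
        return False, f"{name}=={version}: only {age:.1f} days old (< {min_age_days})"
    return True, f"{name}=={version}: {age:.1f} days old"
```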