Conversation
github-actions
bot
added
documentation
Replace three independent requirements.txt files with a uv workspace containing benchmarks, dev, and docs projects. This provides a single lockfile, eliminates ad-hoc venv/pip logic in bench.sh, and simplifies dependency management across all Python code in the repo. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace setup-python + venv + pip install with astral-sh/setup-uv and uv sync/run, matching the new uv workspace structure. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
adriangb
force-pushed
the
migrate-python-to-uv-workspace
branch
from
eda8580 to
353a8d1
Compare
timsaucer
left a comment
timsaucer
left a comment
There was a problem hiding this comment.
Overall looks good to me. I have a couple of minor suggestions. From the PR description it isn't clear to me if you've run all of those commands to verify they work as expected. Maybe just update the description if they've all been manually verified.
Should we also update our release documentation to tell people to run uv run python generate-changelog.py instead? Also we can do a drive-by delete of download-python-wheels.py since it isn't used (and maybe also check-rat-report.py since it isn't mentioned anywhere in the release documents)
| with: | ||
| python-version: "3.12" | ||
| - name: Setup uv | ||
| uses: astral-sh/setup-uv@f0ec1fc3b38f5e7cd731bb6ce540c5af426746bb # v6.1.0 |
There was a problem hiding this comment.
Is the specific commit a requirement? I think astral-sh/setup-uv@v6 is pretty stable
There was a problem hiding this comment.
No, but it is generally encouraged to lock to commits in GHA: a commit provides an immutable reference to "safe" code. A tag is mutable. If a malicious actor gains control of an action repository they can upload a new v6 and infect everyone. If everyone is pinned to the commit they can't force the malicious code into everyone's CI unless you opt in by updating the hash. TLDR because there are no lockfiles for CI and because CI is a critical vector for supply chain attacks it's best to pin to a hash.
| with: | ||
| python-version: "3.12" | ||
| - name: Setup uv | ||
| uses: astral-sh/setup-uv@f0ec1fc3b38f5e7cd731bb6ce540c5af426746bb # v6.1.0 |
There was a problem hiding this comment.
Same as below, do we need to specific a specific sha here?
| [tool.uv.workspace] | ||
| members = ["benchmarks", "dev", "docs"] |
There was a problem hiding this comment.
Is there a reason to use three pyproject.toml files instead of just one here at the root and three dependency groups?
There was a problem hiding this comment.
Dunno, maybe personal preference, I feel it better mirrors the cargo workspace structure and since we use cargo workspaces here I felt it fit better.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2 participants
I was having trouble getting benchmarks to gen data.
Summary
requirements.txtfiles with a uv workspace (benchmarks,dev,docsprojects)uv.locklockfile for reproducible dependency resolutionbench.shby removing all ad-hoc venv/pip logic in favor ofuv runTest plan
uv syncresolves all deps from repo rootuv run --project benchmarks python3 benchmarks/compare.pyworksuv run --project docs sphinx-build docs/source docs/buildbuilds docsbench.shthat uses Python (e.g., h2o data gen or compare flow)🤖 Generated with Claude Code