feat: migrate to uv#407
Conversation
Pull Request Review: Migration to uvOverviewThis PR migrates the project from Poetry to uv for dependency management and build tooling. This is a significant infrastructure change that affects CI/CD workflows, dependency management, and publishing processes. ✅ Strengths1. Modernization
2. Clean Migration
3. Workflow Improvements
|
Pull Request Review: Migration to uvThis PR migrates the project from Poetry to uv as the package manager. Overall, this is a solid modernization effort that should improve build times and developer experience. Critical Issues1. Release Workflow - Incorrect Version Command The commands 'uv version --short' display the uv tool version, NOT the project version. This will break releases. Fix: Use 'grep' to read from pyproject.toml or use 'uv run hatch version' with hatchling. 2. Build Backend Configuration 'hatchling>=1.28.0' is listed as a runtime dependency but should ONLY be in [build-system]. Build tools should not be runtime dependencies. High Priority Issues3. Dependency Version Constraints Tightened
Consider using more flexible constraints unless there's a specific reason. 4. Missing Test Workflow Medium Priority5. Documentation Workflow Redundancy 6. Black Version Jump Strengths
SecurityNo security concerns identified. Token handling remains secure. SummaryMust fix before merge: Issues #1 and #2 |
Pull Request Review: Migration to uvOverviewThis PR migrates the project from Poetry to uv for dependency management and builds. Overall, this is a solid modernization effort that should improve build times and simplify the toolchain. 🔴 Critical Issues1. Incorrect uv commands in release workflowLocation: The workflow uses Current code: old_version=$(uv version --short)
uv version ${{ github.event.inputs.version_part }}
new_version=$(uv version --short)Issue: This will cause the release workflow to fail when triggered. Suggested fix: You need to either:
Example solution: # Read current version from pyproject.toml
old_version=$(grep "^version = " pyproject.toml | cut -d\" -f2)
# Use Python to bump the version
python << 'EOF'
import re
with open('pyproject.toml', 'r') as f:
content = f.read()
# Extract current version
current = re.search(r'version = "([^"]+)"', content).group(1)
major, minor, patch = map(int, current.split('.'))
# Bump based on input (you would use the workflow input here)
# This is just an example
patch += 1
new_version = f"{major}.{minor}.{patch}"
# Update the file
content = re.sub(r'version = "[^"]+"', f'version = "{new_version}"', content)
with open('pyproject.toml', 'w') as f:
f.write(content)
EOF
# Read new version
new_version=$(grep "^version = " pyproject.toml | cut -d\" -f2)
|
PR Review: Migration from Poetry to uvSummary: This PR migrates from Poetry to uv for dependency management, updating workflows, replacing poetry.lock with uv.lock, and converting to dependency groups. Critical Issues1. BROKEN: uv version command (release_and_publish.yml:43-47) The workflow uses uv version --short and uv version but these commands DO NOT EXIST in uv. The uv version command only shows uv's own version, not the project version. This will BREAK ALL FUTURE RELEASES. RECOMMENDED FIX - Use hatch for version management:
2. Authlib version changed from 1.6.0 to 1.6.5 (pyproject.toml:19) 3. Lock file mismatch risk Warnings
Minor Issues
Strengths
Security & Performance
Action ItemsMUST FIX BEFORE MERGE:
SHOULD FIX: CONSIDER: Overall Assessment
The migration to uv is excellent for performance and developer experience, but the critical bug in the release workflow MUST be fixed first to prevent broken releases. |
authlib was pinned to an exact ==1.6.5 incidentally by the uv migration (#407), which froze the then-resolved version. It was originally added in #228 as a flexible ^1.5.1 for the OAuth2 refresh-token client and has no compatibility guard requiring an exact version. An exact pin is especially harmful in a published SDK because it forces dependency conflicts on downstream users. Relax to >=1.6.5,<2 (matching the original caret intent, floored at the currently-tested version). Verified the range resolves and that the latest 1.x (1.7.2) imports the OAuth2Client/OAuthError used by the SDK cleanly under the existing httpx<0.29 constraint. Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com> Co-authored-by: RapidPoseidon <poseidon@rapidata.ai>
No description provided.