diff --git a/.envrc b/.envrc
index d30a4028..05461775 100644
--- a/.envrc
+++ b/.envrc
@@ -4,13 +4,15 @@ if [[ -f .env ]]; then
     dotenv .env
 fi
 
-if [ ! -d .venv ]; then
-    echo "warning: creating virtualenv for the first time"
-    python3 -m venv .venv
-    source .venv/bin/activate
-    pip install -r requirements.txt
-    pip install -r requirements-dev.txt
-else
-    source .venv/bin/activate
-    unset PS1
+PATH_add "${HOME}/.local/share/sentry-devenv/bin"
+
+if ! command -v devenv >/dev/null; then
+    echo "install devenv: https://github.com/getsentry/devenv#install"
+    return 1
 fi
+
+PATH_add "${PWD}/.devenv/bin"
+
+export VIRTUAL_ENV="${PWD}/.venv"
+
+PATH_add "${PWD}/.venv/bin"
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index be5ae585..a96f713b 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -31,8 +31,7 @@ jobs:
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
-          pip install -r requirements.txt
-          pip install -r requirements-dev.txt
+          pip install -r requirements-dev-frozen.txt
           pip install -e .
       - name: Run tests
         run: pytest --cov --junitxml=junit.xml -o junit_family=legacy
diff --git a/Makefile b/Makefile
new file mode 100644
index 00000000..7c3e2fb9
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,7 @@
+all: requirements-frozen.txt requirements-dev-frozen.txt
+
+requirements-frozen.txt: requirements.txt
+	.venv/bin/pip-compile --allow-unsafe --no-annotate --quiet --strip-extras requirements.txt -o requirements-frozen.txt
+
+requirements-dev-frozen.txt: requirements.txt requirements-dev.txt
+	.venv/bin/pip-compile --allow-unsafe --no-annotate --quiet --strip-extras requirements.txt requirements-dev.txt -o requirements-dev-frozen.txt
diff --git a/devenv/config.ini b/devenv/config.ini
new file mode 100644
index 00000000..e754b8e9
--- /dev/null
+++ b/devenv/config.ini
@@ -0,0 +1,19 @@
+[devenv]
+minimum_version = 1.15.0
+
+[venv.venv]
+python = 3.12.6
+path = .venv
+requirements = requirements-dev-frozen.txt
+editable =
+  .
+
+[python3.12.6]
+darwin_x86_64 = https://github.com/indygreg/python-build-standalone/releases/download/20240909/cpython-3.12.6+20240909-x86_64-apple-darwin-install_only.tar.gz
+darwin_x86_64_sha256 = 8c56da91436bee158b0d592aed3393c1fe3da3694ca35950ee1c52935ba8bfd5
+darwin_arm64 = https://github.com/indygreg/python-build-standalone/releases/download/20240909/cpython-3.12.6+20240909-aarch64-apple-darwin-install_only.tar.gz
+darwin_arm64_sha256 = 899f46eb592fcac4e834c064e4c901e8a4a6b5864e80b18efd2f0b7c3c050584
+linux_x86_64 = https://github.com/indygreg/python-build-standalone/releases/download/20240909/cpython-3.12.6+20240909-x86_64-unknown-linux-gnu-install_only.tar.gz
+linux_x86_64_sha256 = 68ff386c923c59a33a272bd984b8a33fe8117c56ad7f7552e0c2b21937ee3c0b
+linux_arm64 = https://github.com/indygreg/python-build-standalone/releases/download/20240909/cpython-3.12.6+20240909-aarch64-unknown-linux-gnu-install_only.tar.gz
+linux_arm64_sha256 = caac1033f68f69d8978dc8c6b6964cfb9d8a111abc55c03403bd4ece63f331f3
diff --git a/devenv/sync.py b/devenv/sync.py
new file mode 100644
index 00000000..00b27020
--- /dev/null
+++ b/devenv/sync.py
@@ -0,0 +1,24 @@
+from __future__ import annotations
+
+from devenv.lib import config
+from devenv.lib import proc
+from devenv.lib import venv
+
+
+def main(context: dict[str, str]) -> int:
+    reporoot = context["reporoot"]
+
+    venv_dir, python_version, requirements, editable_paths, bins = venv.get(
+        reporoot,
+        "venv",
+    )
+    url, sha256 = config.get_python(reporoot, python_version)
+    print(f"ensuring venv at {venv_dir}...")
+    venv.ensure(venv_dir, python_version, url, sha256)
+
+    print(f"syncing venv with {requirements}...")
+    venv.sync(reporoot, venv_dir, requirements, editable_paths, bins)
+
+    proc.run(("pre-commit", "install", "--install-hooks", "-f"))
+
+    return 0
diff --git a/pyoxidizer.bzl b/pyoxidizer.bzl
index 81718fde..d12c396b 100644
--- a/pyoxidizer.bzl
+++ b/pyoxidizer.bzl
@@ -64,7 +64,7 @@ def make_exe():
 
     # Invoke `pip install` using a requirements file and add the collected resources
     # to our binary.
-    exe.add_python_resources(exe.pip_install(["-r", "requirements.txt"]))
+    exe.add_python_resources(exe.pip_install(["-r", "requirements-frozen.txt"]))
 
     # Read Python files from a local directory and add them to our embedded
     # context, taking just the resources belonging to the `foo` and `bar`
diff --git a/requirements-dev-frozen.txt b/requirements-dev-frozen.txt
new file mode 100644
index 00000000..c491dae8
--- /dev/null
+++ b/requirements-dev-frozen.txt
@@ -0,0 +1,46 @@
+#
+# This file is autogenerated by pip-compile with Python 3.12
+# by the following command:
+#
+#    pip-compile --allow-unsafe --no-annotate --output-file=requirements-dev-frozen.txt --strip-extras requirements-dev.txt requirements.txt
+#
+--index-url https://pypi.devinfra.sentry.io/simple
+
+black==24.4.2
+build==0.8.0
+certifi==2025.1.31
+cfgv==3.4.0
+click==8.1.8
+coverage==7.6.4
+distlib==0.3.9
+filelock==3.18.0
+freezegun==1.2.2
+identify==2.6.9
+iniconfig==2.0.0
+mypy==1.11.2
+mypy-extensions==1.0.0
+nodeenv==1.9.1
+packaging==24.0
+pathspec==0.12.1
+pep517==0.13.0
+pip-tools==7.3.0
+platformdirs==4.3.6
+pluggy==1.5.0
+pre-commit==3.6.0
+pytest==8.1.1
+pytest-cov==4.1.0
+python-dateutil==2.9.0.post0
+pyyaml==6.0.1
+sentry-devenv==1.8.0
+sentry-sdk==2.20.0
+six==1.17.0
+supervisor==4.2.5
+types-pyyaml==6.0.11
+typing-extensions==4.13.0
+urllib3==2.3.0
+virtualenv==20.29.3
+wheel==0.42.0
+
+# The following packages are considered to be unsafe in a requirements file:
+pip==23.3.2
+setuptools==70.0.0
diff --git a/requirements-dev.txt b/requirements-dev.txt
index 4160a077..54530687 100644
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@@ -9,3 +9,4 @@ setuptools==70.0.0
 build==0.8.0
 wheel==0.42.0
 freezegun==1.2.2
+pip-tools
diff --git a/requirements-frozen.txt b/requirements-frozen.txt
new file mode 100644
index 00000000..d73afc46
--- /dev/null
+++ b/requirements-frozen.txt
@@ -0,0 +1,19 @@
+#
+# This file is autogenerated by pip-compile with Python 3.12
+# by the following command:
+#
+#    pip-compile --allow-unsafe --no-annotate --output-file=requirements-frozen.txt --strip-extras requirements.txt
+#
+--index-url https://pypi.devinfra.sentry.io/simple
+
+certifi==2025.1.31
+packaging==24.0
+pyyaml==6.0.1
+sentry-devenv==1.8.0
+sentry-sdk==2.20.0
+supervisor==4.2.5
+typing-extensions==4.13.0
+urllib3==2.3.0
+
+# The following packages are considered to be unsafe in a requirements file:
+setuptools==78.1.0