Migrate to uv #540

Open
PastelStorm wants to merge 3 commits into main from evoss/migrate-to-uv

PastelStorm (Contributor) commented Feb 8, 2026

Note

Medium Risk
Broad build/CI/Docker dependency-management migration (tooling, lockfile, image build steps) could break installs or release pipelines if uv.lock/workflow assumptions are off, but runtime application logic is largely unchanged.

Overview
Migrates the project from pip/requirements/*.txt to uv by introducing a full pyproject.toml (including test extras and uv constraints) and switching installs/tests/linting in the Makefile, Docker image, and GitHub Actions to uv sync/uv run with uv.lock as the reproducible source of truth.

CI/release automation is updated accordingly: Dependabot now targets the repo root, the library-bump workflow upgrades via uv lock --upgrade, caching is based on uv.lock, Docker publish reads version from prepline_general/api/__version__.py, and legacy pinned requirements/*, setup.cfg, preprocessing-pipeline-family.yaml, the Rocky Linux Dockerfile, and the pandoc install script are removed. Tests are tweaked for stability (more tolerant OCR assertions) and the version is bumped to 0.1.0 with a changelog entry.

Written by Cursor Bugbot for commit 1ebbd36. This will update automatically on new commits.

socket-security bot commented Feb 8, 2026

Review the following changes in direct dependencies.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Added | github/astral-sh/setup-uv@e58605a9b6da7c637471fab8847a5e5a6b8df081 | 99 | 100 | 100 | 100 | 100 |


socket-security bot commented Feb 8, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts.

Action: Warn
Severity: High
Alert: Obfuscated code: pypi cuda-bindings is 98.0% likely obfuscated

Confidence: 0.98

Location: Package overview

From: ?pypi/cuda-bindings@12.9.4

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/cuda-bindings@12.9.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.

- name: Install uv
uses: astral-sh/setup-uv@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
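
Review bot: "uses: astral-sh/setup-uv@v5" in the Install uv step references a movable tag, so the action code that runs in CI can change without any change in this repository. Pin the action to a full commit SHA and keep the tag as a trailing comment, in the form "uses: astral-sh/setup-uv@<full-commit-sha> # v5", so that what CI executes is a fixed revision that can be reviewed before it is bumped.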

Smoke test fails: bare pytest call after venv activation removed

High Severity

The old CI workflows ran source .venv/bin/activate before make docker-test, putting pytest on PATH. This PR removes that activation and uses uv sync instead, but docker-smoke-test.sh (line 83) still calls bare pytest — not uv run pytest. Since uv sync creates a .venv without activating it, and setup-uv only adds uv to PATH, pytest won't be found. Every other pytest invocation in the Makefile was correctly updated to use uv run, but this script was missed.
