build(ci): Use setup-uv v7 and remove uv version pinning #7799

Merged: phacops merged 5 commits into master from fix/bump-version-python-install on Mar 6, 2026

@phacops phacops commented Mar 5, 2026

Summary

  • Update astral-sh/setup-uv from pinned v6 SHA to the v7 tag across all workflow files
  • Remove explicit uv version pinning (0.8.2) from all workflow files and the Dockerfile
  • Use uv run instead of direct python / .venv/bin/python calls to let uv handle Python installation automatically

Test plan

  • CI workflows pass (linting, typing, tests, docs build, ddl-changes, bump-version-test)
  • Docker image builds successfully

🤖 Generated with Claude Code

phacops added 2 commits March 5, 2026 11:09
The bump-version workflow fails because python3 (via uv shim) cannot
find the Python 3.13.12 interpreter specified in .python-version.
Add an explicit uv python install step and remove the pinned uv version
to use the latest.

Co-Authored-By: Claude <noreply@anthropic.com>

Agent transcript: https://claudescope.sentry.dev/share/L0DH5cB_C9aBYvM9KtWa2qrE0CiMiAyIVEBDtkLbBjg
@phacops phacops marked this pull request as ready for review March 5, 2026 19:12
@phacops phacops requested a review from a team as a code owner March 5, 2026 19:12
@phacops phacops enabled auto-merge (squash) March 5, 2026 19:20
@phacops phacops disabled auto-merge March 5, 2026 19:52
Use the v7 tag for astral-sh/setup-uv instead of the pinned SHA for v6,
and remove all explicit uv version pins (0.8.2) from workflow files and
Dockerfile to always use the latest version.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Agent transcript: https://claudescope.sentry.dev/share/UYlMeQ0s-VRuT8HpAY3vBFOD7WExPjh-XbUO-7Yas9E
Replace direct python and .venv/bin/python calls with uv run so that
uv handles Python installation automatically. This avoids needing
explicit uv python install steps in CI workflows.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Agent transcript: https://claudescope.sentry.dev/share/QAyeHyyaEWgI5HtIWmkwComyWCTEDh9ULqHVrBat1kc
@phacops phacops changed the title from "fix(ci): Install Python in bump-version workflow" to "build(ci): Use setup-uv v7 and remove uv version pinning" Mar 5, 2026
Pin astral-sh/setup-uv to the exact commit hash for v7.3.1 instead
of the mutable v7 tag, improving supply chain security.

Co-Authored-By: Claude <noreply@anthropic.com>

Agent transcript: https://claudescope.sentry.dev/share/cTaWcqt1ukWWrnk-CJvWYTcGVbg73d2YMrDik-_Rz-I
@phacops phacops enabled auto-merge (squash) March 6, 2026 21:53

@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

RUN python3 -m pip install \
--index-url 'https://pypi.devinfra.sentry.io/simple' 'uv==0.8.2'
--index-url 'https://pypi.devinfra.sentry.io/simple' 'uv'
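
Review bot: The replacement requirement `'uv'` on the `--index-url` line carries no version specifier, so the same Dockerfile can produce images with different uv releases depending on what `https://pypi.devinfra.sentry.io/simple` serves at build time. Keep an exact `==` pin here and bump it deliberately, or move the requirement into a hashed requirements file installed with pip's `--require-hashes`, so a uv upgrade arrives as a reviewable change rather than as a side effect of a rebuild.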

Unpinned uv version in production Dockerfile risks build breakage

Medium Severity

The uv package version pin was removed in the production Dockerfile, changing from 'uv==0.8.2' to 'uv'. While the GitHub Actions all pin to a specific SHA for setup-uv, the Dockerfile now installs whatever uv version happens to be latest on the private PyPI index at build time. A breaking uv release (e.g., changes to uv sync, lockfile format, or dependency resolution) could cause non-reproducible or failing production image builds without any code change.


@phacops phacops merged commit 1e1857e into master Mar 6, 2026
42 of 43 checks passed
@phacops phacops deleted the fix/bump-version-python-install branch March 6, 2026 22:24
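
The two pinning questions raised in this thread (a mutable `v7` tag versus a commit hash for `astral-sh/setup-uv`, and `'uv'` versus `'uv==0.8.2'` in the Dockerfile) can be checked mechanically. The following is an added example, not code from this pull request or the project; the function names are hypothetical, and the sample workflow and its 40-hex SHA are constructed placeholders.

```python
import re
import shlex

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"[0-9a-f]{40}")            # full commit SHA: immutable ref
PIN_RE = re.compile(r"[A-Za-z0-9._-]+(\[[^\]]*\])?==[^=\s]+")  # name==version
# pip options that consume the next token as their value
VALUE_OPTS = {"-i", "--index-url", "--extra-index-url", "-r", "-c"}

def unpinned_actions(workflow_text):
    """Return (line_no, ref) for each `uses:` whose ref is not a full commit SHA."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # local actions and docker:// images are out of scope here
        ref = m.group(1).partition("@")[2]
        if not SHA_RE.fullmatch(ref):
            findings.append((no, m.group(1)))
    return findings

def unpinned_pip_installs(dockerfile_text):
    """Return requirements in `pip install` RUN lines lacking an exact `==` pin."""
    findings = []
    joined = re.sub(r"\\[ \t]*\n", " ", dockerfile_text)  # fold line continuations
    for line in joined.splitlines():
        if not line.lstrip().upper().startswith("RUN "):
            continue
        tokens = shlex.split(line)
        for i, tok in enumerate(tokens[:-1]):
            if tok in ("pip", "pip3") and tokens[i + 1] == "install":
                args = iter(tokens[i + 2:])
                for arg in args:
                    if arg in ("&&", "||", ";", "|"):
                        break  # end of this pip command
                    if arg in VALUE_OPTS:
                        next(args, None)  # skip the option's value
                    elif not arg.startswith("-") and not PIN_RE.fullmatch(arg):
                        findings.append(arg)
    return findings

# Constructed samples; the 40-hex SHA is a placeholder, not a real setup-uv commit.
WORKFLOW = """steps:
  - uses: astral-sh/setup-uv@v7
  - uses: astral-sh/setup-uv@0123456789abcdef0123456789abcdef01234567
"""
DOCKER_OLD = ("RUN python3 -m pip install \\\n"
              "    --index-url 'https://pypi.devinfra.sentry.io/simple' 'uv==0.8.2'\n")
DOCKER_NEW = DOCKER_OLD.replace("uv==0.8.2", "uv")

if __name__ == "__main__":
    print(unpinned_actions(WORKFLOW), unpinned_pip_installs(DOCKER_NEW))
```

Run as a CI lint step, a non-empty result from either function can fail the job, which keeps tag-based action refs and unpinned installer requirements from landing unnoticed.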