Skip to content

uv upgrade#169

Merged
mhieta merged 10 commits into
mainfrom
NS-209/uv-upgrade
Jun 25, 2026
Merged

uv upgrade#169
mhieta merged 10 commits into
mainfrom
NS-209/uv-upgrade

Conversation

@mhieta

@mhieta mhieta commented Jun 23, 2026

Copy link
Copy Markdown
Contributor
  • Replace requirements.in / requirements-dev.in / requirements.txt / requirements-dev.txt with pyproject.toml config + uv.lock
  • Move production dependencies to [project].dependencies
  • Move dev dependencies to [dependency-groups].dev
  • Move uwsgi and uwsgitop to [dependency-groups].prod
  • Add [tool.uv] configuration with package = false
  • Add [tool.uv] exclude-newer = "P3D" (supply chain protection)
  • Add .venv to .gitignore
  • Docker-build: install uv and use uv sync instead of pip install
  • Add .dockerignore-file
  • Update Dependabot to use uv
  • Update CI to use common uv django api workflow
  • Add uv-lock hook to pre-commit-configuration
  • Update pre-commit tool versions
  • Update README-instructions for uv
  • release-please: sync uv.lock lockfile version with pyproject.toml
  • update resilient_logger API usage after library upgrade
  • migrate custom_health_checks to django-health-check v4 API

Refs: NS-209

Summary by CodeRabbit

  • Chores
    • Migrated dependency management from pip/requirements to uv, including Docker build and development installs.
    • Updated CI workflow wiring, Dependabot settings, and pre-commit hooks for the new tooling.
  • Refactor
    • Reworked the health check system and JSON health endpoint behavior (including async execution and error reporting).
  • Documentation
    • Updated README instructions for maintaining and installing dependencies with uv/uv.lock.
  • Tests
    • Updated health/audit logging tests and added consistent resilient logger setup for test runs.

- Replace requirements.in / requirements-dev.in / requirements.txt /
  requirements-dev.txt with pyproject.toml config + uv.lock
- Move production dependencies to [project].dependencies
- Move dev dependencies to [dependency-groups].dev
- Move uwsgi and uwsgitop to [dependency-groups].prod
- Add [tool.uv] configuration with package = false
- Add [tool.uv] exclude-newer = "P3D" (supply chain protection)
- Update README-instructions for uv
- Add .venv to .gitignore

Refs: NS-209
@mhieta mhieta requested a review from a team as a code owner June 23, 2026 12:26
@coderabbitai

coderabbitai Bot commented Jun 23, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5e12279a-38be-450c-82be-29f6e3d22753

📥 Commits

Reviewing files that changed from the base of the PR and between 164c04e and 1601bc4.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (16)
  • .dockerignore
  • .github/dependabot.yml
  • .github/workflows/ci.yml
  • .pre-commit-config.yaml
  • Dockerfile
  • api/tests/conftest.py
  • api/tests/test_models.py
  • audit_log/tests/conftest.py
  • audit_log/tests/test_services.py
  • custom_health_checks/apps.py
  • custom_health_checks/backends.py
  • custom_health_checks/tests/test_backends.py
  • custom_health_checks/tests/test_healthz.py
  • custom_health_checks/views.py
  • pyproject.toml
  • release-please-config.json
💤 Files with no reviewable changes (1)
  • custom_health_checks/apps.py
✅ Files skipped from review due to trivial changes (3)
  • .dockerignore
  • .github/dependabot.yml
  • audit_log/tests/test_services.py
🚧 Files skipped from review as they are similar to previous changes (9)
  • release-please-config.json
  • custom_health_checks/tests/test_backends.py
  • api/tests/test_models.py
  • api/tests/conftest.py
  • pyproject.toml
  • audit_log/tests/conftest.py
  • .pre-commit-config.yaml
  • Dockerfile
  • custom_health_checks/views.py

📝 Walkthrough

Walkthrough

The PR migrates Python dependency management from pip and requirements.txt to uv and pyproject.toml, updates build and release tooling, refactors DatabaseHealthCheck to a dataclass-based async health check, and adjusts test fixtures and imports for resilient logger behavior.

Changes

pip → uv dependency management migration

Layer / File(s) Summary
Dependency declarations and lockfile inputs
pyproject.toml, requirements.txt
pyproject.toml gains project dependencies, dev/prod dependency groups, and uv settings; pip-tools compile config is removed; requirements.txt is cleared.
Docker and ignore rules for uv builds
Dockerfile, .dockerignore, .gitignore
Docker build stages switch to uv sync with pyproject.toml and uv.lock; local and build artifacts are added to ignore files.
CI, pre-commit, dependabot, release-please, and docs
.github/workflows/ci.yml, .pre-commit-config.yaml, .github/dependabot.yml, release-please-config.json, README.md
CI, pre-commit, Dependabot, and release-please are updated for uv, and the README rewrites dependency maintenance steps around uv sync and uv lock.

DatabaseHealthCheck framework refactor

Layer / File(s) Summary
DatabaseHealthCheck backend and app registration
custom_health_checks/backends.py, custom_health_checks/apps.py
DatabaseHealthCheck now subclasses HealthCheck with run(), and apps.py removes the runtime plugin registration hook.
HealthCheckJSONView async execution
custom_health_checks/views.py
HealthCheckJSONView now extends HealthCheckView, defines a fixed checks tuple, and runs checks asynchronously with asyncio.gather().
Backend and healthz tests updated to run()
custom_health_checks/tests/test_backends.py, custom_health_checks/tests/test_healthz.py
Tests switch from check_status() to run() and update the success and error response assertions.

ResilientLogSourceEntry test fixture and import updates

Layer / File(s) Summary
Test conftest fixtures for resilient logger environment
api/tests/conftest.py, audit_log/tests/conftest.py
Autouse fixtures set the resilient logger environment to test and clear cached config before and after each test.
ResilientLogSourceEntry import and usage in tests
api/tests/test_models.py, audit_log/tests/test_services.py
Tests replace ResilientLogSource with ResilientLogSourceEntry when building audit-log documents.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant HealthCheckJSONView
    participant Executor
    participant DatabaseHealthCheck

    Client->>HealthCheckJSONView: GET /healthz/
    HealthCheckJSONView->>Executor: asyncio.gather(configured checks)
    Executor->>DatabaseHealthCheck: run()
    DatabaseHealthCheck-->>Executor: result or ServiceUnavailable
    Executor-->>HealthCheckJSONView: results[]
    HealthCheckJSONView->>HealthCheckJSONView: derive status from result.error
    HealthCheckJSONView-->>Client: JSON response with 200 or 500
Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐇 I hopped from pip to uv today,
With locks and sync to guide my way.
The health check runs, the tests all cheer,
And bunny docs are crisp and clear.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 54.55% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title matches the main change: migrating the project to uv-based dependency management and tooling.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch NS-209/uv-upgrade

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
custom_health_checks/backends.py (2)

21-22: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Avoid exposing raw database errors in health responses.

At Lines 21-22, interpolating e into ServiceUnavailable can leak internal DB details through /healthz. Return a generic message and chain the original exception instead. This will also require updating the downstream assertion in custom_health_checks/tests/test_healthz.py Line 29.

Suggested fix
-from django.db import connection
+from django.db import DatabaseError, connection
@@
-        except Exception as e:
-            raise ServiceUnavailable(f"Database connection failed: {e}")
+        except DatabaseError as e:
+            raise ServiceUnavailable("Database connection failed") from e
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@custom_health_checks/backends.py` around lines 21 - 22, The
ServiceUnavailable exception in the except block is exposing raw database error
details through the health check endpoint, which is a security concern. Replace
the f-string that interpolates the error `e` with a generic message like
"Database connection failed" and chain the original exception using the `from e`
syntax to preserve the error context for logging without exposing it in the
response. Additionally, update the assertion in the test file
`custom_health_checks/tests/test_healthz.py` at Line 29 to expect the generic
message instead of the actual database error details.

20-20: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Use a table-agnostic DB probe query.

At Line 20, coupling health status to users_user can produce false negatives (e.g., custom user table, migration timing) even when DB connectivity is healthy.

Suggested fix
-                cursor.execute("SELECT 1 FROM users_user LIMIT 1")
+                cursor.execute("SELECT 1")
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@custom_health_checks/backends.py` at line 20, The cursor.execute call
targeting the users_user table creates unnecessary coupling to a specific table,
causing false negatives when that table doesn't exist or during migrations even
if database connectivity is healthy. Replace the query with a table-agnostic
health check that tests database connectivity without referencing any specific
table, such as a simple constant query like SELECT 1.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Line 13: The workflow file uses unconditional `secrets: inherit` which
forwards all available secrets to the called workflow without explicit control.
Replace the `secrets: inherit` line with explicit secret mapping by specifying
only the required secrets. List each secret that the reusable workflow needs
under a `secrets:` field with explicit mappings like `SECRET_NAME: ${{
secrets.SECRET_NAME }}` for each secret required, following the principle of
least privilege.
- Line 12: The reusable workflow reference in the uses statement is pinned to
the `@main` branch reference, which is mutable and poses a supply chain security
risk. Replace the `@main` reference with a full commit SHA from the
City-of-Helsinki/.github repository to ensure immutable and deterministic
workflow behavior. Identify a stable commit SHA from that repository and update
the uses statement to point to that specific commit instead of the branch.

In `@pyproject.toml`:
- Around line 16-17: The `factory-boy` and `ipython` packages are currently in
the `[project].dependencies` section of pyproject.toml, which causes them to be
installed in production environments. Since `factory-boy` is only used by test
factory files and `ipython` is unused, these packages should be moved to a test
or development dependency group. Remove `factory-boy` and `ipython` from
`[project].dependencies` and add them to an appropriate optional dependencies
group in pyproject.toml (such as under `[project.optional-dependencies]` with a
`dev` or `test` key) so they are only installed during development.

---

Outside diff comments:
In `@custom_health_checks/backends.py`:
- Around line 21-22: The ServiceUnavailable exception in the except block is
exposing raw database error details through the health check endpoint, which is
a security concern. Replace the f-string that interpolates the error `e` with a
generic message like "Database connection failed" and chain the original
exception using the `from e` syntax to preserve the error context for logging
without exposing it in the response. Additionally, update the assertion in the
test file `custom_health_checks/tests/test_healthz.py` at Line 29 to expect the
generic message instead of the actual database error details.
- Line 20: The cursor.execute call targeting the users_user table creates
unnecessary coupling to a specific table, causing false negatives when that
table doesn't exist or during migrations even if database connectivity is
healthy. Replace the query with a table-agnostic health check that tests
database connectivity without referencing any specific table, such as a simple
constant query like SELECT 1.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 650e894d-8a28-42ad-9bd0-650ff836f2a2

📥 Commits

Reviewing files that changed from the base of the PR and between 4545a58 and 164c04e.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (22)
  • .dockerignore
  • .github/dependabot.yml
  • .github/workflows/ci.yml
  • .gitignore
  • .pre-commit-config.yaml
  • Dockerfile
  • README.md
  • api/tests/conftest.py
  • api/tests/test_models.py
  • audit_log/tests/conftest.py
  • audit_log/tests/test_services.py
  • custom_health_checks/apps.py
  • custom_health_checks/backends.py
  • custom_health_checks/tests/test_backends.py
  • custom_health_checks/tests/test_healthz.py
  • custom_health_checks/views.py
  • pyproject.toml
  • release-please-config.json
  • requirements-dev.in
  • requirements-dev.txt
  • requirements.in
  • requirements.txt
💤 Files with no reviewable changes (5)
  • requirements.in
  • requirements-dev.in
  • requirements-dev.txt
  • custom_health_checks/apps.py
  • requirements.txt

Comment thread .github/workflows/ci.yml
Comment thread .github/workflows/ci.yml
Comment thread pyproject.toml Outdated
@azure-pipelines

Copy link
Copy Markdown

NOTIFICATION-SERVICE-API branch is deployed to platta: https://notification-service-api-pr169.dev.hel.ninja 🚀🚀🚀

@mhieta mhieta force-pushed the NS-209/uv-upgrade branch from 44c7d74 to 26f7ad9 Compare June 23, 2026 13:03
@azure-pipelines

Copy link
Copy Markdown

NOTIFICATION-SERVICE-API branch is deployed to platta: https://notification-service-api-pr169.dev.hel.ninja 🚀🚀🚀

mhieta added 9 commits June 24, 2026 15:04
Also add .dockerignore-file.

Refs: NS-209
Replace ResilientLogSource(entry) instantiation with
ResilientLogSourceEntry(entry) in tests.
Add RESILIENT_LOGGER environment override and cache
clearing to test conftests to satisfy non-empty
environment validation.

Refs: NS-209
Replace BaseHealthCheckBackend/plugin_dir/MainView with HealthCheck/
HealthCheckView. Switch check_status() to run() and register checks
via HealthCheckView.checks instead of plugin_dir.

Refs: NS-209
@mhieta mhieta force-pushed the NS-209/uv-upgrade branch from 26f7ad9 to 1601bc4 Compare June 24, 2026 12:06
@sonarqubecloud

Copy link
Copy Markdown

@azure-pipelines

Copy link
Copy Markdown

NOTIFICATION-SERVICE-API branch is deployed to platta: https://notification-service-api-pr169.dev.hel.ninja 🚀🚀🚀

@mhieta mhieta merged commit 3454ed5 into main Jun 25, 2026
30 checks passed
@mhieta mhieta deleted the NS-209/uv-upgrade branch June 25, 2026 12:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants