migrate from pip-compile to uv

Author: de1987

.github/workflows/code_coverage.yml

@@ -55,6 +55,8 @@ jobs:
     - name: Install Dependencies (Python)
       run: |
         python3 -m pip install --upgrade pip
+        # Pin setuptools to keep pkg_resources available (needed by ansible-risk-insight)
+        pip install "setuptools<81"
         pip install -r requirements.txt
         pip install .[dev]
 

.github/workflows/pip_audit.yml

@@ -10,6 +10,7 @@ on:
       - .github/workflows/pip_audit.yml
       - ansible_ai_connect/**
       - pyproject.toml
+      - uv.lock
       - requirements.txt
   pull_request:
     branches:
@@ -18,6 +19,7 @@ on:
       - .github/workflows/pip_audit.yml
       - ansible_ai_connect/**
       - pyproject.toml
+      - uv.lock
       - requirements.txt
 permissions:
   contents: read
@@ -35,7 +37,8 @@ jobs:
         run: |
           python -m venv env/
           source env/bin/activate
-          python -m pip install . -r requirements.txt
+          python -m pip install -r requirements.txt
+          python -m pip install -e .
           # See: https://github.com/advisories/GHSA-r9hx-vwmv-q579
           pip install --upgrade setuptools
       - name: Create CA symlink to use RH's certifi on ubuntu-latest

.github/workflows/pip_compile.yml .github/workflows/uv_export.yml.github/workflows/pip_compile.yml renamed to .github/workflows/uv_export.yml

@@ -1,20 +1,22 @@
-name: wisdom-service - pip-compile
+name: wisdom-service - uv-export
 
 on:
   push:
     branches:
       - main
     paths:
       - ansible_ai_connect/**
-      - requirements.in
+      - pyproject.toml
+      - uv.lock
       - requirements.txt
       - Makefile
   pull_request:
     branches:
       - main
     paths:
       - ansible_ai_connect/**
-      - requirements.in
+      - pyproject.toml
+      - uv.lock
       - requirements.txt
       - Makefile
 permissions:
@@ -29,9 +31,10 @@ jobs:
       uses: actions/setup-python@v4
       with:
         python-version: 3.12
-    - name: install
+    - name: Install uv
+      uses: astral-sh/setup-uv@v4
+    - name: Compile requirements
       run: |
-        pip install --upgrade "pip<24.1"
-        pip install pip-tools
-        pip-compile --quiet -o requirements.txt requirements.in
-        git diff --exit-code -- requirements.txt
+        uv lock --python 3.12
+        uv export --format requirements-txt --no-hashes --no-emit-project -o requirements.txt
+        git diff --exit-code -- uv.lock requirements.txt

Makefile

@@ -99,13 +99,13 @@ update-openapi-schema:
 docker-compose-clean:
 	${COMPOSE_RUNTIME} -f ${PWD}/tools/docker-compose/compose.yaml down
 
-.PHONY: pip-compile
-pip-compile:
+.PHONY: export
+export:
 	${CONTAINER_RUNTIME} run --arch amd64 --os linux \
 		--volume $(PWD):/var/www/wisdom:Z \
 		--workdir /var/www/wisdom \
 		registry.access.redhat.com/ubi9/ubi:latest \
-		/var/www/wisdom/tools/scripts/pip-compile.sh
+		/var/www/wisdom/tools/scripts/uv-export.sh
 
 # DEPRECATED: Please use create-superuser-containerized instead
 docker-create-superuser: create-superuser-containerized DEPRECATED

README.md

@@ -194,30 +194,44 @@ pre-commit autoupdate && pre-commit run -a
 
 ## Updating the Python dependencies
 
-We are using pip-compile in order to manage our Python dependencies.
+We use [uv](https://github.com/astral-sh/uv) to manage Python dependencies,
+following the same approach as [ansible-chatbot-stack](https://github.com/ansible/ansible-chatbot-stack).
+All dependencies are defined in `pyproject.toml`.
 
-The specification of what packages we need lives in the
-`requirements.in` file. Use your preferred editor to make the needed
-changes in that file, then run:
+To update the pinned dependencies, run:
 
 ```bash
-make pip-compile
+make export
 ```
 
 This will spin up a container and run the equivalent of:
 
 ```bash
-pip-compile requirements.in
+uv lock --python 3.12
+uv export --format requirements-txt --no-hashes -o requirements.txt
 ```
 
-This command will produce a fully populated and pinned `requirements.txt`
-file, containing all of the dependencies of our dependencies.
-Due to differences in architecture and version of Python between
-developers' machines, we do not recommend running pip-compile directly.
+This generates:
+- `uv.lock` - The lock file with exact pinned versions (commit this file)
+- `requirements.txt` - Exported for pip compatibility
 
-### Use of `pyproject.toml`
+### Security constraints
 
-`pyproject.toml` contains the dependencies used by downstream builds. Changes to any of the top level dependencies in `requirements.in` must there also be reflected in `pyproject.toml` too. See [PEP-518](https://peps.python.org/pep-0518/) for details.
+Security-pinned transitive dependencies are defined in the `[tool.uv]`
+section of `pyproject.toml` using `constraint-dependencies`. These constraints
+are automatically applied when running `uv lock`.
+
+### Development dependencies
+
+Development dependencies (testing, linting, etc.) are defined as optional
+dependencies in `pyproject.toml` under `[project.optional-dependencies]`.
+Install them with:
+
+```bash
+pip install .[dev]
+# or with uv:
+uv pip install -e .[dev]
+```
 
 # Using the VS Code extension
 

ansible_ai_connect/main/templates/chatbot/index.html

@@ -9,8 +9,8 @@
       content="{{bot_name}}"
     />
     <title>{{bot_name}}</title>
-    <script type="module" crossorigin src="/static/chatbot/index-ecUyj60O.js"></script>
-    <link rel="stylesheet" crossorigin href="/static/chatbot/index-Dm-_Ojks.css">
+    <script type="module" crossorigin src="/static/chatbot/index-YdyFlNn2.js"></script>
+    <link rel="stylesheet" crossorigin href="/static/chatbot/index-DBhoCAvz.css">
   </head>
   <body>
     <noscript>You need to enable JavaScript to run this app.</noscript>

pyproject.toml

@@ -8,10 +8,10 @@ description = "Ansible Lightspeed with IBM watsonx Code Assistant."
 version = "0.1.0"
 dependencies = [
   'aiohttp~=3.12.14',
-  'ansible-core~=2.15.9',
+  'ansible-core~=2.16.5',
   'ansible-anonymizer~=1.5.0',
-  'ansible-risk-insight~=0.2.7',
-  'ansible-lint~=24.2.2',
+  'ansible-risk-insight==0.2.7',
+  'ansible-lint~=25.5.0',
   'boto3~=1.40',
   'cython',
   'daphne~=4.1.2',
@@ -68,7 +68,6 @@ dev = [
   'flake8~=6.0.0',
   'grpcio-tools~=1.68.1',
   'isort~=5.10.1',
-  'pip-tools',
   'pre-commit',
   'responses~=0.24.1',
   'torch-model-archiver',
@@ -85,6 +84,25 @@ wisdom-manage = "ansible_ai_connect.manage:main"
 
 [tool]
 
+[tool.uv]
+# Security-pinned transitive dependencies
+constraint-dependencies = [
+  # Use Red Hat's system-certifi for certificate handling
+  'certifi @ git+https://github.com/ansible/system-certifi@5aa52ab91f9d579bfe52b5acf30ca799f1a563d9',
+  # Pin cryptography to address security vulnerabilities
+  'cryptography==43.0.1',
+  # Pin idna to address GHSA-jjg7-2v4v-x38h
+  'idna==3.7',
+  # Pin jsonpickle to address SNYK-PYTHON-JSONPICKLE-8136229
+  'jsonpickle==3.3.0',
+  # Pin pyjwt for compatibility
+  'pyjwt==2.8.0',
+  # Pin pyOpenSSL for compatibility
+  'pyOpenSSL==24.2.1',
+  # Pin sqlparse to address GHSA-2m57-hf25-phgg
+  'sqlparse==0.5.2',
+]
+
 [tool.setuptools.packages.find]
 include = ["ansible_ai_connect*"]
 

requirements.in

@@ -1,76 +0,0 @@
-# ======================================================================
-# If any top level dependency is added, updated or deleted be
-# sure to check pyproject.toml too. pyproject.toml is the *only*
-# dependencies file used by downstream and hence *must* be synchronized.
-# It is also recommended that dependencies in pyproject.toml use the '~=' version qualifier.
-#
-# See the following for details:
-# - https://peps.python.org/pep-0518
-# - https://peps.python.org/pep-0631
-# - https://peps.python.org/pep-0508
-# ======================================================================
-aiohttp==3.12.14
-ansible-anonymizer==1.5.0
-ansible-risk-insight==0.2.7
-ansible-lint==24.2.2
-boto3==1.40.63
-# pin black on 24.3.0 to address PYSEC-2024-48.
-black==24.3.0
-certifi@git+https://github.com/ansible/system-certifi@5aa52ab91f9d579bfe52b5acf30ca799f1a563d9
-cryptography==43.0.1
-daphne==4.1.2
-Django==4.2.27
-django-deprecate-fields==0.1.1
-django-extensions==3.2.1
-django-health-check==3.17.0
-django-import-export==3.2.0
-django-oauth-toolkit==3.0.1
-django_prometheus==2.2.0
-django-test-migrations==1.3.0
-djangorestframework==3.15.2
-drf-spectacular==0.27.2
-fire==0.7.0
-# pin idna on 3.7 to address GHSA-jjg7-2v4v-x38h
-# remove this once requests and yarl is updated to properly
-# pull a version of idna >= 3.7.
-idna==3.7
-ipython==8.10.0
-# pin jwcrypto on 1.5.6 to address GHSA-j857-7rvv-vj97
-# remove this once django-oauth-toolkit is updated to properly
-# pull a version of jwcrypto >= 1.5.6.
-jwcrypto==1.5.6
-# pin jinja2 on 3.1.6 to address GHSA-cpwx-vrp4-4pq7
-# remove this once ansible-core or torch are updated
-jinja2==3.1.6
-# pin jsonpickle on 3.3.0 to address SNYK-PYTHON-JSONPICKLE-8136229
-# remove this once ansible-risk-insight is updated
-jsonpickle==3.3.0
-langchain==0.3.26
-langchain-core==0.3.80
-langchain-ollama==0.3.5
-# CVE-2025-6985: XXE Vulnerability fixed in 0.3.9+
-langchain-text-splitters==0.3.11
-launchdarkly-server-sdk==8.3.0
-llama-stack-client>=0.2.12
-protobuf==5.29.5
-psycopg[binary]==3.2.3
-pydantic==2.9.2
-PyDrive2==1.20.0
-pytz
-pyjwt==2.8.0
-pyOpenSSL==24.2.1
-PyYAML==6.0.2
-requests==2.32.3
-segment-analytics-python==2.2.2
-# pin sqlparse on 0.5.0 to address GHSA-2m57-hf25-phgg
-# Remove once a Django>4.2.11 is released with an updated dep on sqlparse
-sqlparse==0.5.2
-social-auth-app-django==5.4.1
-social-auth-core==4.5.4
-slack-sdk==3.31.0
-urllib3==2.6.0
-uwsgi==2.0.28
-uwsgi-readiness-check==0.2.0
-django-allow-cidr==0.6.0
-django-csp==3.7
-django-ansible-base[jwt-consumer,resource-registry]==2025.8.18