Conversation
Supply chain hardening via uv lockfile with cryptographic hashes for all direct and transitive dependencies. Covers build backend swap, CI workflows, Dockerfile, and pre-commit enforcement. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
8-task plan covering build backend, lockfile, CI workflows, Dockerfile, pre-commit hook, and AGENTS.md updates. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Swap build-system to uv_build, remove [tool.setuptools] sections, add [tool.uv] config with platform-restricted environments (Linux + macOS, x86_64 + arm64).
Pin Python 3.12 for uv auto-selection. Generated lockfile with cryptographic hashes for all direct and transitive dependencies across Linux + macOS (x86_64 + arm64). Also fix index-url field name (default-index is not valid in [tool.uv] for uv 0.9.28). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace setup-python + pip install with setup-uv + uv run --frozen. Lockfile hashes are now enforced in CI.
Use uv binary from official image, uv sync --frozen for hash-verified installs, improved Docker layer caching.
Runs uv lock --check when pyproject.toml changes, fails if lockfile is stale.
Add uv sync/run commands alongside existing pip instructions. Document uv add for dependency management. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Show both uv (recommended) and pip+venv installation options in README. Remove internal planning documents from branch. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
MLCommons CLA bot All contributors have signed the MLCommons CLA ✍️ ✅ |
…to README examples Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request migrates the project's dependency management and build system from setuptools and pip to uv. Key changes include updating the pyproject.toml to use uv_build, adding a uv-lock-check pre-commit hook, and revising the README and AGENTS documentation to prioritize uv-based workflows while maintaining backward compatibility for pip. The Dockerfile has also been updated to use uv for faster, reproducible builds. Feedback identifies a critical issue in the Dockerfile where the virtual environment may be shadowed by volume mounts and a pathing error in the build exclusion list within pyproject.toml.
There was a problem hiding this comment.
Pull request overview
Migrates the project’s Python dependency/build tooling from pip/setuptools-centric workflows to uv, updating local developer setup, Docker dev image, and CI pipelines accordingly.
Changes:
- Switch
pyproject.tomlbuild backend touv_buildand addtool.uvconfiguration for platform environments and build packaging rules. - Update developer workflows and docs (README/AGENTS) to use
uv sync/uv runand add a pre-commit hook to enforceuv.lockfreshness. - Update GitHub Actions to use
astral-sh/setup-uvand run tests/audits/pre-commit viauv.
Reviewed changes
Copilot reviewed 8 out of 9 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| scripts/Dockerfile.dev | Installs uv in the dev container and uses uv sync for dev/test dependencies. |
| README.md | Documents uv as the default dependency manager and adds a pip+venv fallback section. |
| pyproject.toml | Moves build backend to uv_build and configures uv build/data/exclude behavior. |
| AGENTS.md | Updates common commands and dependency guidance to use uv. |
| .python-version | Adds a Python version file intended for tool/CI alignment. |
| .pre-commit-config.yaml | Adds a uv lock --check hook to keep uv.lock in sync. |
| .github/workflows/test.yml | Runs tests and dependency audit via uv. |
| .github/workflows/pre-commit.yml | Runs pre-commit via uv. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 8 out of 9 changed files in this pull request and generated 5 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Dockerfile.dev: set UV_PROJECT_ENVIRONMENT=/opt/venv to avoid volume mount shadowing .venv, add /opt/venv/bin to PATH, create dir with correct ownership - pyproject.toml: pin uv_build==0.7.6 (exact version), fix build exclude path to inference_endpoint/evaluation/livecodebench/_server.py - .python-version: pin to 3.12.11 for reproducibility - CI workflows: add python-version-file to setup-uv in both test.yml and pre-commit.yml - .pre-commit-config.yaml: use language: python with additional_dependencies: [uv] for uv-lock-check hook - README.md: add uv installation instructions and uv run usage note - AGENTS.md: clarify build-system requires also pinned to exact versions Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
viraatc
left a comment
viraatc
left a comment
There was a problem hiding this comment.
Review Council — Multi-AI Code Review
Reviewed by: Codex + Claude | Depth: thorough (3001 lines)
Found 5 issues across 4 files.
Review Council — Multi-AI Code ReviewReviewed by: Codex + Claude | Depth: thorough (3001 lines, 9 files) Found 5 issues across 4 files. 🔴 Must Fix (critical)Issues that will cause build failures or incorrect behavior in production.
🟡 Should Fix (medium)Real issues that trigger under specific conditions or diverge from project policy.
🔵 Consider (low)Valid improvements that could be follow-ups.
Note: 6 issues from the Claude reviewer were dropped during verification — they referenced files not changed in this PR (schema.py, init.py, test_cli.py, test_benchmark_command.py, main.py). All remaining issues were verified against HEAD source files. |
- Dockerfile.dev: add COPY README.md (uv_build needs it for metadata), split uv sync with --no-install-project for proper Docker layer caching - pyproject.toml: remove redundant data key (uv_build includes VCS-tracked files automatically; data key installs to data scheme) - .pre-commit-config.yaml: pin uv==0.7.6 in additional_dependencies - test.yml: add explicit uv sync steps for better CI diagnostics Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 8 out of 9 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| language: python | ||
| additional_dependencies: ["uv==0.7.6"] | ||
| pass_filenames: false | ||
| files: ^pyproject\.toml$ |
There was a problem hiding this comment.
The new uv-lock-check hook only runs when pyproject.toml changes (files: ^pyproject\.toml$). If uv.lock is modified (or accidentally corrupted) without a pyproject.toml change, this check won’t run and an inconsistent lockfile could still be committed. Consider widening the files selector to also trigger on uv.lock changes (or remove the selector so it always runs when relevant).
| files: ^pyproject\.toml$ | |
| files: ^(pyproject\.toml|uv\.lock)$ |
| [build-system] | ||
| requires = ["setuptools==78.1.1", "wheel==0.46.3"] | ||
| build-backend = "setuptools.build_meta" | ||
| requires = ["uv_build==0.7.6"] | ||
| build-backend = "uv_build" |
There was a problem hiding this comment.
Switching the build backend to uv_build changes how sdists/wheels are produced, but the CI workflows only run uv sync + pytest and don’t exercise the packaging path. To catch packaging regressions early, consider adding a CI step that builds the distribution artifacts and performs a minimal smoke test (e.g., install the built wheel and import/run the CLI).
What does this PR do?
Type of change
Related issues
Testing
Checklist