Switch from Poetry to uv package manager #216
Conversation
Co-authored-by: norkans7 <1040571+norkans7@users.noreply.github.com>
Co-authored-by: norkans7 <1040571+norkans7@users.noreply.github.com>
.github/workflows/ci.yml
Outdated
| - name: Install Poetry | ||
| uses: snok/install-poetry@v1 | ||
| - name: Install uv | ||
| uses: astral-sh/setup-uv@v5 |
Co-authored-by: norkans7 <1040571+norkans7@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR migrates the smartmin repository from Poetry to uv package manager. The change includes updating the build backend to hatchling, converting all dependency specifications to uv's format, creating a new uv.lock file, updating the GitHub Actions CI workflow, and making necessary adjustments to development tooling.
- Updated build system from poetry-core to hatchling
- Converted Poetry dependency format to standard PEP 621 format with optional dependencies
- Migrated CI/CD workflows to use uv commands instead of Poetry
- Updated ruff command syntax and configuration structure
Reviewed changes
Copilot reviewed 3 out of 6 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| pyproject.toml | Converted from Poetry format to standard PEP 621 format with hatchling build backend, updated ruff configuration structure |
| uv.lock | New lock file replacing poetry.lock with all dependency specifications |
| poetry.lock | Deleted Poetry lock file (863 lines removed) |
| code_check.py | Updated ruff command from ruff smartmin to ruff check smartmin |
| .gitignore | Added uv-specific entries (.venv/, .python-version) |
| .github/workflows/ci.yml | Migrated from Poetry to uv commands, updated setup-uv action to v7, changed Python version from 3.10.x to 3.11.x for publishing |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
pyproject.toml
Outdated
| [build-system] | ||
| requires = ["poetry-core>=2.0.0,<3.0.0"] | ||
| build-backend = "poetry.core.masonry.api" | ||
| requires = ["hatchling"] |
There was a problem hiding this comment.
The [build-system] declaration uses an unpinned third-party build backend dependency hatchling via requires = ["hatchling"], which means each build will fetch and execute whatever the latest hatchling release is from PyPI. If an attacker compromises the hatchling package or its release process, they could execute arbitrary code in your build environment (with access to build secrets and artifacts) via this mutable dependency. To reduce supply-chain risk, pin hatchling to a specific trusted version (and update it consciously) or otherwise constrain it with an immutable or tightly bounded version specifier.
There was a problem hiding this comment.
Pinned hatchling to >=1.25.0 to address the supply-chain risk in commit d88897d.
smartmin/templatetags/smartmin.py
Outdated
| if re.search(pattern, request.path): | ||
| return "active" | ||
| return "" | ||
| return "" |
Co-authored-by: norkans7 <1040571+norkans7@users.noreply.github.com>
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #216 +/- ##
=======================================
Coverage 74.59% 74.59%
=======================================
Files 24 24
Lines 2051 2051
=======================================
Hits 1530 1530
Misses 521 521 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Plan: Switch to uv package manager
Summary
Successfully migrated the smartmin repository from Poetry to uv package manager. All changes have been tested and verified, and PR feedback has been addressed including security improvements and code formatting fixes.
Original prompt
💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.