Migrate to uv from requirements.txt

.github/dependabot.yml

@@ -13,8 +13,8 @@ updates:
     schedule:
       interval: "daily"
 
-  # Maintain dependencies for pip
-  - package-ecosystem: "pip"
+  # Maintain dependencies for Python
+  - package-ecosystem: "uv"
     directory: "/"
     schedule:
       interval: "daily"

.github/workflows/test.yml

@@ -24,13 +24,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
-      - uses: actions/setup-python@v6
+      - name: Install uv
+        uses: astral-sh/setup-uv@v4
         with:
-          python-version: ${{ env.DEFAULT_PYTHON }}
-          cache: "pip"
-          cache-dependency-path: requirements-dev.txt
-      - name: Install dev dependencies
-        run: pip install -r requirements-dev.txt
+          enable-cache: true
+      - name: Set up Python
+        run: uv python install ${{ env.DEFAULT_PYTHON }}
+      - name: Install dependencies
+        run: uv sync --group dev
       - name: Restore pre-commit environment from cache
         id: cache-precommit
         uses: actions/[email protected]
@@ -40,11 +41,11 @@ jobs:
             ${{ runner.os }}-pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}
       - name: Install pre-commit dependencies
         if: steps.cache-precommit.outputs.cache-hit != 'true'
-        run: pre-commit install-hooks
+        run: uv run pre-commit install-hooks
       - name: Run pre-commit
-        run: pre-commit run --hook-stage manual --all-files --show-diff-on-failure
+        run: uv run pre-commit run --hook-stage manual --all-files --show-diff-on-failure
       - name: Run unit-tests
-        run: python -m pytest --cov --cov-config=tox.ini --cov-report=term --cov-report=html
+        run: uv run pytest --cov --cov-config=tox.ini --cov-report=term --cov-report=html
       - uses: actions/upload-artifact@v6
         with:
           name: test-coverage

CONTAINER_DOCS.md

@@ -47,7 +47,9 @@ contrast_verify:
     APP_NAME: $APP_NAME
     BUILD_NUMBER: $CI_COMMIT_SHORT_SHA
   script:
-    - /usr/bin/env python3 /verify.py
+    # Both approaches work for backward compatibility:
+    - /usr/bin/env python3 /verify.py  # Legacy approach (still supported)
+    # - uv run python3 verify.py       # New approach (optional)
 ```
 
 ## Logging

Dockerfile

@@ -1,14 +1,24 @@
 FROM ghcr.io/astral-sh/uv:python3.13-alpine
 
-ENV VIRT_ENV=/opt/venv
-RUN uv venv $VIRT_ENV --python 3.13
-ENV PATH="$VIRT_ENV/bin:$PATH"
+WORKDIR /app
 
-ADD requirements.txt requirements.txt
-RUN uv pip install -r requirements.txt
+# Copy pyproject.toml and lock file for dependency installation
+COPY pyproject.toml uv.lock* ./
 
-ADD contrastverify contrastverify
-ADD version.py version.py
-ADD verify.py verify.py
+# Install dependencies and create the virtual environment
+RUN uv sync --frozen --no-dev
 
-ENTRYPOINT ["/usr/bin/env", "python3", "/verify.py"]
+# Copy application code
+COPY contrastverify contrastverify
+COPY version.py version.py
+COPY verify.py verify.py
+COPY verify-wrapper.py verify-wrapper.py
+
+# Install the local package in the already created environment
+RUN uv pip install --no-deps -e .
+
+# Create backward compatibility symlink for GitLab users
+RUN ln -s /app/verify-wrapper.py /verify.py && chmod +x /verify.py
+
+# Use the virtual environment directly instead of uv run
+ENTRYPOINT ["/app/.venv/bin/python3", "verify.py"]

README.md

@@ -80,7 +80,8 @@ A HTTP or HTTPS proxy may be used, by setting the environment variables `HTTP_PR
 If your environment requires custom certificate(s) to be trusted, these may be provided via the input `caFile` in pem format.
 
 ## Development Setup
-1. Run `python -m venv venv` to setup a virtual environment
-1. Run `. venv/bin/activate` to activate the virtual environment
-1. Run `pip install -r requirements-dev.txt` to install development dependencies (will also include app dependencies)
-1. Run `pre-commit install` to setup the pre-commit hook which handles formatting
+1. Install [uv](https://github.com/astral-sh/uv) if you haven't already: `curl -LsSf https://astral.sh/uv/install.sh | sh`
+1. Run `uv sync --group dev` to install all dependencies (including development dependencies)
+1. Run `uv run pre-commit install` to setup the pre-commit hook which handles formatting
+1. Use `uv run pytest` to run tests
+1. Use `uv run python verify.py` to run the application locally

pyproject.toml

@@ -0,0 +1,30 @@
+[project]
+name = "contrast-verify-action"
+version = "1.0.0"
+description = "GitHub Action to verify an application by determining whether the application violates a job outcome policy or threshold of open vulnerabilities from Contrast Security"
+authors = [
+    {name = "Josh Anderson", email = "[email protected]"}
+]
+requires-python = ">=3.13"
+dependencies = [
+    "requests",
+    "actions-toolkit",
+    "certifi",
+    "cryptography",
+]
+
+[dependency-groups]
+dev = [
+    "pytest",
+    "pytest-cov",
+    "responses",
+    "pre-commit",
+    "bump2version",
+]
+
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[tool.hatch.build.targets.wheel]
+packages = ["contrastverify"]