Adopt uv for Python dependency management (#286)

[nitrobass24]

Summary

• Replace pip with uv across Docker builds and CI for faster, reproducible installs
• pyproject.toml + uv.lock become the single source of truth, eliminating the duplicate requirements.txt / requirements-test.txt files
• Zero impact on final Docker image size — uv binary is used only in builder stages and removed before the final image

Changes

Docker

• Production Dockerfile: COPY --from=ghcr.io/astral-sh/uv:latest into python-deps stage, uv pip install --system --no-cache --strict -r pyproject.toml, binary removed after install
• Test Dockerfile: Same pattern with --group test to include test dependencies

CI (ci.yml)

• Added astral-sh/setup-uv@v6 step to python-lint, python-typecheck, and python-test jobs
• Replaced all pip install commands with uv pip install --system equivalents
• Removed pip cache configuration (uv handles its own caching)

Deleted

• src/python/requirements.txt — was a manual copy of pyproject.toml dependencies
• src/python/requirements-test.txt — was a manual copy of pyproject.toml test group

Added

• src/python/uv.lock — deterministic lock file generated from pyproject.toml

Test plan

• CI python-lint job passes with uv-installed ruff
• CI python-typecheck job passes with uv-installed deps + pyright
• CI python-test job passes with uv-installed deps (runtime + test group)
• Docker image builds successfully (uv binary NOT present in final image)
• Container starts and serves web UI

Closes #286

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Updated CI/CD pipelines and container builds to use modernized package management tooling
  • Simplified and consolidated dependency configuration across build and test environments

[coderabbitai]

Warning

Rate limit exceeded

@nitrobass24 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 22 minutes and 18 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: b8d27486-5a15-48b5-91cd-c8747b7bc04c

📥 Commits

Reviewing files that changed from the base of the PR and between 04f0ecc and 25d2798.

📒 Files selected for processing (3)

• .github/workflows/ci.yml
• src/docker/build/docker-image/Dockerfile
• src/docker/build/test-image/Dockerfile

📝 Walkthrough

Walkthrough

This PR adopts uv as the Python package manager, replacing pip in CI workflows and Docker builds. Dependency installation is migrated from separate requirements.txt files to pyproject.toml with dependency groups, and uv.lock is committed for reproducible installs.

Changes

Cohort / File(s)	Summary
CI Workflow Setup .github/workflows/ci.yml	Added setup-uv step to lint, typecheck, and test jobs. Replaced pip install commands with uv pip install --system for Ruff and dependencies. Updated test job to install from pyproject.toml with --group test instead of separate test requirements file. Removed actions/setup-python pip cache configuration.
Docker Build Image src/docker/build/docker-image/Dockerfile	Switched dependency installation from pip with requirements.txt to uv pip install --system using pyproject.toml and uv.lock. Added copying of uv binary, --no-cache and --strict flags, and cleanup of uv binary and cache directories after installation.
Docker Test Image src/docker/build/test-image/Dockerfile	Replaced multi-file pip install from requirements.txt and requirements-test.txt with uv pip install --system using pyproject.toml with --group test. Added uv binary copy, --strict enforcement, and removal of temporary build artifacts and the uv binary.
Requirements File Cleanup src/python/requirements.txt, src/python/requirements-test.txt	Emptied both requirements files, consolidating all dependency declarations to pyproject.toml for single source of truth.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• Evaluate uv adoption for Python dependency management #286: This PR implements the acceptance criteria for adopting uv as the Python dependency manager, including Dockerfile and CI updates, plus commitment of uv.lock for reproducible installs.
• Consolidate Python dependencies to pyproject.toml with uv as single source of truth #280: This PR builds upon the prior consolidation of dependencies to pyproject.toml by fully migrating CI and Docker build processes to consume from the single source and removing intermediate requirements files.

Possibly related PRs

• Consolidate Python deps to PEP 621 pyproject.toml #287: Addresses the same dependency consolidation objective—migrating to pyproject.toml and updating CI/Docker dependency installation flows.
• Remove ~25 MB of unnecessary packages from Docker image #100: Modifies Dockerfile Python dependency installation and pip uninstall steps, affecting the same build stages.
• Slim Docker image — remove unused deps and strip stdlib #139: Changes multi-stage Docker installs and dependency installation patterns in Dockerfiles.

Poem

🐰 In gardens green where dependencies grow,
A speedy uv makes workflows flow,
From pip to lock, the packages align—
Reproducible installs in record time! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main objective of the PR: adopting uv for Python dependency management.
Linked Issues check	✅ Passed	The PR comprehensively addresses all coding requirements from issue #286: adopting uv in Dockerfiles and CI, using pyproject.toml with uv.lock, and removing duplicate requirements files.
Out of Scope Changes check	✅ Passed	All changes are directly aligned with the objective of adopting uv for dependency management; no unrelated modifications are present.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/uv-dependency-management

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 56-57: Update the GitHub Actions step that configures uv to use
the latest released version: replace the uses reference "astral-sh/setup-uv@v6"
with the latest tag "astral-sh/setup-uv@v7.6.0" in the CI workflow; ensure any
inputs or outputs expected by the new action version (the step named "Set up
uv") remain compatible and adjust call parameters if needed.

In `@src/docker/build/docker-image/Dockerfile`:
- Line 19: The Dockerfile currently copies from the floating image tag
"ghcr.io/astral-sh/uv:latest" which undermines reproducible builds; update the
COPY line to reference a pinned uv tag (or introduce a build ARG like UV_TAG and
default it to a specific version such as "ghcr.io/astral-sh/uv:0.10.x") so the
COPY --from source is deterministic—change the COPY --from reference (the line
containing COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv) to use
the chosen pinned tag or an ARG-based pinned value.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: a847998e-6eb3-446d-9393-ad2c331e9105

📥 Commits

Reviewing files that changed from the base of the PR and between 1fa5dee and 04f0ecc.

⛔ Files ignored due to path filters (1)

• src/python/uv.lock is excluded by !**/*.lock

📒 Files selected for processing (5)

• .github/workflows/ci.yml
• src/docker/build/docker-image/Dockerfile
• src/docker/build/test-image/Dockerfile
• src/python/requirements-test.txt
• src/python/requirements.txt

💤 Files with no reviewable changes (2)

• src/python/requirements-test.txt
• src/python/requirements.txt

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

astral-sh/setup-uv GitHub action latest version

💡 Result:

The latest version of the astral-sh/setup-uv GitHub Action is v7.6.0, released on March 16, 2026.

Citations:

• 1: https://github.com/astral-sh/setup-uv/releases
• 2: https://github.com/astral-sh/setup-uv
• 3: https://github.com/marketplace/actions/astral-sh-setup-uv

---

Update setup-uv action to the latest version.

The workflow currently uses astral-sh/setup-uv@v6, but the latest version is v7.6.0. Update to the latest version to benefit from new features and security patches.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 56 - 57, Update the GitHub Actions
step that configures uv to use the latest released version: replace the uses
reference "astral-sh/setup-uv@v6" with the latest tag
"astral-sh/setup-uv@v7.6.0" in the CI workflow; ensure any inputs or outputs
expected by the new action version (the step named "Set up uv") remain
compatible and adjust call parameters if needed.