feat: add pyproject.toml deps, dependency-groups, and uv.lock (1/5) #38835
irfanuddinahmad wants to merge 2 commits into
Thanks for the pull request, @irfanuddinahmad!

This repository is currently maintained by

Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review.

🔘 Get product approval
If you haven't already, check this list to see if your contribution needs to go through the product review process.

🔘 Provide context
To help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:

🔘 Get a green build
If one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green.

Where can I find more information?
If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources:

When can I expect my changes to be merged?
Our goal is to get community contributions seen and reviewed as efficiently as possible. However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:

💡 As a result it may take up to several weeks or months to complete a review and merge your PR.
Rewrites the Makefile's requirements targets, tox.ini, and ~13 CI workflows to use uv instead of pip-compile/pip-sync for the main app. Deletes requirements/edx/*.in and *.txt (superseded by pyproject.toml + uv.lock, added in PR 1 / #38835). requirements/constraints.txt, common_constraints.txt, and pip-tools.{in,txt} are intentionally kept for now: requirements/edx-sandbox and scripts/* still pip-compile against them and aren't migrated until PR 3/4. requirements/edx/{base,assets,development}.txt are regenerated as `uv export` compatibility artifacts (via the Makefile's compile-requirements target) since external tooling -- notably tutor's Dockerfile -- installs from those exact paths with plain pip, not uv. check_python_dependencies.yml is disabled (workflow_dispatch only, job gated with if: false) since find_python_dependencies can't scan pyproject.toml yet; tracked at openedx/repo-tools#725. User-confirmed before committing since this removes a CI safety net. Part of openedx/public-engineering#543 (2 of 5). Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
…ration 1/5) Populates [project.dependencies] (from kernel.in + bundled.in), adds [project.optional-dependencies] for the legacy openstack storage backend, adds PEP 735 [dependency-groups] (coverage/testing/doc/assets/development/ semgrep/ci/dev, mirroring the current .in file composition), and [tool.edx_lint].uv_constraints + generated [tool.uv].constraint-dependencies for the ~20 repo-specific version pins, with a committed uv.lock. This is purely additive: the Makefile, tox.ini, and CI workflows are untouched and continue to use pip-compile/requirements/*.txt as the source of truth. Part of the pip-compile -> uv migration tracked in openedx/public-engineering#543 (1 of 5 PRs). Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
…ions Found via real CI runs: a fresh uv resolution picked social-auth-core 5.0.2 (previously locked at 4.9.1 via pip-compile), which changes the OAuth pipeline's post-login redirect behavior and breaks common/djangoapps/third_party_auth's integration test suite (AzureAD, Google, LinkedIn, Twitter full-pipeline specs all failed the same assertion in tests/specs/base.py's assert_logged_in_cookie_redirect). This migration is meant to be a tooling swap, not a dependency upgrade, so pin back to the 4.x line rather than bundle an investigation into social-auth-core 5.x's behavior change into this PR. Mirrors the existing social-auth-app-django<=5.4.1 constraint, pinned for a related, already-deferred migration in this same dependency family. Follow-up tracked at #38841. Verified: all 46 previously-failing third_party_auth tests pass with social-auth-core==4.9.1 restored via this constraint. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
8fc67fa to 9bbfff1
Summary

Part of the org-wide Python packaging modernization tracked in openedx/public-engineering#543 (child of #506): migrate openedx-platform from pip-compile to `uv` + PEP 621/735 `pyproject.toml`.

This is PR 1 of 5 in the migration sequence. It is purely additive and does not change how CI, `make`, or `tox` install dependencies today — those still use `requirements/*.in`/`*.txt` + pip-compile as the source of truth until PR 2 cuts over. The goal of this PR is to introduce the new `pyproject.toml`/`uv.lock` files, get them independently reviewed and merged, and only then swap the tooling that consumes them.
- `pyproject.toml` deps/dependency-groups + commit `uv.lock` (additive only)
- `Makefile`, `tox.ini`, and CI workflows to `uv`; delete the old `requirements/edx/*.{in,txt}` files
- `requirements/edx-sandbox/`) to its own standalone `uv` project
- `scripts/xblock`, `scripts/user_retirement`, `scripts/structures_pruning`) to standalone `uv` projects

What changed
- `[project.dependencies]`: populated from `requirements/edx/kernel.in` + `bundled.in` (previously a placeholder `["setuptools"]`). Every entry's explanatory comment (whether originally trailing or on a preceding line) is preserved.
- `[project.optional-dependencies].openstack`: the legacy `requirements/edx/openstack.txt` (`django-storage-swift`) — this is a pluggable runtime storage backend, not a dev-tool dependency group, so it belongs here rather than in `[dependency-groups]`.
- `[dependency-groups]`: `coverage`, `testing` (includes `coverage`), `doc`, `assets`, `development` (includes `testing` + `doc` + `assets`), `semgrep`, `ci` (`tox`, `tox-uv`), `dev` (includes `development` + `ci`) — mirrors the current `.in` file composition (`-r` chains) using PEP 735 `{include-group = "..."}`.
- `[tool.edx_lint].uv_constraints`: the ~20 repo-specific version pins from `requirements/constraints.txt`, each with its original multi-line rationale/issue-link comment preserved as `#` lines above the entry.
- `[tool.uv].constraint-dependencies`: generated by running `edx_lint write_uv_constraints pyproject.toml` (merges the above with edx-lint's bundled global constraints — confirmed identical to today's `requirements/common_constraints.txt`, so nothing is lost).
- `uv.lock`: committed, resolved against Python 3.12 inside an `ubuntu:24.04` container (matching CI's actual build environment, since `mysqlclient` has no prebuilt wheel for any platform and must build from source against `libmysqlclient-dev`).

Two issues found and fixed during this work
- `edx-lint==6.1.0`'s `write_uv_constraints` command crashes (`AttributeError: 'OutOfOrderTableProxy' object has no attribute 'add'`) on any `pyproject.toml` where `[tool]` is split across multiple out-of-line sub-tables — which is true here (`[tool.setuptools]`, `[tool.pytest.ini_options]`, `[tool.ruff]`, `[tool.importlinter]` all already exist) and will be true for essentially every real-world `pyproject.toml`. Worked around by pre-declaring an empty `[tool.uv]` table before running the command, but this will also break the ongoing `make upgrade` workflow added in PR 2 unless fixed upstream. Filing a bug against `openedx/edx-lint` as a follow-up — flagging here so reviewers are aware this isn't fully resolved yet.
- `--local <file>` flag mentioned in `openedx-aspects#359`'s PR description does not exist in the actually-published `edx-lint==6.1.0` — confirmed by installing it and reading the source directly. Used the real, supported mechanism (`[tool.edx_lint].uv_constraints`) instead.

`uv.lock` is a fresh resolution against the same constraints, not a byte-for-byte carryover of the versions already pinned in the (still-authoritative-until-PR-2) `requirements/edx/*.txt` files. Diffing the two systematically: of 294 packages shared between the old `base.txt` and the new `uv.lock`, 39 resolved to a different version. Most are harmless patch/minor bumps, but a few are worth reviewers' attention specifically:

- `protobuf` 7.35.1 → 6.33.6 and `wrapt` 2.2.1 → 1.17.3 — both downgrades across a major version. Root cause: `opentelemetry-instrumentation*` packages (pulled in transitively via `edx-django-utils`'s FrontendMonitoringMiddleware feature — already pinned `>=5.14.1` before this change) require `wrapt<2`, which cascades to `protobuf<7` via `grpcio-status`/`google-api-core`. This is a resolver-driven side effect of an already-adopted dependency, not something new I introduced, but it's a real behavior difference from what's currently deployed.
- `pycasbin` 2.8.0 → 2.2.0 — also a downgrade; I wasn't able to fully trace the constraint forcing this one.
- `django-autocomplete-light` 4.0.3 → 5.0.0, `edxval` 4.0.1 → 5.0.1, `social-auth-core` 4.9.1 → 5.0.2 — major-version upgrades that could carry API/behavior changes worth a changelog check before this becomes the live lockfile in PR 2.

By contrast, the `testing`/`dev` dependency-groups are stable: `pytest`, `Django`, `mypy`, `edx-lint`, and `coverage` are all unchanged; only `ruff`/`tox` saw trivial patch bumps.

This PR itself has no runtime effect (`uv.lock` isn't wired into anything yet), but PR 2 makes these the versions actually installed by CI and `make` — recommend reviewing/testing this specific set before that merges, rather than treating this purely as a tooling migration.

External compatibility (tutor/Docker, org-level `.github` workflows)

Not applicable to this PR — it's purely additive (`pyproject.toml` + `uv.lock` only), and doesn't touch `Makefile`, `tox.ini`, or any CI workflow. Tutor's Dockerfile and the org-level `openedx/.github` reusable workflows are addressed starting in PR 2, where the tooling that actually consumes these files changes.

Verification
- `python3 -c "import tomllib; tomllib.load(...)"` — valid TOML.
- `uv lock` inside `ubuntu:24.04` (matching CI's system packages: `libmysqlclient-dev`, `libxmlsec1-dev`) — resolves cleanly to 445 packages.
- `uv.lock` versions (e.g. `Django` resolves to `5.2.15` not `6.0.x`, `setuptools` to `81.0.0` not `82.x`, `elasticsearch` exactly `7.9.1`, etc.) — all honored correctly.
- `uv sync --group dev --frozen` inside the same container — installs the full ~440-package dev environment cleanly, including `openedx-platform` itself as an editable install.

🤖 Generated with Claude Code