uv is great! Unfortunately, it is not supported by Dependabot yet. I built a simple GitHub Actions workflow to act as a stop-gap until support is added.
The repository containing a demo and the README on which this post is based is available here.
Motivation
uv is developed by Astral, who also wrote ruff. It offers the benefits of much faster dependency resolution and installation, along with leveraging the more modern pyproject.toml configuration format defined in PEPs 518 and 618.
Dependabot is a GitHub-native tool which helps manage dependencies, with a focus on avoiding known security vulnerabilities. It can provide alerts and raise pull requests against repositories to ensure their dependencies are up-to-date and secure.
However, at the time of writing (27th October 2024), Dependabot does not support uv as a package ecosystem. Nevertheless, the behaviour of raising PRs to version bump dependencies, especially in response to security vulnerabilities, is still very desirable.
Whilst there is ongoing work to support this, it is not ready yet. The uv docs also suggest some other solutions for this functionality, such as using an alternative like Renovate. However, Renovate has compromises such as being non-native to GitHub and requiring complicated configuration.
In the meantime, a small GitHub Actions workflow to approximate the functionality in a lightweight way is a helpful thing to have.
Workflow
The workflow to create pull requests to bump lockfile versions is shown in its entirety below, duplicated from https://github.com/EdmundGoodman/update-bot/blob/main/.github/workflows/update-bot.yaml:
```yaml
name: update-bot

on:
  workflow_dispatch:
  # Set the schedule, for example every week at 8:00am on Monday
  schedule:
    - cron: "0 8 * * 1"

# Minimal scopes for the job token: push the lockfile branch and open the PR
permissions:
  contents: write
  pull-requests: write

jobs:
  lock:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: astral-sh/setup-uv@v3

      # Upgrade every locked dependency and capture the output, wrapped in a
      # markdown code fence, so it can be used verbatim as the PR body
      - run: |
          echo "\`\`\`" > uv_output.md
          uv lock --upgrade 2>&1 | tee -a uv_output.md
          echo "\`\`\`" >> uv_output.md

      - name: Create pull request
        uses: peter-evans/create-pull-request@v7
        with:
          # Note: PRs opened with the default GITHUB_TOKEN do not trigger other
          # workflows (e.g. on: pull_request); use a PAT or GitHub App token
          # instead if CI must run on the PR automatically
          token: ${{ secrets.GITHUB_TOKEN }}
          commit-message: Update uv lockfile
          title: Update uv lockfile
          body-path: uv_output.md
          branch: update-uv
          base: main
          labels: install
          delete-branch: true
          # Only the lockfile is committed, never uv_output.md
          add-paths: uv.lock
```
Usage
- In your repository’s “Settings>Actions>General” menu (https://github.com/USER/REPO/settings/actions), select the “Allow GitHub Actions to create and approve pull requests” checkbox at the bottom of the page
- Copy the workflow YAML file shown above to .github/workflows/update-bot.yaml
That’s it! The workflow will automagically run on a cron schedule, creating a PR to version bump your uv dependencies. An example PR generated by the action on this demo repo is available here, and shown in the screenshot below:
In combination with GitHub Actions running your test suite against PRs, you should be able to merge them with confidence!
Provenance
This workflow was created to fill the need identified in the xDSL project when switching to uv.
Some other workflows to perform a similar task (blog post here) have been created, but these directly commit to the main branch, which could result in broken code on the release branch if the dependencies change in an unexpected way.
The mechanism of raising a pull request for the change rather than directly committing it was shown here, but targeting a different package manager.