chore: migrate dependency management from pip to uv for Docker containers
#2630
base: master
Conversation
Pull request overview
This PR migrates Docker containers from pip-based dependency management to uv, a faster Python package manager. The changes update build and runtime configurations to use uv for installing and running Python applications.
Key changes:
- Adds uv binary to base Docker image from ghcr.io/astral-sh/uv
- Replaces pip install commands with uv sync in Dockerfiles
- Updates all Python command invocations in start_server.sh to use the `uv run` prefix
- Adds server dependency group to pyproject.toml with 40+ dependencies
Reviewed changes
Copilot reviewed 4 out of 6 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| uv.lock | Added lockfile with full dependency resolution including server dependencies |
| pyproject.toml | Contains merge conflict - adds server dependency group, conflicts on pygit2/requests versions |
| docker/Dockerfile.server.j2 | Replaces pip install with uv sync, updates cache mount target |
| docker/Dockerfile.base.j2 | Removes pip/wheel installation, adds uv binary copy |
| docker-compose.yml.tmpl | Adds UV_PROJECT_ENVIRONMENT variable |
| bin/start_server.sh | Prefixes all Python commands with 'uv run' |
| RUN --mount=type=cache,target=/root/.cache/uv \ | ||
| {% endif %} | ||
| pip3 install -r /tmp/requirements.txt --break-system-packages | ||
| cd /tmp && uv sync --frozen --no-dev --group server |
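Review bot: `uv sync --frozen` refuses to run when uv.lock is absent or does not match pyproject.toml, and the review summary above flags pyproject.toml as still carrying a merge conflict on the pygit2/requests versions, so this RUN step will fail the image build until that conflict is resolved; also confirm that both pyproject.toml and uv.lock are copied into /tmp before this line, since the removed `pip3 install -r /tmp/requirements.txt` only needed the requirements file. Because the command runs from /tmp, the environment is created at /tmp/.venv unless UV_PROJECT_ENVIRONMENT is set at build time as well as in docker-compose; set it in the Dockerfile too (e.g. `ENV UV_PROJECT_ENVIRONMENT=/opt/venv` ahead of this RUN) so the location the server runs from does not depend on the compose file's value.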
Copilot
AI
Jan 5, 2026
The command 'uv sync --frozen --no-dev --group server' will install dependencies into a virtual environment, but the resulting binaries won't be in PATH unless the virtual environment is activated. The start_server.sh script uses 'uv run python' which should work, but direct command invocations in other scripts may fail. Consider adding ENV PATH="/tmp/.venv/bin:$PATH" to the Dockerfile or ensure all Python commands use 'uv run' prefix.
| pip3 install --upgrade pip --break-system-packages && \ | ||
| pip3 install wheel --break-system-packages | ||
| # Install uv for fast Python package management | ||
| COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv |
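Review bot: `COPY --from=ghcr.io/astral-sh/uv:latest` resolves to whatever the registry serves at build time, so the base image is not reproducible and silently picks up any change to that tag; pin it to a release tag and digest, e.g. `COPY --from=ghcr.io/astral-sh/uv:<VERSION>@sha256:<DIGEST> /uv /usr/local/bin/uv` (placeholders), and bump it deliberately with the rest of the release. Separately, with the `pip3 install --upgrade pip` and `pip3 install wheel` lines removed, any remaining `pip3` call in other templates or scripts now relies on the distro's pip and has no wheel package available, so grep for leftover pip3 usage before merging.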
Copilot
AI
Jan 5, 2026
The COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv stage pulls a third-party build tool image using the mutable latest tag, which creates a supply-chain risk: if that image is compromised or replaced in the registry, your builds will transparently consume and execute attacker-controlled code inside production images. Because this runs during image build with high privileges, an attacker controlling that tag could inject backdoors or exfiltrate secrets during builds. To mitigate this, pin the uv image to an immutable reference (e.g., a specific version tag and preferably a digest) and update it deliberately as part of your release process.
Issues Fixed
Fixes #2610
Description
This pull request migrates dependency management in containers from pip to uv.
Checklist