Skip to content

ci: use uv dependabot ecosystem instead of pip#699

Open
anxkhn wants to merge 1 commit into
ollama:mainfrom
anxkhn:ci/dependabot-uv-ecosystem
Open

ci: use uv dependabot ecosystem instead of pip#699
anxkhn wants to merge 1 commit into
ollama:mainfrom
anxkhn:ci/dependabot-uv-ecosystem

Conversation

@anxkhn

@anxkhn anxkhn commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

What

Switch Python dependency updates in .github/dependabot.yml from the pip ecosystem to the native uv ecosystem.

Why

uv.lock is the source of truth, while requirements.txt is generated by uv export. The lint job verifies that the exported requirements file matches the lockfile.

The current pip updater changes requirements.txt without updating uv.lock, so the export check fails on dependency PRs such as #657 through #661. Using the uv ecosystem makes Dependabot update uv.lock, keeping the generated requirements file consistent.

Verification

  • uvx hatch fmt --check -f
  • uvx hatch fmt --check -l
  • uv lock --check
  • uv export >requirements.txt followed by git diff --exit-code requirements.txt
  • uv run --no-sync pytest tests/ -q (92 passed)

Since the migration to hatch and uv, uv.lock is the source of truth and
requirements.txt is an autogenerated `uv export` of it. The lint job in
.github/workflows/test.yaml enforces this with `uv lock --check` followed by
`uv export >requirements.txt` and `git diff --exit-code requirements.txt`.

Dependabot's `pip` ecosystem edits requirements.txt directly and never
regenerates uv.lock, so on every dependency PR `uv export` rewrites
requirements.txt from the unchanged lockfile, reverting Dependabot's change and
failing the diff check. Switch to the natively supported `uv` ecosystem, which
updates uv.lock so the exported requirements.txt stays consistent and the lint
job passes.

Signed-off-by: Anas Khan <83116240+anxkhn@users.noreply.github.com>

@vaderollama vaderollama left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM — uv.lock is the source of truth and requirements.txt is generated from it. Using the pip ecosystem was updating requirements.txt without touching uv.lock, causing the export verification check to fail on dependency PRs. Switching to uv ecosystem fixes the root cause.

@ParthSareen — ready to merge.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants