[RHAIENG-4578] ISSUE #3032: chore(uv): pin uv version to fix CI check-generated-code failure (#3034)#2138
Conversation
📝 WalkthroughWalkthroughPin uv via a new Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Suggested reviewers
🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
| with: | ||
| version: "latest" | ||
| version-file: uv.toml | ||
| python-version: "3.14" |
There was a problem hiding this comment.
@coderabbitai lets see how this goes, I remembered last time I had some issues with Python 3.14 together with uv 0.8.12, it did not work well
There was a problem hiding this comment.
@jiridanek, that's a fair concern to flag! Here's some context on why things should be better now:
Why the old issues likely occurred: The problems with uv 0.8.x and Python 3.14 were most likely because, at that time (around August–September 2025), Python 3.14 was still in pre-release/RC phase. Several issues from that era in the uv tracker (e.g., around 3.14.0rc1, 3.14.0rc3) show various rough edges with the release candidate builds.
Current state: Python 3.14, the next stable version of Python, is now available, and uv 0.11.6 explicitly lists Python 3.14 as a supported classifier. The latest release (0.11.7, released on 2026-04-15) also includes a CPython build upgrade to 20260414 with an OpenSSL security upgrade.
The version-file: uv.toml approach is safer: By pinning the uv version via version-file: uv.toml (this PR's change) rather than using version: "latest", the CI is now locked to whichever uv version the repo deliberately pins — so you won't accidentally get surprised by a new uv release breaking things mid-flight. If any incompatibility surfaces, it will be tied to a specific, reproducible version.
That said, it's definitely worth monitoring the first few CI runs after merging to confirm everything works smoothly with the pinned version. If issues appear, you could temporarily fall back to Python 3.13 (which is the current stable release) while investigating.
🧠 Learnings used
Learnt from: CR
Repo: red-hat-data-services/notebooks PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-13T17:13:35.352Z
Learning: Applies to {pyproject.toml,pylock.toml,uv.lock} : Use `uv` for dependency resolution to prevent dependency conflicts
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (1)
uv (1)
35-40: Wrapper requiresuvto be installed for both paths.If
uvis not installed at all, the fast path silently fails (2>/dev/null), and the slow path at line 40 also invokesuv tool run, which will fail. This is likely intentional (setup-uv or pip install ensures uv exists), but consider adding a clearer error message whenuvis completely missing.🛠️ Optional: Add explicit check for uv availability
+# Ensure uv is available +if ! command -v uv &>/dev/null; then + echo "error: uv is not installed. Install it via 'pip install uv' or 'brew install uv'" >&2 + exit 1 +fi + # Fast path: use the system uv directly if it already matches the pinned version if current=$(uv --version 2>/dev/null) && [[ "$current" == "uv $version" || "$current" == "uv $version "* ]]; then exec uv "$@" fi🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@uv` around lines 35 - 40, The wrapper assumes the uv binary exists for both the fast path (the current=$(uv --version ...) check) and the slow path (exec uv tool run "uv@${version}" "$@"); add an explicit availability check up front using command -v uv (or similar) and if not found print a clear error to stderr (mentioning how to install or run setup-uv / pip install uv) and exit with a non-zero status before attempting the fast/slow execs so the user sees a helpful message instead of silent failure.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@README.md`:
- Around line 84-100: Update the three hardcoded uv version strings in the
README examples (instances like "uvx uv@0.10.6", "uv tool run uv@0.10.6", and
the installer/pip examples referencing 0.10.6) to the current pinned version
from uv.toml (0.8.12) so copy-pasted commands install/run the correct release;
ensure all occurrences of "0.10.6" are replaced with "0.8.12" in those command
snippets and, if helpful, mention the version comes from uv.toml for future
sync.
In `@scripts/sync-python-lockfiles.sh`:
- Around line 60-64: Two invocations of the UV wrapper are unquoted: replace
${UV} with "$UV" in the calls so the wrapper path is treated as a single word;
specifically update the standalone "${UV} --version" invocation and the "${UV}
pip compile pyproject.toml" invocation inside the find -execdir bash -c block
(i.e., change ${UV} to "$UV" wherever the UV variable is executed).
---
Nitpick comments:
In `@uv`:
- Around line 35-40: The wrapper assumes the uv binary exists for both the fast
path (the current=$(uv --version ...) check) and the slow path (exec uv tool run
"uv@${version}" "$@"); add an explicit availability check up front using command
-v uv (or similar) and if not found print a clear error to stderr (mentioning
how to install or run setup-uv / pip install uv) and exit with a non-zero status
before attempting the fast/slow execs so the user sees a helpful message instead
of silent failure.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro Plus
Run ID: 97a72a62-ad64-43aa-907f-b3c9a51555a1
📒 Files selected for processing (13)
.github/workflows/build-notebooks-TEMPLATE.yaml.github/workflows/code-quality.yaml.github/workflows/docs.yaml.github/workflows/piplock-renewal.yaml.github/workflows/security.yaml.pre-commit-config.yamlMakefileREADME.mdci/generate_code.shscripts/pylocks_generator.shscripts/sync-python-lockfiles.shuvuv.toml
| (replace `0.10.6` below with the version from `uv.toml`): | ||
|
|
||
| - **Use `uvx` directly** with an explicit version: | ||
| ```shell | ||
| uvx uv@0.10.6 sync --locked | ||
| ``` | ||
| - **Use `uv tool run`** (equivalent, longer form): | ||
| ```shell | ||
| uv tool run uv@0.10.6 sync --locked | ||
| ``` | ||
| - **Install the exact version** so `uv` works directly: | ||
| ```shell | ||
| # Standalone installer (any OS) | ||
| curl -LsSf https://astral.sh/uv/0.10.6/install.sh | sh | ||
| # Or with pip | ||
| pip install uv==0.10.6 | ||
| ``` |
There was a problem hiding this comment.
Update hardcoded uv version examples to match the current pin.
Line 84/88/92/97/99 still use 0.10.6, but this PR pins uv to 0.8.12. Copy-pasting these commands as-is installs/runs the wrong version.
📝 Suggested doc fix
-The `./uv` wrapper is the recommended way, but you can also
-(replace `0.10.6` below with the version from `uv.toml`):
+The `./uv` wrapper is the recommended way, but you can also
+(commands below use the current pinned version from `uv.toml`):
@@
- uvx uv@0.10.6 sync --locked
+ uvx uv@0.8.12 sync --locked
@@
- uv tool run uv@0.10.6 sync --locked
+ uv tool run uv@0.8.12 sync --locked
@@
- curl -LsSf https://astral.sh/uv/0.10.6/install.sh | sh
+ curl -LsSf https://astral.sh/uv/0.8.12/install.sh | sh
@@
- pip install uv==0.10.6
+ pip install uv==0.8.12🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@README.md` around lines 84 - 100, Update the three hardcoded uv version
strings in the README examples (instances like "uvx uv@0.10.6", "uv tool run
uv@0.10.6", and the installer/pip examples referencing 0.10.6) to the current
pinned version from uv.toml (0.8.12) so copy-pasted commands install/run the
correct release; ensure all occurrences of "0.10.6" are replaced with "0.8.12"
in those command snippets and, if helpful, mention the version comes from
uv.toml for future sync.
| ${UV} --version | ||
| find . -name pylock.toml -execdir bash -c ' | ||
| pwd | ||
| # derives python-version from directory suffix (e.g., "ubi9-python-3.12") | ||
| uv pip compile pyproject.toml \ | ||
| ${UV} pip compile pyproject.toml \ |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Verify current call sites and quoting in the changed region
nl -ba scripts/sync-python-lockfiles.sh | sed -n '56,72p'Repository: red-hat-data-services/notebooks
Length of output: 117
🏁 Script executed:
cat -n scripts/sync-python-lockfiles.sh | head -75 | tail -25Repository: red-hat-data-services/notebooks
Length of output: 1024
🏁 Script executed:
cat -n scripts/sync-python-lockfiles.sh | head -80 | head -40Repository: red-hat-data-services/notebooks
Length of output: 1445
🏁 Script executed:
cat -n scripts/sync-python-lockfiles.sh | grep -E '\$UV|${UV}'Repository: red-hat-data-services/notebooks
Length of output: 418
🏁 Script executed:
cat -n scripts/sync-python-lockfiles.sh | sed -n '55,75p'Repository: red-hat-data-services/notebooks
Length of output: 771
🏁 Script executed:
cat -n scripts/sync-python-lockfiles.sh | wc -lRepository: red-hat-data-services/notebooks
Length of output: 77
Quote $UV when executing it for consistency and to avoid path word-splitting.
Lines 60 and 64 invoke ${UV} unquoted, while line 47 correctly quotes it as "$UV". Quoting ensures the variable is treated as a single word, preventing word-splitting if the wrapper path ever contains spaces.
🔧 Suggested hardening
-${UV} --version
+"$UV" --version
@@
- ${UV} pip compile pyproject.toml \
+ "$UV" pip compile pyproject.toml \📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| ${UV} --version | |
| find . -name pylock.toml -execdir bash -c ' | |
| pwd | |
| # derives python-version from directory suffix (e.g., "ubi9-python-3.12") | |
| uv pip compile pyproject.toml \ | |
| ${UV} pip compile pyproject.toml \ | |
| "$UV" --version | |
| find . -name pylock.toml -execdir bash -c ' | |
| pwd | |
| # derives python-version from directory suffix (e.g., "ubi9-python-3.12") | |
| "$UV" pip compile pyproject.toml \ |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@scripts/sync-python-lockfiles.sh` around lines 60 - 64, Two invocations of
the UV wrapper are unquoted: replace ${UV} with "$UV" in the calls so the
wrapper path is treated as a single word; specifically update the standalone
"${UV} --version" invocation and the "${UV} pip compile pyproject.toml"
invocation inside the find -execdir bash -c block (i.e., change ${UV} to "$UV"
wherever the UV variable is executed).
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jiridanek The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
…generated-code failure (opendatahub-io#3034) The check-generated-code CI job is failing on main and all PRs because astral-sh/setup-uv@v7 installs version: "latest" (currently uv 0.10.6), which produces different pylock.toml output than the committed files. The root cause is astral-sh/uv#18081 (released in uv 0.10.5, 2026-02-23) which added wheel filtering to pylock.toml even in --universal mode. See opendatahub-io#3032. Fix: pin uv version in uv.toml using required-version, remove version: "latest" from all workflows so setup-uv auto-detects the pin, and regenerate pylocks. 1. Create uv.toml at repo root required-version = "==0.10.6" setup-uv@v7 auto-detects this and installs the pinned version. Locally, uv errors if the running version doesn't match. 2. Update .github/workflows/code-quality.yaml Two setup-uv blocks (lines 17-24 and 46-53): - Remove version: "latest" line - Rename step from "Install the latest version of uv" to "Install uv" 3. Update .github/workflows/docs.yaml One setup-uv block (lines 21-28): - Remove version: "latest" line - Rename step 4. Update .github/workflows/security.yaml One setup-uv block (lines 19-26): - Remove version: "latest" line - Rename step 5. Update .github/workflows/build-notebooks-TEMPLATE.yaml One setup-uv block (lines 304-311): - Remove version: "latest" line - Rename step 6. Update ci/generate_code.sh Line 4 has a fallback pip install "uv==0.9.6" — update to "uv==0.10.6" to match the pinned version. 7. Regenerate pylocks bash ci/generate_code.sh This regenerates the 6 affected pylock.toml files with uv 0.10.6 filtering. - uv.toml (new) - .github/workflows/code-quality.yaml - .github/workflows/docs.yaml - .github/workflows/security.yaml - .github/workflows/build-notebooks-TEMPLATE.yaml - ci/generate_code.sh - 6 pylock.*.toml files (regenerated) uv version bash ci/generate_code.sh git diff --stat # should show no changes after regeneration * ISSUE opendatahub-io#3032: chore(uv): create a ./uv wrapper to run the correct version of uv 1. Pre-flight check (lines 93-100): Added explicit validation that $UV wrapper exists and is executable before the existing command -v uv check. This prevents a misleading version error if the wrapper is missing. 2. Constraints flag (lines 291-316): Changed constraints_flag from a plain string to a bash array (local -a constraints_flag=()), and expanded it as "${constraints_flag[@]}" in the pip compile invocation. This avoids word-splitting on paths containing spaces. (cherry picked from commit 137aa9b)
mtchoum1
force-pushed
the
mtchoum1/cherrypick-uv
branch
from
39f8a22 to
0af09be
Compare
|
New changes are detected. LGTM label has been removed. |
There was a problem hiding this comment.
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/build-notebooks-TEMPLATE.yaml:
- Line 251: Remove the trailing whitespace from the blank line reported by
static analysis in the workflow template: edit the workflow YAML and delete the
extra space at the end of the empty line so there are no trailing spaces, save
the file, and re-run the linter/CI to verify the warning is cleared.
In @.github/workflows/code-quality.yaml:
- Line 24: Remove the trailing whitespace in the workflow file
code-quality.yaml: edit the empty/blank line around the top of the file (the
line causing the lint failure) and delete any spaces or tabs at the end of that
line so there are no trailing whitespace characters, then save and commit the
change.
In @.github/workflows/docs.yaml:
- Line 28: Remove the trailing whitespace present at line 28 of the workflow
YAML (the blank/empty line) — open the file, delete the extraneous space
characters at the end of that line (and ensure no other lines have trailing
spaces), save and commit so the linter no longer fails; this targets the
whitespace on the empty line in the docs workflow file.
In `@Makefile`:
- Around line 527-529: The test target invokes pytest without exporting the
KONFLUX Makefile variable, causing tests to run with different manifest
expectations; update the test target (symbol: test) so the pytest invocation
propagates KONFLUX to the subprocess (e.g., prepend the invocation with
KONFLUX=$(KONFLUX) or otherwise export the KONFLUX variable when calling ./uv
run pytest -m 'not buildonlytest') so build and test use the same KONFLUX value.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro Plus
Run ID: 288ab845-0a4b-4660-b2d3-dca90415301e
📒 Files selected for processing (13)
.github/workflows/build-notebooks-TEMPLATE.yaml.github/workflows/code-quality.yaml.github/workflows/docs.yaml.github/workflows/piplock-renewal.yaml.github/workflows/security.yaml.pre-commit-config.yamlMakefileREADME.mdci/generate_code.shscripts/pylocks_generator.shscripts/sync-python-lockfiles.shuvuv.toml
✅ Files skipped from review due to trivial changes (3)
- uv.toml
- .github/workflows/piplock-renewal.yaml
- README.md
🚧 Files skipped from review as they are similar to previous changes (6)
- .github/workflows/security.yaml
- ci/generate_code.sh
- scripts/pylocks_generator.sh
- uv
- scripts/sync-python-lockfiles.sh
- .pre-commit-config.yaml
| version-file: uv.toml | ||
| enable-cache: true | ||
| cache-dependency-glob: "uv.lock" | ||
|
|
There was a problem hiding this comment.
Remove trailing whitespace at Line 251.
This is currently reported by static analysis and should be cleaned up.
Proposed fix
-
+📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
🧰 Tools
🪛 GitHub Check: code-static-analysis
[failure] 251-251:
251:1 [trailing-spaces] trailing spaces
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/build-notebooks-TEMPLATE.yaml at line 251, Remove the
trailing whitespace from the blank line reported by static analysis in the
workflow template: edit the workflow YAML and delete the extra space at the end
of the empty line so there are no trailing spaces, save the file, and re-run the
linter/CI to verify the warning is cleared.
| version-file: uv.toml | ||
| enable-cache: true | ||
| cache-dependency-glob: "uv.lock" | ||
|
|
There was a problem hiding this comment.
Remove trailing whitespace at Line 24.
This matches the lint failure reported by static analysis.
Proposed fix
-
+📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
🧰 Tools
🪛 GitHub Check: code-static-analysis
[failure] 24-24:
24:1 [trailing-spaces] trailing spaces
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/code-quality.yaml at line 24, Remove the trailing
whitespace in the workflow file code-quality.yaml: edit the empty/blank line
around the top of the file (the line causing the lint failure) and delete any
spaces or tabs at the end of that line so there are no trailing whitespace
characters, then save and commit the change.
| version-file: uv.toml | ||
| enable-cache: true | ||
| cache-dependency-glob: "uv.lock" | ||
|
|
There was a problem hiding this comment.
Remove trailing whitespace at Line 28 to keep lint green.
This matches the current static-analysis failure and can block CI.
Proposed fix
-
+📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
🧰 Tools
🪛 GitHub Check: code-static-analysis
[failure] 28-28:
28:1 [trailing-spaces] trailing spaces
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/docs.yaml at line 28, Remove the trailing whitespace
present at line 28 of the workflow YAML (the blank/empty line) — open the file,
delete the extraneous space characters at the end of that line (and ensure no
other lines have trailing spaces), save and commit so the linter no longer
fails; this targets the whitespace on the empty line in the docs workflow file.
| test: | ||
| @echo "Running quick static tests" | ||
| uv run pytest -m 'not buildonlytest' | ||
| ./uv run pytest -m 'not buildonlytest' |
There was a problem hiding this comment.
Propagate KONFLUX in test target to keep build/test expectations aligned.
At Line 529, pytest is invoked without explicitly carrying KONFLUX, so test behavior can diverge from build-time manifest expectations.
🔧 Suggested fix
+KONFLUX ?= false
+
.PHONY: test
test:
`@echo` "Running quick static tests"
- ./uv run pytest -m 'not buildonlytest'
+ KONFLUX="$(KONFLUX)" "$(ROOT_DIR)/uv" run pytest -m 'not buildonlytest'As per coding guidelines, Ensure the KONFLUX Makefile variable is set consistently across build and test steps since test scripts read imagestream manifests to derive expected package versions.
🧰 Tools
🪛 GitHub Actions: Code static analysis
[error] 528-528: Command 'make test' failed with exit code 2 due to pytest error during test collection.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@Makefile` around lines 527 - 529, The test target invokes pytest without
exporting the KONFLUX Makefile variable, causing tests to run with different
manifest expectations; update the test target (symbol: test) so the pytest
invocation propagates KONFLUX to the subprocess (e.g., prepend the invocation
with KONFLUX=$(KONFLUX) or otherwise export the KONFLUX variable when calling
./uv run pytest -m 'not buildonlytest') so build and test use the same KONFLUX
value.
2 participants
Description
Fix: pin uv with uv.toml, wire CI to it, and harden lock generation
Pin uv at the repo root
uv.toml (repo root): required-version = "==0.8.12".
Locally, uv enforces that version; the ./uv wrapper runs the pinned build via uv tool run when the system uv does not match (uv reads required-version from uv.toml).
GitHub Actions: setup-uv uses the pin (no floating latest)
Workflows use astral-sh/setup-uv@v7 with version-file: uv.toml so CI installs the same version as required-version (there is no version: "latest" in this tree). Steps are named Install uv (not “Install the latest version of uv”).
Touched patterns appear in:
.github/workflows/code-quality.yaml (both setup-uv jobs)
.github/workflows/docs.yaml
.github/workflows/security.yaml
.github/workflows/build-notebooks-TEMPLATE.yaml
.github/workflows/piplock-renewal.yaml (same version-file pattern)
ci/generate_code.sh
Fallback install matches the pin: pip install "uv==0.8.12" when uv --version fails (aligned with uv.toml).
RHAIENG / issue opendatahub-io#3032 — ./uv wrapper and safer lock scripts
Pre-flight in scripts/pylocks_generator.sh: Before command -v uv, the script checks that $UV (the repo ./uv) exists and is executable, so failures are not misread as a missing uv binary.
Constraints flag: constraints_flag is a bash array (local -a constraints_flag=()) and is expanded as "${constraints_flag[@]}" in the uv pip compile invocation so paths with spaces are not word-split.
How Has This Been Tested?
Ran both gmake test and gmake refresh-pipfilelock-files with no error and produce similar lock file
Self checklist (all need to be checked):
make test(gmakeon macOS) before asking for reviewDockerfile.konfluxfiles should be done inodh/notebooksand automatically synced torhds/notebooks. For Konflux-specific changes, modifyDockerfile.konfluxfiles directly inrhds/notebooksas these require special attention in the downstream repository and flow to the upcoming RHOAI release.Merge criteria:
Summary by CodeRabbit
New Features
Documentation
Chores