chore: Migrate from pip/setuptools to uv package manager (#380)

Migrate to uv for Python package management with `exclude-newer = "1 week"` to prevent supply chain attacks.

- Consolidate `setup.py`/`setup.cfg`/`requirements.txt` into `pyproject.toml`
- Add `uv.lock` for reproducible installs
- Update CI workflows to use `astral-sh/setup-uv`
- Update Dockerfile to use uv
- Update Makefile to use `uv run`

Author: erezrokah

.github/workflows/lint.yml

@@ -14,13 +14,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - name: Install uv
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8
+        with:
+          version: "0.11.2"
       - name: Set up Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: "3.13"
       - name: Install dependencies
-        run: |
-          pip install --upgrade pip
-          pip install -r requirements.txt
+        run: uv sync --frozen
       - name: Check formatting
         run: make fmt-check

.github/workflows/publish.yml

@@ -17,16 +17,15 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - name: Install uv
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8
+        with:
+          version: "0.11.2"
       - name: Set up Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: "3.13"
-      - name: Install dependencies
-        run: |
-          pip install --upgrade pip
-          pip install -r requirements.txt
-          pip install build
       - name: Build package
-        run: python -m build
+        run: uv build
       - name: Publish package distributions to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1

.github/workflows/unittests.yml

@@ -18,13 +18,15 @@ jobs:
       - # Required for the package command tests to work
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
+      - name: Install uv
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8
+        with:
+          version: "0.11.2"
       - name: Set up Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: "3.13"
       - name: Install dependencies
-        run: |
-          pip install --upgrade pip
-          pip install -r requirements.txt
+        run: uv sync --frozen
       - name: Run tests
         run: make test

Dockerfile

@@ -1,17 +1,20 @@
 FROM python:3.13-slim
 
+COPY --from=ghcr.io/astral-sh/uv:0.11.2 /uv /uvx /bin/
+
 WORKDIR /app
 
-# Copy the code and install dependencies
-COPY requirements.txt .
-COPY setup.cfg .
-COPY setup.py .
+# Copy dependency files and install
+COPY pyproject.toml uv.lock ./
+RUN uv sync --frozen --no-dev --no-install-project
+
+# Copy the code and install the project
 COPY cloudquery cloudquery
 COPY main.py .
-RUN pip3 install --no-cache-dir -r requirements.txt
+RUN uv sync --frozen --no-dev
 
 EXPOSE 7777
 
-ENTRYPOINT ["python3", "main.py"]
+ENTRYPOINT ["uv", "run", "python3", "main.py"]
 
-CMD ["serve", "--address", "[::]:7777", "--log-format", "json", "--log-level", "info"]
+CMD ["serve", "--address", "[::]:7777", "--log-format", "json", "--log-level", "info"]

Makefile

@@ -1,8 +1,8 @@
 test:
-	pytest .
+	uv run pytest .
 
 fmt:
-	black .
+	uv run black .
 
 fmt-check:
-	black --check .
+	uv run black --check .

README.md

@@ -5,7 +5,7 @@ This is the high-level package to use for developing CloudQuery plugins in Pytho
 ## Installation
 
 ```commandline
-pip install cloudquery-plugin-sdk
+uv add cloudquery-plugin-sdk
 ```
 
 ## Links

pyproject.toml

@@ -0,0 +1,63 @@
+[build-system]
+requires = ["setuptools>=75.0"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "cloudquery-plugin-sdk"
+version = "0.1.54"
+description = "CloudQuery Plugin SDK for Python"
+readme = "README.md"
+license = "MPL-2.0"
+requires-python = ">=3.11"
+authors = [
+    { name = "CloudQuery LTD", email = "[email protected]" },
+]
+classifiers = [
+    "Intended Audience :: Developers",
+    "Programming Language :: Python",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Operating System :: OS Independent",
+    "Topic :: Internet",
+]
+dependencies = [
+    "cloudquery-plugin-pb>=0.0.54",
+    "grpcio>=1.78.0",
+    "grpcio-tools>=1.78.0",
+    "Jinja2>=3.1.6",
+    "MarkupSafe>=3.0.3",
+    "numpy>=2.4.2",
+    "packaging>=26.0",
+    "pandas>=3.0.0",
+    "protobuf>=6.31.1",
+    "pyarrow>=23.0.0",
+    "python-dateutil>=2.8.1",
+    "pytz>=2025.2",
+    "six>=1.17.0",
+    "structlog>=25.5.0",
+    "tomli>=2.4.0",
+    "tzdata>=2025.3",
+]
+
+[project.urls]
+Homepage = "https://github.com/cloudquery/plugin-sdk-python"
+
+[dependency-groups]
+dev = [
+    "black>=26.3.1",
+    "pytest>=9.0.2",
+]
+
+[tool.setuptools.packages.find]
+include = ["cloudquery*"]
+
+[tool.setuptools.package-data]
+cloudquery = ["sdk/py.typed"]
+
+[tool.pytest.ini_options]
+python_files = "tests/*.py"
+
+[tool.uv]
+exclude-newer = "1 week"