feat: migrate codejail sandbox to its own uv project (3/5) #38837
irfanuddinahmad wants to merge 1 commit into
Gives requirements/edx-sandbox/ its own standalone pyproject.toml + uv.lock, independent of the main app's dependency graph (codejail intentionally runs untrusted code in a separate, isolated venv).

[tool.edx_lint].uv_constraints holds only the subset of the root constraints relevant to this environment's deps (numpy, lxml, setuptools) -- uv/edx-lint have no cross-project constraint chaining equivalent to pip-compile's "-c ../constraints.txt", so root and sandbox constraints are now independently maintained (documented in requirements/edx-sandbox/README.rst).

base.txt is regenerated as a `uv export` compatibility artifact (the README documents it as a supported, if unstable, direct pip-install target).

releases/*.txt are untouched -- they're frozen historical snapshots, not part of any active compile loop; README now documents cutting future ones via `uv export` instead of pip-compile.

Part of openedx/public-engineering#543 (3 of 5).

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Summary
PR 3 of 5 in the pip-compile -> uv migration tracked in openedx/public-engineering#543.
Stacked on #38836 (PR 2), which is itself stacked on #38835 (PR 1) — this diff only shows PR 3's own changes. It'll retarget automatically as each parent merges.
`pyproject.toml` deps/dependency-groups + commit `uv.lock`
`Makefile`, `tox.ini`, and CI to `uv` for the main app
`uv` project
`uv` projects

What changed
- `requirements/edx-sandbox/` (codejail's isolated sandbox environment for running untrusted instructor-authored Python) gets its own `pyproject.toml` + `uv.lock`, kept fully independent of the main app's dependency graph — codejail intentionally runs in a separate venv for security isolation, so this isn't merged into the root project's dependencies.
- `[tool.uv].package = false` — this was never `pip install -e`'d, just resolved into an isolated venv.
- `[tool.edx_lint].uv_constraints` holds only the subset of the root `pyproject.toml`'s constraints actually relevant to this environment's dependencies (`numpy<2.0.0`, `lxml==5.3.2`, `setuptools<82`). uv/edx-lint have no equivalent to pip-compile's `-c ../constraints.txt` cross-project chaining, so root and sandbox constraints are now maintained independently — documented as an explicit trade-off in `requirements/edx-sandbox/README.rst`.
- `base.in` deleted; `base.txt` is now a `uv export --no-hashes --no-emit-project` compatibility artifact (the README already documented this file as a supported, if unstable, direct `pip install -r` target — no reason to break that contract).
- `releases/*.txt` untouched — confirmed these are frozen historical snapshots, not part of any active compile loop (not in the old `REQ_FILES` list either). README now documents cutting future release snapshots via `uv export ... -o releases/<name>.txt` instead of pip-compile.
- `Makefile`: added a `UV_SUBPROJECTS` loop (currently just `requirements/edx-sandbox`) to `compile-requirements`/`upgrade`, running `edx_lint write_uv_constraints` + `uv lock` + regenerating the `base.txt` compat export for each sub-project.

External compatibility (tutor/Docker, org-level `.github` workflows)

- `tutor/env/build/openedx/Dockerfile`) that it does not reference `requirements/edx-sandbox/` at all — only `requirements/edx/{base,assets,development}.txt` (handled in PR 2). So this PR's `base.txt` compat export isn't preserving a tutor/Docker contract; it's preserving the contract `requirements/edx-sandbox/README.rst` already documents for anyone directly `pip install -r`-ing this file outside of tutor.
- `.github` reusable workflows: none of this repo's workflows delegate sandbox-specific logic to `openedx/.github`, so there's nothing to reconcile there for this PR (see PR 2's body for the one org-level workflow that is relevant to this migration, `upgrade-python-requirements.yml`, which already supports uv).

Verification

- `uv lock` inside an `ubuntu:24.04` container — resolves cleanly to 32 packages; confirmed constraints honored (`numpy==1.26.4` not 2.x, `lxml==5.3.2` exact match).
- `uv sync --frozen` + `uv run python3 -c "import chem, cryptography, lxml, matplotlib, networkx, nltk, scipy, sympy, pyparsing"` — all imports succeed.
- `make compile-requirements` re-run end-to-end (root `uv lock` + sandbox `uv lock` via the new `UV_SUBPROJECTS` loop + the still-pip-compiled `scripts/*`) — completes cleanly; sandbox's constraint-writing step is confirmed idempotent (re-run produces the same 5 merged constraints).

🤖 Generated with Claude Code
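
A check for the "constraints honored" step in the Verification list, as an added example that is not part of the PR or the repository: it parses a `uv export --no-hashes` style file and tests each pin against the constraint strings quoted in the description. The sample export, the function names and the simplified numeric version comparison are assumptions.

```python
import operator
import re

# Constraint strings quoted in the PR description for the sandbox project.
SANDBOX_CONSTRAINTS = ["numpy<2.0.0", "lxml==5.3.2", "setuptools<82"]

# Constructed sample in the style of a `uv export --no-hashes` file (not the real base.txt).
SAMPLE_EXPORT = """\
lxml==5.3.2
    # via constructed-parent
numpy==1.26.4 ; python_full_version >= '3.11'
sympy==1.13.3
"""

_OPS = {"==": operator.eq, "!=": operator.ne, "<=": operator.le,
        ">=": operator.ge, "<": operator.lt, ">": operator.gt}
_SPEC = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*(==|!=|<=|>=|<|>)\s*([0-9][0-9.]*)")

def _norm(name):
    """PEP 503 name normalisation so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def _ver(text, width=4):
    """Numeric release segments, zero-padded so 2.0 == 2.0.0 (simplified, not full PEP 440)."""
    parts = [int(p) for p in text.strip(".").split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def parse_pins(export_text):
    """Return {name: version} for each 'name==version' line; comments and markers are skipped."""
    pins = {}
    for line in export_text.splitlines():
        m = _SPEC.match(line.split(";")[0])
        if m and m.group(2) == "==":
            pins[_norm(m.group(1))] = m.group(3)
    return pins

def check_constraints(export_text, constraints):
    """Map each constraint to 'ok', 'violated' or 'absent' for the pinned export."""
    pins = parse_pins(export_text)
    result = {}
    for spec in constraints:
        name, op, bound = _SPEC.match(spec).groups()
        pinned = pins.get(_norm(name))
        if pinned is None:
            result[spec] = "absent"  # not resolved into this environment at all
        else:
            result[spec] = "ok" if _OPS[op](_ver(pinned), _ver(bound)) else "violated"
    return result
```

Because root and sandbox constraints are maintained separately, running `check_constraints` over the sandbox export with the root project's constraint list as well would surface a pin that the root has tightened but the sandbox has not.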