Skip to content

feat: migrate codejail sandbox to its own uv project (3/5)#38837

Open
irfanuddinahmad wants to merge 1 commit into
irfanuddinahmad/uv-migration-02-cutoverfrom
irfanuddinahmad/uv-migration-03-codejail-sandbox
Open

feat: migrate codejail sandbox to its own uv project (3/5)#38837
irfanuddinahmad wants to merge 1 commit into
irfanuddinahmad/uv-migration-02-cutoverfrom
irfanuddinahmad/uv-migration-03-codejail-sandbox

Conversation

@irfanuddinahmad

@irfanuddinahmad irfanuddinahmad commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Summary

PR 3 of 5 in the pip-compile -> uv migration tracked in openedx/public-engineering#543.

Stacked on #38836 (PR 2), which is itself stacked on #38835 (PR 1) — this diff only shows PR 3's own changes. It'll retarget automatically as each parent merges.

  1. PR 1 (feat: add pyproject.toml deps, dependency-groups, and uv.lock (1/5) #38835) — populate pyproject.toml deps/dependency-groups + commit uv.lock
  2. PR 2 (feat: cut over Makefile, tox.ini, and CI to uv (2/5) #38836) — cut over Makefile, tox.ini, and CI to uv for the main app
  3. PR 3 (this PR) — migrate the codejail sandbox to its own standalone uv project
  4. PR 4 — migrate the three standalone scripts to standalone uv projects
  5. PR 5 — cleanup docs/README and follow-through on tracking issues

What changed

requirements/edx-sandbox/ (codejail's isolated sandbox environment for running untrusted instructor-authored Python) gets its own pyproject.toml + uv.lock, kept fully independent of the main app's dependency graph — codejail intentionally runs in a separate venv for security isolation, so this isn't merged into the root project's dependencies.

  • [tool.uv].package = false — this was never pip install -e'd, just resolved into an isolated venv.
  • [tool.edx_lint].uv_constraints holds only the subset of the root pyproject.toml's constraints actually relevant to this environment's dependencies (numpy<2.0.0, lxml==5.3.2, setuptools<82). uv/edx-lint have no equivalent to pip-compile's -c ../constraints.txt cross-project chaining, so root and sandbox constraints are now maintained independently — documented as an explicit trade-off in requirements/edx-sandbox/README.rst.
  • base.in deleted; base.txt is now a uv export --no-hashes --no-emit-project compatibility artifact (the README already documented this file as a supported, if unstable, direct pip install -r target — no reason to break that contract).
  • releases/*.txt untouched — confirmed these are frozen historical snapshots, not part of any active compile loop (not in the old REQ_FILES list either). README now documents cutting future release snapshots via uv export ... -o releases/<name>.txt instead of pip-compile.
  • Root Makefile: added a UV_SUBPROJECTS loop (currently just requirements/edx-sandbox) to compile-requirements/upgrade, running edx_lint write_uv_constraints + uv lock + regenerating the base.txt compat export for each sub-project.

External compatibility (tutor/Docker, org-level .github workflows)

  • Tutor/Docker: confirmed via direct grep of the installed tutor plugin's Dockerfile (tutor/env/build/openedx/Dockerfile) that it does not reference requirements/edx-sandbox/ at all — only requirements/edx/{base,assets,development}.txt (handled in PR 2). So this PR's base.txt compat export isn't preserving a tutor/Docker contract; it's preserving the contract requirements/edx-sandbox/README.rst already documents for anyone directly pip install -r-ing this file outside of tutor.
  • Org-level .github reusable workflows: none of this repo's workflows delegate sandbox-specific logic to openedx/.github, so there's nothing to reconcile there for this PR (see PR 2's body for the one org-level workflow that is relevant to this migration, upgrade-python-requirements.yml, which already supports uv).

Verification

  • uv lock inside an ubuntu:24.04 container — resolves cleanly to 32 packages; confirmed constraints honored (numpy==1.26.4 not 2.x, lxml==5.3.2 exact match).
  • uv sync --frozen + uv run python3 -c "import chem, cryptography, lxml, matplotlib, networkx, nltk, scipy, sympy, pyparsing" — all imports succeed.
  • Full make compile-requirements re-run end-to-end (root uv lock + sandbox uv lock via the new UV_SUBPROJECTS loop + the still-pip-compiled scripts/*) — completes cleanly; sandbox's constraint-writing step is confirmed idempotent (re-run produces the same 5 merged constraints).

🤖 Generated with Claude Code

Gives requirements/edx-sandbox/ its own standalone pyproject.toml +
uv.lock, independent of the main app's dependency graph (codejail
intentionally runs untrusted code in a separate, isolated venv).

[tool.edx_lint].uv_constraints holds only the subset of the root
constraints relevant to this environment's deps (numpy, lxml,
setuptools) -- uv/edx-lint have no cross-project constraint chaining
equivalent to pip-compile's "-c ../constraints.txt", so root and
sandbox constraints are now independently maintained (documented in
requirements/edx-sandbox/README.rst).

base.txt is regenerated as a `uv export` compatibility artifact (the
README documents it as a supported, if unstable, direct pip-install
target). releases/*.txt are untouched -- they're frozen historical
snapshots, not part of any active compile loop; README now documents
cutting future ones via `uv export` instead of pip-compile.

Part of openedx/public-engineering#543 (3 of 5).

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
@openedx-webhooks openedx-webhooks added open-source-contribution PR author is not from Axim or 2U core contributor PR author is a Core Contributor (who may or may not have write access to this repo). labels Jul 1, 2026
@openedx-webhooks

Copy link
Copy Markdown

Thanks for the pull request, @irfanuddinahmad!

This repository is currently maintained by @openedx/wg-maintenance-openedx-platform.

Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review.

🔘 Get product approval

If you haven't already, check this list to see if your contribution needs to go through the product review process.

  • If it does, you'll need to submit a product proposal for your contribution, and have it reviewed by the Product Working Group.
    • This process (including the steps you'll need to take) is documented here.
  • If it doesn't, simply proceed with the next step.
🔘 Provide context

To help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:

  • Dependencies

    This PR must be merged before / after / at the same time as ...

  • Blockers

    This PR is waiting for OEP-1234 to be accepted.

  • Timeline information

    This PR must be merged by XX date because ...

  • Partner information

    This is for a course on edx.org.

  • Supporting documentation
  • Relevant Open edX discussion forum threads
🔘 Get a green build

If one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green.

Details
Where can I find more information?

If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources:

When can I expect my changes to be merged?

Our goal is to get community contributions seen and reviewed as efficiently as possible.

However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:

  • The size and impact of the changes that it introduces
  • The need for product review
  • Maintenance status of the parent repository

💡 As a result it may take up to several weeks or months to complete a review and merge your PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

core contributor PR author is a Core Contributor (who may or may not have write access to this repo). open-source-contribution PR author is not from Axim or 2U

Projects

Status: Needs Triage

Development

Successfully merging this pull request may close these issues.

2 participants