From d9d24b8cd9ee4397f76fa8e25b0494bd7328079f Mon Sep 17 00:00:00 2001
From: Irfan Ahmad
Date: Wed, 1 Jul 2026 16:37:15 +0500
Subject: [PATCH] feat: migrate codejail sandbox to its own uv project (uv migration 3/5)
Gives requirements/edx-sandbox/ its own standalone pyproject.toml + uv.lock, independent of the main app's dependency graph (codejail intentionally runs untrusted code in a separate, isolated venv). [tool.edx_lint].uv_constraints holds only the subset of the root constraints relevant to this environment's deps (numpy, lxml, setuptools) -- uv/edx-lint have no cross-project constraint chaining equivalent to pip-compile's "-c ../constraints.txt", so root and sandbox constraints are now independently maintained (documented in requirements/edx-sandbox/README.rst). base.txt is regenerated as a `uv export` compatibility artifact (the README documents it as a supported, if unstable, direct pip-install target). releases/*.txt are untouched -- they're frozen historical snapshots, not part of any active compile loop; README now documents cutting future ones via `uv export` instead of pip-compile.
Part of https://github.com/openedx/public-engineering/issues/543 (3 of 5).
Co-Authored-By: Claude Sonnet 5
---
Makefile | 29 +-
requirements/edx-sandbox/README.rst | 30 +-
requirements/edx-sandbox/base.in | 14 -
requirements/edx-sandbox/base.txt | 53 +-
requirements/edx-sandbox/pyproject.toml | 57 ++
requirements/edx-sandbox/uv.lock | 951 ++++++++++++++++++++++++
6 files changed, 1077 insertions(+), 57 deletions(-)
delete mode 100644 requirements/edx-sandbox/base.in
create mode 100644 requirements/edx-sandbox/pyproject.toml
create mode 100644 requirements/edx-sandbox/uv.lock
diff --git a/Makefile b/Makefile
index ba68befd1f8b..f85f6c4e1f8c 100644
--- a/Makefile
+++ b/Makefile
@@ -64,7 +64,7 @@ pull_translations: clean_translations ## pull translations via atlas detect_changed_source_translations: ## check if translation files are up-to-date i18n_tool changed -pre-requirements: ## install Python requirements for running pip-tools (still needed for requirements/edx-sandbox and scripts/*, which aren't on uv yet) +pre-requirements: ## install Python requirements for running pip-tools (still needed for scripts/*, which aren't on uv yet) pip install -r requirements/pip-tools.txt local-requirements: ## no-op; `uv sync` (used by the targets below) already installs -e . itself 
@@ -81,19 +81,22 @@ test-requirements: ## install only testing dependencies (used by CI and tox) requirements: dev-requirements ## install development environment requirements -# requirements/edx-sandbox (codejail's isolated sandbox environment) and the -# scripts/* one-off script directories are not yet migrated to uv (tracked in -# https://github.com/openedx/public-engineering/issues/543) and are still +# The scripts/* one-off script directories are not yet migrated to uv (tracked +# in https://github.com/openedx/public-engineering/issues/543) and are still # compiled with pip-compile below. Order is important: files must appear # after everything they include! REQ_FILES = \ - requirements/edx-sandbox/base \ scripts/xblock/requirements \ scripts/user_retirement/requirements/base \ scripts/user_retirement/requirements/testing \ scripts/structures_pruning/requirements/base \ scripts/structures_pruning/requirements/testing +# uv-managed sub-projects, each with their own pyproject.toml + uv.lock, +# independent of the root project's dependency graph. +UV_SUBPROJECTS = \ + requirements/edx-sandbox + define COMMON_CONSTRAINTS_TEMP_COMMENT # This is a temporary solution to override the real common_constraints.txt\n# In edx-lint, until the pyjwt constraint in edx-lint has been removed.\n# See BOM-2721 for more details.\n# Below is the copied and edited version of common_constraints\n endef 
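Review bot: The new comment above `UV_SUBPROJECTS` says the sub-projects are independent of the root dependency graph, but not what that costs a maintainer. Per the commit message, root constraints no longer chain into `requirements/edx-sandbox`, so a pin added at the root (a security pin included) will not reach the sandbox lock unless someone copies it over. I would state that next to the variable, e.g. `# NOTE: root constraints are NOT inherited; mirror any pin that matters in each sub-project's [tool.edx_lint].uv_constraints.`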
@@ -152,7 +155,21 @@ compile-requirements: pre-requirements ## Regenerate uv.lock for the root projec export REBUILD=''; \ done -upgrade: $(COMMON_CONSTRAINTS_TXT) ## update all dependencies (uv.lock for the root project, pip-compile for the not-yet-migrated sub-projects) to the latest releases satisfying our constraints + @for d in $(UV_SUBPROJECTS); do \ + echo ; \ + echo "== $$d ===============================" ; \ + uv run --no-project --with edx-lint edx_lint write_uv_constraints $$d/pyproject.toml && \ + (cd $$d && uv lock ${UV_LOCK_OPTS}) && \ + ( \ + echo "# GENERATED FILE, DO NOT EDIT DIRECTLY."; \ + echo "# Compatibility export for anyone still 'pip install -r $$d/base.txt'"; \ + echo "# directly instead of using uv. Source of truth: $$d/pyproject.toml / uv.lock."; \ + (cd $$d && uv export --frozen --no-hashes --no-emit-project); \ + ) > $$d/base.txt \ + || exit 1; \ + done + +upgrade: $(COMMON_CONSTRAINTS_TXT) ## update all dependencies (uv.lock for the root project and uv sub-projects, pip-compile for the not-yet-migrated sub-projects) to the latest releases satisfying our constraints $(MAKE) compile-requirements COMPILE_OPTS="--upgrade" UV_LOCK_OPTS="--upgrade" upgrade-package: ## update just one package to the latest usable release diff --git a/requirements/edx-sandbox/README.rst b/requirements/edx-sandbox/README.rst index 96c90ee911f4..2a3836563170 100644 --- a/requirements/edx-sandbox/README.rst +++ b/requirements/edx-sandbox/README.rst @@ -10,22 +10,27 @@ within ``
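Review bot: The added sub-project loop runs `uv run --no-project --with edx-lint edx_lint write_uv_constraints $$d/pyproject.toml` with no version on `edx-lint`, so whichever release the index serves at that moment rewrites the constraints feeding the sandbox's `uv.lock`. The pip-compile path it replaces installed its tooling from `requirements/pip-tools.txt` (presumably pinned), so this looks like a regression in how tightly the lock-generation tooling is controlled; pin it, e.g. `--with 'edx-lint==PINNED_VERSION'` (placeholder), or resolve it from a committed requirements file. Separately, `) > $$d/base.txt` truncates the file before `uv export` runs, so a failed export leaves a header-only or partial base.txt that still looks installable; redirect to `$$d/base.txt.tmp` and `mv` it into place only on success. The compile-requirements recipe begins above this hunk, so the earlier loop is not visible here.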