build: migrate codespell and gitlint from pip to uvx

[cblecker]

What this PR does / why we need it:

Migrates codespell and gitlint from pip install --target to uvx, which runs Python tools in ephemeral, cached environments.

Before: pip install created local *_dist/ directories under hack/tools/bin/, required shuffling binaries around, and could conflict with system Python.

After: uvx handles tool installation transparently with zero side effects. No local dist directories, no pip invocations.

Changes:

• Add UVX ?= uvx variable (overridable)
• Replace $(CODESPELL) / $(GITLINT) invocations with $(UVX) codespell== / $(UVX) gitlint-core==
• Remove codespell and gitlint installation prerequisites and build targets
• Remove ./hack/tools/bin/codespell_dist from the codespell skip list (no longer exists)

Which issue(s) this PR fixes:

Special notes for your reviewer:

• The PyPI package providing the gitlint CLI via uvx is gitlint-core, not gitlint
• Version pins are preserved (codespell==2.4.1, gitlint-core==0.19.1)
• UVX variable is overridable (UVX ?= uvx) for CI environments

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Summary by CodeRabbit

Chores

• Refactored tool management for code verification and linting to use explicit version handling, improving consistency across development environments
• Removed local tool installation steps that were previously required in the build process, reducing initial setup complexity for developers
• Enhanced baseline detection mechanism for local development linting workflows, providing improved accuracy when determining merge points

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci]

Please specify an area label

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

Walkthrough

The Makefile is refactored to use UVX as a universal tool invoker for external utilities (codespell, gitlint) instead of direct command calls. Legacy tool build targets are removed, and merge-base computation for non-PR scenarios is expanded to consider additional remote branches.

Changes

Cohort / File(s)

Summary

UVX Integration and Tool Management Makefile

Introduces UVX variable and replaces direct codespell/gitlint invocations with UVX-wrapped calls using explicit version constraints (CODESPELL_VER, GITLINT_VER). Removes legacy codespell and gitlint build targets. Updates verify-codespell and run-gitlint to call tools via UVX. Extends merge-base computation in non-PR path to include origin/main and origin/master branches for enhanced baseline determination in local development.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: migrating codespell and gitlint tooling from pip-based installation to uvx execution.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	The custom check for stable and deterministic test names is not applicable to this PR. The PR only modifies the Makefile for build tooling configuration, with no changes to any test files or test title declarations.
Test Structure And Quality	✅ Passed	The custom check for test structure and quality is inapplicable since this PR only modifies the Makefile for build tooling migration and contains no test file changes.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: cblecker
Once this PR has been reviewed and has the lgtm label, please assign sjenning for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@Makefile`:
- Around line 382-383: The Makefile target verify-codespell currently uses an
invalid UVX version specifier "(UVX) codespell==$(CODESPELL_VER)"; update the
invocation in the verify-codespell recipe to use a valid UVX pinning form —
either call UVX with the direct command form $(UVX) codespell@$(CODESPELL_VER)
or use the PEP 508 form $(UVX) --from 'codespell==$(CODESPELL_VER)' codespell —
referencing the verify-codespell target and the UVX and CODESPELL_VER variables
when making the change.

---

ℹ️ Review info

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 40d6470 and 326bb87.

📒 Files selected for processing (1)

• Makefile

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

uvx version specifier syntax @ == documentation

💡 Result:

In uvx (alias of uv tool run), @ and == apply in different places:

• command@<version> (uvx shorthand) = exact tool version only
  Use this when the command name itself includes a pinned version, e.g. uvx ruff@0.6.0 check. The docs note this form and that @ is for an exact version (and @latest is also supported). [2]

• --from / --with use standard Python dependency specifiers (PEP 508), e.g. ==, ranges, extras
  Examples:

  • uvx --from 'ruff==0.3.0' ruff check
  • uvx --from 'ruff>0.2.0,<0.3.0' ruff check
  • uvx --from 'mypy[faster-cache,reports]==1.13.0' mypy ...
    This is standard “dependency specifier” syntax (name[extras] ==1.2.3, >=, <, !=, etc.). [2][3]

• CLI reference confirms command may include <package>@<version> (for the command token), and uvx behavior matches uv tool run. [1]

If you’re trying something like --with "pkg@1.2.3", that typically won’t parse as a version pin—use --with "pkg==1.2.3" instead. (This mismatch is also discussed in uv’s issue tracker.) [4]

Sources: uv CLI reference [1], uv “Using tools” guide [2], uv dependency specifiers (PEP 508) docs [3], GitHub issue discussion [4].

---

Fix uvx version specifier syntax.

uvx version pinning uses either @ for the direct command form (e.g., uvx codespell@2.4.1) or PEP 508 specifiers with the --from flag (e.g., uvx --from 'codespell==2.4.1' codespell). The current form $(UVX) codespell==$(CODESPELL_VER) mixes both approaches and will not work. Use either $(UVX) codespell@$(CODESPELL_VER) or $(UVX) --from 'codespell==$(CODESPELL_VER)' codespell.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Makefile` around lines 382 - 383, The Makefile target verify-codespell
currently uses an invalid UVX version specifier "(UVX)
codespell==$(CODESPELL_VER)"; update the invocation in the verify-codespell
recipe to use a valid UVX pinning form — either call UVX with the direct command
form $(UVX) codespell@$(CODESPELL_VER) or use the PEP 508 form $(UVX) --from
'codespell==$(CODESPELL_VER)' codespell — referencing the verify-codespell
target and the UVX and CODESPELL_VER variables when making the change.

[openshift-ci]

@cblecker: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/verify	326bb87	link	true	/test verify

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[bryan-cox]

Verify is failing

/bin/sh: line 1: uvx: command not found

[cblecker]

@bryan-cox This would need openshift/release#75848 as a pre-requisite

[openshift-bot]

Stale PRs are closed after 21d of inactivity.

If this PR is still relevant, comment to refresh it or remove the stale label.
Mark the PR as fresh by commenting /remove-lifecycle stale.

If this PR is safe to close now please do so with /close.

/lifecycle stale

[hypershift-jira-solve-ci]

There it is. The custom-verify-src Dockerfile only installs python3-pip — it does NOT install uv/uvx. The PR changed the Makefile to use uvx instead of pip, but the CI image only has pip available. uvx is part of the uv Python package manager, which is a separate tool not available in the RHEL-based CI image.

I now have all the evidence for a complete root cause analysis.

Test Failure Analysis Complete

Job Information

• Prow Job: pull-ci-openshift-hypershift-main-verify
• Build ID: 2027571858034921472
• Target: verify
• PR: #7829 — build: migrate codespell and gitlint from pip to uvx

Test Failure Analysis

Error

/bin/sh: line 1: uvx: command not found
make: *** [Makefile:383: verify-codespell] Error 127

Summary

PR #7829 migrated the verify-codespell and run-gitlint Makefile targets from pip install --target to uvx (the uv Python package runner), but the CI container image used to run the verify step does not have uvx installed. The custom-verify-src image is built from a Dockerfile that only runs RUN dnf install -y python3-pip on top of the base Go builder image — uv is never installed. When make verify reaches the verify-codespell target, it invokes uvx codespell==2.4.1 which fails immediately with exit code 127 (command not found).

Root Cause

The custom-verify-src CI image is built from an inline Dockerfile defined in the ci-operator build configuration:

FROM base
RUN dnf install -y python3-pip

This image is based on openshift/release:rhel-9-release-golang-1.25-openshift-4.22 and only installs python3-pip. The uv tool (which provides the uvx command) is not part of this image and is not available in standard RHEL 9 repositories via dnf.

PR #7829 changed the Makefile to replace:

# Before: pip-installed codespell binary
verify-codespell: codespell
    @$(CODESPELL) --count ...

with:

# After: uvx-invoked codespell
verify-codespell:
    @$(UVX) codespell==$(CODESPELL_VER) --count ...

where UVX ?= uvx. Since uvx is not present in the CI environment, the verify-codespell make target fails with /bin/sh: line 1: uvx: command not found (exit code 127), which cascades to fail the entire make verify step.

The fix requires either updating the custom-verify-src Dockerfile in the openshift/release CI configuration to install uv (e.g., RUN pip install uv or curl -LsSf https://astral.sh/uv/install.sh | sh), or reverting to the pip-based approach.

Recommendations

1. Update the CI image to include uv: Modify the custom-verify-src Dockerfile in the openshift/release CI configuration to install uv. The inline Dockerfile should be updated to:

   FROM base
   RUN dnf install -y python3-pip && pip install uv

   or use the official installer:

   FROM base
   RUN dnf install -y python3-pip && curl -LsSf https://astral.sh/uv/install.sh | sh

2. Alternative — install uv in the Makefile: Add a Makefile target to install uv locally if not present, similar to how other tools are bootstrapped, and make verify-codespell depend on it.

3. Alternative — revert to pip: If updating the CI image is not desirable, revert the Makefile change and keep using pip install --target for codespell and gitlint.

4. Coordinate the changes: The Makefile change (hypershift repo) and the CI image change (openshift/release repo) need to land together or the CI image change needs to land first. Consider opening the CI image PR first, waiting for it to merge and propagate, then re-running this PR.

Evidence

Evidence	Detail
Error message	/bin/sh: line 1: uvx: command not found (build-log.txt lines 840, 880)
Exit code	127 — shell "command not found"
Failed make target	Makefile:383: verify-codespell
CI image Dockerfile	FROM base / RUN dnf install -y python3-pip (extracted from builds.json)
Base image	openshift/release:rhel-9-release-golang-1.25-openshift-4.22 (from .ci-operator.yaml)
PR diff	Replaced $(CODESPELL) (pip-installed binary) with $(UVX) codespell==$(CODESPELL_VER)
UVX variable	UVX ?= uvx — defaults to system uvx which is not installed
JUnit result	Run test verify - container test — failure in junit_operator.xml
Step graph	verify step failed: true; custom-verify-src build succeeded

---