Skip to content

Change workflow to using uv and ruff.#133

Open
roberthdevries wants to merge 3 commits into
wolfSSL:masterfrom
roberthdevries:pipeline-use-uv-and-ruff
Open

Change workflow to using uv and ruff.#133
roberthdevries wants to merge 3 commits into
wolfSSL:masterfrom
roberthdevries:pipeline-use-uv-and-ruff

Conversation

@roberthdevries

Copy link
Copy Markdown
Contributor

uv is used to manage virtual environments and building wheels and source distributions.
This replaces tox.
ruff is used to do static checking.
README is updated to reflect this change.

@dgarske dgarske left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skoll Code Review

Scan type: reviewOverall recommendation: REQUEST_CHANGES
Findings: 7 total — 7 posted, 0 skipped
7 finding(s) posted as inline comments (see file-level comments below)

Posted findings

  • [High] build-no-pqc 'Install uv' step has both uses and run (invalid workflow).github/workflows/python-app.yml:79-87
  • [High] 'Install wolfcrypt-py' step left with only env and loses USE_LOCAL_WOLFSSL.github/workflows/python-app.yml:76-78
  • [High] uv sync --locked will fail: no uv.lock committed in the repo.github/workflows/python-app.yml:32
  • [Medium] README documents invalid uv run sync --dev commandREADME.rst:93
  • [Medium] README uv pip install . requires an active virtualenvREADME.rst:67
  • [Low] RST title underline too short for renamed 'pytest' headingREADME.rst:83-84
  • [Low] --all-extras is a no-op (no optional-dependencies defined).github/workflows/python-app.yml:32

Review generated by Skoll

Comment thread .github/workflows/python-app.yml Outdated
Comment thread .github/workflows/python-app.yml
Comment thread .github/workflows/python-app.yml Outdated
Comment thread README.rst Outdated
Comment thread README.rst Outdated
Comment thread README.rst
Comment thread .github/workflows/python-app.yml Outdated
@dgarske dgarske assigned roberthdevries and unassigned dgarske Jun 30, 2026
uv is used to manage virtual environments and building wheels and
source distributions.
This replaces tox.
ruff is used to do static checking.
README is updated to reflect this change.
@roberthdevries roberthdevries force-pushed the pipeline-use-uv-and-ruff branch from adfa03e to 37e8f12 Compare June 30, 2026 20:56
@dgarske dgarske self-requested a review July 1, 2026 14:47

@dgarske dgarske left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skoll Code Review

Scan type: reviewOverall recommendation: COMMENT
Findings: 6 total — 6 posted, 0 skipped
5 finding(s) posted as inline comments (see file-level comments below)
1 finding(s) not tied to a diff line (full detail below)

Posted findings

  • [Medium] build-no-pqc mixes uv pip install with uv run, risking an extension rebuild without USE_LOCAL_WOLFSSL.github/workflows/python-app.yml:84-93
  • [Medium] Malformed reStructuredText: code-block directive missing blank lineREADME.rst:76-77
  • [Medium] Enabling uv run ruff check may fail CI on previously-unlinted code.github/workflows/python-app.yml:33-34
  • [Low] README tells users to uv sync to install against local wolfSSL, changing install semanticsREADME.rst:67
  • [Low] tox tested a built wheel (package = "wheel"); uv run pytest tests the editable/source installpyproject.toml:43-51 (removed [tool.tox])

Findings not tied to a diff line

Incomplete tox removal: Makefile test-all/check-all still invoke tox

File: Makefile:61-64
Function: test-all / check-all
Severity: Low

This PR removes tox from pyproject.toml and requirements/test.txt, but make test-all and make check-all still call tox. Because tox is no longer a declared test dependency, uv sync / pip install -r requirements/test.txt will not install it and those Makefile targets now break. This is a direct consequence of the diff (the Makefile is outside the changed-file set but the tox removal makes it dead/broken).

Recommendation: Update or remove the tox-based Makefile targets to keep the tox->uv migration consistent.

Referenced code: Makefile:61-64 (4 lines)


Review generated by Skoll

@@ -81,12 +82,12 @@ jobs:
env:
USE_LOCAL_WOLFSSL: ${{ github.workspace }}/wolfssl-install
run: |

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 [Medium] build-no-pqc mixes uv pip install with uv run, risking an extension rebuild without USE_LOCAL_WOLFSSL

The install step uses uv's pip interface (uv venv + uv pip install -e .) with USE_LOCAL_WOLFSSL set so the CFFI extension builds against the locally-built no-PQC wolfSSL. The next two steps switch to uv's project interface (uv run python -c ..., uv run pytest tests). In a directory containing a [project] table, uv run performs an automatic project sync (lock + exact sync) before executing the command. If that sync rebuilds/reinstalls the wolfcrypt extension, the Import smoke step runs uv run with NO USE_LOCAL_WOLFSSL in its env, so scripts/build_ffi.py falls back to building wolfSSL from the lib/wolfssl submodule with default features (which include ML-KEM/ML-DSA). That would declare INVALID_DEVID and silently defeat the exact regression scenario this job exists to cover (issue #2659), or fail the build. Mixing the pip and project interfaces in one job is the documented footgun here.

Fix: Verify uv does not rebuild the extension between steps; if it can, add --no-sync to the uv run invocations and set USE_LOCAL_WOLFSSL on the smoke step (or convert the whole job to USE_LOCAL_WOLFSSL=... uv sync up front) so the regression coverage stays valid.

Comment thread README.rst

Testing
-------
.. code-block:: console

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 [Medium] Malformed reStructuredText: code-block directive missing blank line

The newly added console block has no blank line between the directive header and its body. RST requires a blank line after a directive before its content; without it docutils raises Error in "code-block" directive and the snippet will not render as a code sample on PyPI/GitHub (the long_description is used as the PyPI page via setup.py). All the other code blocks in this file correctly include the blank line.

Fix: Insert a blank line between .. code-block:: console and $ uv run python3.

version: "0.11.25"
- name: Install the project
run: uv sync --dev
- name: Perform static checks

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 [Medium] Enabling uv run ruff check may fail CI on previously-unlinted code

The PR removes the commented-out flake8 block that carried the note # Won't pass flake8 yet and replaces it with an ACTIVE uv run ruff check step (configured rules E4,E7,E9,F,B,UP, over wolfcrypt/*.py and scripts/build_ffi.py). If that code has not been cleaned up to satisfy those rules, the build job now fails on every push/PR. The README shows passing pytest output but no ruff output, so ruff cleanliness is unverified in the diff.

Fix: Run uv run ruff check against the current tree and fix (or narrow the rule set / add # noqa) any violations before merging, so CI stays green.

Comment thread README.rst
.. code-block:: bash

$ USE_LOCAL_WOLFSSL=/path/to/wolfssl/install pip install .
$ USE_LOCAL_WOLFSSL=/path/to/wolfssl/install uv sync

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔵 [Low] README tells users to uv sync to install against local wolfSSL, changing install semantics

The Installation section replaced USE_LOCAL_WOLFSSL=/path/... pip install . with USE_LOCAL_WOLFSSL=/path/... uv sync. uv sync installs the project into a project-local .venv and only works from within the wolfcrypt-py source tree, whereas pip install . installed wolfcrypt into the user's active environment. A user following these Installation instructions to consume wolfcrypt-py will not get it on their normal Python path (they would have to uv run), which is a behavior change from the documented intent of this section.

Fix: Use uv pip install . here, or clarify that the package is installed into the project .venv and must be run via uv run.

Comment thread pyproject.toml
"sphinx",
"sphinx-rtd-theme",
"tox >= 4",
"ty",

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔵 [Low] tox tested a built wheel (package = "wheel"); uv run pytest tests the editable/source install

The removed [tool.tox.env_run_base] used package = "wheel", so tests ran against a freshly built wheel and thus exercised packaging (MANIFEST / package_data such as the bundled *.dll and *.pyi). The new flow runs uv run pytest against an editable/source install, which can miss packaging regressions (files that are present in the tree but not packaged into the wheel). This is a coverage change worth being deliberate about.

Fix: If packaging coverage matters, add a job/step that builds the wheel (uv build --wheel) and runs the tests against the installed wheel, in addition to the editable-install run.


Note: Referenced line (pyproject.toml:43-51 (removed [tool.tox])) is outside the diff hunk. Comment anchored to nearest changed region.

@dgarske dgarske left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants