chore: migrate dependency management from Poetry to uv

.github/PULL_REQUEST_TEMPLATE.md

@@ -30,7 +30,7 @@ This PR has been labeled with:
 
 - **type:dependencies** – indicates that this is a dependency update.
 - **automerge** (or **requires-review**) – indicates whether this PR will be merged automatically or requires manual review.
-- **scope:** labels (such as `scope:poetry`, `scope:devtools`, `scope:docker`, etc.) – to categorize the changes into production or development scopes.
+- **scope:** labels (such as `scope:python-deps`, `scope:devtools`, `scope:docker`, etc.) – to categorize the changes into production or development scopes.
 
 ---
 

.github/workflows/gh-pages.yml

@@ -8,7 +8,7 @@
 behavior: "Builds documentation and deploys to GitHub Pages"
 inputs: "Source documentation files"
 outputs: "Deployed documentation on GitHub Pages"
-dependencies: "Poetry, Nox, Sphinx"
+dependencies: "uv, Nox, Sphinx"
 author: "LedgerBase Team"
 last_modified: "2023-11-15"
 changelog: "Initial migration to front-matter format"
@@ -23,14 +23,14 @@
 
 jobs:
   prepare:
-    name: Prepare Poetry & Assured OSS
-    uses: ./.github/workflows/templates/prepare-poetry.yml
+    name: Prepare uv & Assured OSS
+    uses: ./.github/workflows/prepare-uv.yml
     with:
       GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
     secrets:
       GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
 
   docs:
     name: Build & Deploy Docs
     needs: prepare
     runs-on: ubuntu-22.04
@@ -40,10 +40,10 @@
         uses: actions/checkout@v4
 
       - name: Verify no public PyPI fallbacks
-        run: poetry run nox -s verify_assured
+        run: uv run nox -s verify_assured
 
       - name: Build & collect docs via Nox
-        run: poetry run nox -s build_docs
+        run: uv run nox -s build_docs
 
       - name: Deploy to GitHub Pages
         uses: peaceiris/actions-gh-pages@v4

.github/workflows/license.yml

@@ -9,7 +9,7 @@ usage: "Trigger weekly on Sundays at 02:00 UTC, on push/main, or on PR"
 behavior: "Runs Nox license_report; comments on PRs via comment_violations; uploads report artifacts"
 inputs: "Repository code and dependencies"
 outputs: "License report artifacts and PR comments"
-dependencies: "Poetry, Nox, GitHub Actions"
+dependencies: "uv, Nox, GitHub Actions"
 author: "Byron Williams"
 last_modified: "2025-04-25"
 changelog: "Initial migration to front-matter format"
@@ -34,8 +34,8 @@ permissions:
 
 jobs:
   prepare:
-    name: Prepare Poetry & Assured OSS
-    uses: ./.github/workflows/templates/prepare-poetry.yml
+    name: Prepare uv & Assured OSS
+    uses: ./.github/workflows/prepare-uv.yml
     with:
       GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
     secrets:
@@ -50,10 +50,10 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Verify no public PyPI fallbacks
-        run: poetry run nox -s verify_assured
+        run: uv run nox -s verify_assured
 
       - name: Run license_report session
-        run: poetry run nox -s license_report
+        run: uv run nox -s license_report
 
       - name: Upload license report artifacts
         uses: actions/upload-artifact@v4
@@ -75,9 +75,9 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Verify no public PyPI fallbacks
-        run: poetry run nox -s verify_assured
+        run: uv run nox -s verify_assured
 
       - name: Run comment_violations session
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: poetry run nox -s comment_violations
+        run: uv run nox -s comment_violations

.github/workflows/prepare-uv.yml

@@ -0,0 +1,73 @@
+---
+# Front-Matter for GitHub Workflow
+title: "Prepare uv Environment"
+name: "prepare-uv.yml"
+description: "Sets up a uv environment with Google Artifact Registry authentication"
+category: workflow
+usage: "Called by other workflows that need a uv environment"
+behavior: "Installs uv, configures Assured OSS via keyring, and installs dependencies"
+inputs: "GCP_SA_JSON secret for Google Artifact Registry authentication"
+outputs: "python-version output variable and dev-requirements.txt file"
+dependencies: "astral-sh/setup-uv, google-github-actions/auth"
+author: "LedgerBase Team"
+last_modified: "2026-05-29"
+changelog: "Migrated dependency management to uv"
+tags: [uv, workflow, python]
+---
+
+name: Prepare uv Environment
+
+on:
+  workflow_call:
+    secrets:
+      GCP_SA_JSON:
+        description: "Service account JSON for Google Artifact Registry"
+        required: true
+
+jobs:
+  setup:
+    runs-on: ubuntu-latest
+    outputs:
+      python-version: ${{ steps.setup-python.outputs.python-version }}
+
+    # Route uv installs through Assured OSS, with PyPI as a fallback index
+    env:
+      UV_INDEX_URL: https://_json_key_base64:${{ secrets.GCP_SA_JSON }}@us-python.pkg.dev/cloud-aoss/cloud-aoss-python/simple
+      UV_EXTRA_INDEX_URL: https://pypi.org/simple
+
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2.12
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          enable-cache: true
+          cache-dependency-glob: "uv.lock"
+
+      - name: Set up Python
+        id: setup-python
+        run: |
+          uv python install 3.11
+          echo "python-version=3.11" >> "$GITHUB_OUTPUT"
+
+      - name: Authenticate to Google Artifact Registry
+        uses: google-github-actions/auth@v1
+        with:
+          credentials_json: ${{ secrets.GCP_SA_JSON }}
+
+      - name: Install Artifact Registry keyring backend
+        run: uv tool install keyring --with keyrings.google-artifactregistry-auth
+
+      - name: Install Dependencies
+        run: uv sync --frozen --keyring-provider subprocess
+
+      - name: Export Dev Requirements
+        run: |
+          uv export --only-group dev --no-hashes --format requirements-txt \
+            --output-file dev-requirements.txt

.github/workflows/python-compatibility.yml

@@ -37,7 +37,9 @@ jobs:
     name: Python Compatibility Matrix
     uses: ByronWilliamsCPA/.github/.github/workflows/python-compatibility.yml@c22009ccaab0d3234819d30d9d7a03d53c531cb9  # main
     with:
-      python-versions: '["3.10", "3.11", "3.12", "3.13"]'
+      # Project requires Python >=3.11 (sphinx>=8.2 in the dev group drops 3.10),
+      # so 3.10 is intentionally excluded to match requires-python in pyproject.toml.
+      python-versions: '["3.11", "3.12", "3.13"]'
       operating-systems: '["ubuntu-latest"]'
       include-macos: true
       include-windows: true

.github/workflows/release.yml

@@ -8,7 +8,7 @@ usage: "Triggered automatically on push to main branch"
 behavior: "Runs semantic-release to create new releases based on commit messages"
 inputs: "GitHub token and PyPI token secrets"
 outputs: "New GitHub release and PyPI package if applicable"
-dependencies: "semantic-release, poetry"
+dependencies: "semantic-release, uv"
 author: "LedgerBase Team"
 last_modified: "2023-11-15"
 changelog: "Updated to match annotation spec format"
@@ -28,8 +28,8 @@ permissions:
 
 jobs:
   prepare:
-    name: Prepare Poetry & Assured OSS
-    uses: ./.github/workflows/templates/prepare-poetry.yml
+    name: Prepare uv & Assured OSS
+    uses: ./.github/workflows/prepare-uv.yml
     with:
       GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
     secrets:
@@ -45,10 +45,10 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Verify no public PyPI fallbacks
-        run: poetry run nox -s verify_assured
+        run: uv run nox -s verify_assured
 
       - name: Run Semantic-Release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
-        run: poetry run semantic-release publish
+        run: uv run semantic-release publish

.github/workflows/sbom.yml

@@ -9,7 +9,7 @@ usage: "Triggered on push, pull request, or manual workflow dispatch"
 behavior: "Generates SBOM in CycloneDX format and validates it"
 inputs: "Project source code and dependencies"
 outputs: "CycloneDX SBOM artifact (docs/generated/sbom/sbom.cdx.json)"
-dependencies: "Poetry, Nox, Trivy, Docker Buildx"
+dependencies: "uv, Nox, Trivy, Docker Buildx"
 author: "Byron Williams"
 last_modified: "2023-11-15"
 changelog: "Updated header to match annotation specification"
@@ -28,9 +28,9 @@ permissions:
   security-events: write
 
 jobs:
-  # 1. Prepare Poetry & Assured OSS environment (with caching)
+  # 1. Prepare uv & Assured OSS environment (with caching)
   prepare:
-    uses: ./.github/workflows/templates/prepare-poetry.yml
+    uses: ./.github/workflows/prepare-uv.yml
     with:
       GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
     secrets:
@@ -46,7 +46,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Verify no public PyPI fallbacks
-        run: poetry run nox -s verify_assured
+        run: uv run nox -s verify_assured
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
@@ -57,8 +57,8 @@ jobs:
           curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
             | sh -s -- -b /usr/local/bin
 
-      - name: Run SBOM Validate via Poetry
-        run: poetry run nox -s sbom_validate
+      - name: Run SBOM Validate via uv
+        run: uv run nox -s sbom_validate
 
       - name: Upload SBOM artifact
         uses: actions/upload-artifact@v4

.github/workflows/security-pip-audit.yml

@@ -35,7 +35,7 @@ permissions:
 
 jobs:
   prepare:
-    uses: ./.github/workflows/templates/prepare-poetry.yml
+    uses: ./.github/workflows/prepare-uv.yml
     with:
       GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
     secrets:
@@ -59,22 +59,22 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Verify no public PyPI fallbacks
-        run: poetry run nox -s verify_assured
+        run: uv run nox -s verify_assured
 
       - name: Install jq for JSON parsing
         run: |
           sudo apt-get update && sudo apt-get install -y jq
 
       - name: Run pip-audit scan (JSON)
         run: |
-          poetry run pip-audit \
+          uv run pip-audit \
             --requirement "${{ matrix.target.req }}" \
             --format json \
             --output "${{ matrix.target.name }}.json"
 
       - name: Convert JSON → SARIF
         run: |
-          poetry run sarif summary "${{ matrix.target.name }}.json" --format sarif \
+          uv run sarif summary "${{ matrix.target.name }}.json" --format sarif \
             > "${{ matrix.target.name }}.sarif"
 
       - name: Upload JSON report

.github/workflows/security-semgrep.yml

@@ -37,8 +37,8 @@ env:
 
 jobs:
   prepare:
-    name: Prepare Poetry & Assured OSS
-    uses: ./.github/workflows/templates/prepare-poetry.yml
+    name: Prepare uv & Assured OSS
+    uses: ./.github/workflows/prepare-uv.yml
     with:
       GCP_SA_JSON: ${{ secrets.GCP_SA_JSON }}
     secrets:
@@ -53,14 +53,14 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Verify no public PyPI fallbacks
-        run: poetry run nox -s verify_assured
+        run: uv run nox -s verify_assured
 
       - name: Run Semgrep session
         run: |
           if [ "${{ github.event_name }}" = "pull_request" ]; then
-            poetry run nox -s semgrep_ci
+            uv run nox -s semgrep_ci
           else
-            poetry run nox -s semgrep_full
+            uv run nox -s semgrep_full
           fi
 
       - name: Upload Semgrep SARIF (PR only)