Overhaul of lambda template to uv and updated devops conventions

Why these changes are being introduced:

This overhaul of the lambda template has been percolating for some time,
with changes like pipenv to uv, use of AWS SAM for testing, and some
updates to how we run linting, pre-commit hooks, etc.

This work is taken on together to bring a holistic upgrade to the template
instead of piecemeal work that was entrenching some stale patterns.

How this addresses that need:

It was going to be difficult to break this work out into meaningful
smaller commits, given how interwoven the changes are.  The work
breaks down into a few major areas:

1. Update from pipenv to uv
2. Introduce a Config class and simplify the lambda skeleton
3. Introduce AWS SAM for local testing
4. Update linting, pre-commit, and Makefile conventions

While theoretically possible to commit those changes in order, it
felt like an artifical divvying up of work.  These changes have been
vetted in other contexts independently; this commit weaves them
together for this template repository.

Side effects of this change:
* uv nows used for python environment and dependencies
* pre-commit only fires for git push, not git commit
* security scanning is opt-in until renovate becomes a rolling
dependency manager in CI

Relevant ticket(s):
* https://mitlibraries.atlassian.net/browse/IN-1542

Author: ghukill

.github/pull-request-template.md

@@ -15,5 +15,15 @@ YES | NO
 ### What are the relevant tickets?
 - Include links to Jira Software and/or Jira Service Management tickets here.
 
-### Code review
-* Code review best practices are documented [here](https://mitlibraries.github.io/guides/collaboration/code_review.html) and you are encouraged to have a constructive dialogue with your reviewers about their preferences and expectations.
+### Developer
+- [ ] All new ENV is documented in README
+- [ ] All new ENV has been added to staging and production environments
+- [ ] All related Jira tickets are linked in commit message(s)
+- [ ] Stakeholder approval has been confirmed (or is not needed)
+
+### Code Reviewer(s)
+- [ ] The commit message is clear and follows our guidelines (not just this PR message)
+- [ ] There are appropriate tests covering any new functionality
+- [ ] The provided documentation is sufficient for understanding any new functionality introduced
+- [ ] Any manual tests have been performed and verified
+- [ ] New dependencies are appropriate or there were no changes

.github/workflows/ci.yml

@@ -1,7 +1,10 @@
 name: CI
-on: push
+on:
+  pull_request:
+    paths-ignore:
+      - '.github/**'
 jobs:
   test:
-    uses: mitlibraries/.github/.github/workflows/python-shared-test.yml@main
+    uses: mitlibraries/.github/.github/workflows/python-uv-shared-test.yml@main
   lint:
-    uses: mitlibraries/.github/.github/workflows/python-shared-lint.yml@main
+    uses: mitlibraries/.github/.github/workflows/python-uv-shared-lint.yml@main

.gitignore

@@ -136,4 +136,7 @@ dmypy.json
 .vscode/
 
 # jetbrains
-.idea/
+.idea/
+
+.aws-sam/
+tests/sam/env.json

.pre-commit-config.yaml

@@ -1,29 +1,28 @@
 default_language_version:
-  python: python3.12 # set for project python version
+  python: python3.12
+default_stages:
+  - pre-push
 repos:
   - repo: local
     hooks:
-      - id: black-apply
-        name: black-apply
-        entry: pipenv run black
+      - id: ruff-format
+        name: ruff-format
+        entry: uv run ruff format --diff
         language: system
         pass_filenames: true
-        types: ["python"]
+        types: [ "python" ]
+
       - id: mypy
         name: mypy
-        entry: pipenv run mypy
+        entry: uv run mypy
         language: system
         pass_filenames: true
-        types: ["python"]
-        exclude: "tests/"
-      - id: ruff-apply
-        name: ruff-apply
-        entry: pipenv run ruff check --fix
+        types: [ "python" ]
+        exclude: "(tests/|output/|migrations/)"
+
+      - id: ruff-check
+        name: ruff-check
+        entry: uv run ruff check
         language: system
         pass_filenames: true
-        types: ["python"]
-      - id: pip-audit
-        name: pip-audit
-        entry: pipenv run pip-audit
-        language: system
-        pass_filenames: false
+        types: [ "python" ]

.python-version

@@ -1 +1 @@
-3.12
+3.13

Dockerfile

@@ -1,12 +1,18 @@
-FROM public.ecr.aws/lambda/python:3.12
+FROM public.ecr.aws/lambda/python:3.13
 
-# Copy function code
-COPY . ${LAMBDA_TASK_ROOT}/
+# Install uv
+COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
+
+# Copy project metadata
+COPY pyproject.toml uv.lock* ./
 
 # Install dependencies
-RUN pip3 install pipenv
-RUN pipenv requirements > requirements.txt
-RUN pip3 install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
+RUN cd ${LAMBDA_TASK_ROOT} && \
+    uv export --format requirements-txt --no-hashes --no-dev > requirements.txt && \
+    uv pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}" --system
+
+# Copy project files
+COPY . ${LAMBDA_TASK_ROOT}/
 
 # Default handler. See README for how to override to a different handler.
 CMD [ "lambdas.my_function.lambda_handler" ]

Makefile

@@ -5,53 +5,75 @@ help: # Preview Makefile commands
 	@awk 'BEGIN { FS = ":.*#"; print "Usage:  make <target>\n\nTargets:" } \
 /^[-_[:alpha:]]+:.?*#/ { printf "  %-15s%s\n", $$1, $$2 }' $(MAKEFILE_LIST)
 
-#######################
-# Dependency commands
-#######################
+# ensure OS binaries aren't called if naming conflict with Make recipes
+.PHONY: help install venv update test coveralls lint lint-fix security my-app
 
-install: # Install Python dependencies
-	pipenv install --dev
-	pipenv run pre-commit install
+##############################################
+# Python Environment and Dependency commands
+##############################################
 
-update: install # Update Python dependencies
-	pipenv clean
-	pipenv update --dev
+install: .venv .git/hooks/pre-commit .git/hooks/pre-push # Install Python dependencies and create virtual environment if not exists
+	uv sync --dev
+
+.venv: # Creates virtual environment if not found
+	@echo "Creating virtual environment at .venv..."
+	uv venv .venv
+
+.git/hooks/pre-commit: # Sets up pre-commit commit hooks if not setup
+	@echo "Installing pre-commit commit hooks..."
+	uv run pre-commit install --hook-type pre-commit
+
+.git/hooks/pre-push: # Sets up pre-commit push hooks if not setup
+	@echo "Installing pre-commit push hooks..."
+	uv run pre-commit install --hook-type pre-push
+
+venv: .venv # Create the Python virtual environment
+
+update: # Update Python dependencies
+	uv lock --upgrade
+	uv sync --dev
 
 ######################
 # Unit test commands
 ######################
 
 test: # Run tests and print a coverage report
-	pipenv run coverage run --source=lambdas -m pytest -vv
-	pipenv run coverage report -m
+	uv run coverage run --source=lambdas -m pytest -vv
+	uv run coverage report -m
 
 coveralls: test # Write coverage data to an LCOV report
-	pipenv run coverage lcov -o ./coverage/lcov.info
+	uv run coverage lcov -o ./coverage/lcov.info
 
 ####################################
-# Code quality and safety commands
+# Code linting and formatting
 ####################################
 
-lint: black mypy ruff safety # Run linters
-
-black: # Run 'black' linter and print a preview of suggested changes
-	pipenv run black --check --diff .
+lint: # Run linting, alerts only, no code changes
+	uv run ruff format --diff
+	uv run mypy .
+	uv run ruff check .
 
-mypy: # Run 'mypy' linter
-	pipenv run mypy .
+lint-fix: # Run linting, auto fix behaviors where supported
+	uv run ruff format .
+	uv run ruff check --fix .
 
-ruff: # Run 'ruff' linter and print a preview of errors
-	pipenv run ruff check .
+security: # Run security / vulnerability checks
+	uv run pip-audit
 
-safety: # Check for security vulnerabilities and verify Pipfile.lock is up-to-date
-	pipenv run pip-audit
-	pipenv verify
+####################################
+# SAM Lambda
+####################################
+sam-build: # SAM: Build SAM image for running Lambda locally
+	sam build --template tests/sam/template.yaml
 
-lint-apply: # Apply changes with 'black' and resolve 'fixable errors' with 'ruff'
-	black-apply ruff-apply 
+sam-http-run: # SAM: Run lambda locally as an HTTP server
+	sam local start-api --template tests/sam/template.yaml --env-vars tests/sam/env.json
 
-black-apply: # Apply changes with 'black'
-	pipenv run black .
+sam-http-ping: # SAM: Send curl command to SAM HTTP server
+	curl --location 'http://localhost:3000/myapp' \
+	--header 'Content-Type: application/json' \
+	--data '{"msg":"in a bottle"}'
 
-ruff-apply: # Resolve 'fixable errors' with 'ruff'
-	pipenv run ruff check --fix .
+sam-invoke: # SAM: Invoke lambda directly
+	echo '{"msg":"in a bottle"}' \
+	| sam local invoke -e -