uv-ify our development

.github/dependabot.yml

@@ -1,10 +1,12 @@
 version: 2
 
 updates:
-  - package-ecosystem: pip
+  - package-ecosystem: uv
     directory: /
     schedule:
       interval: daily
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: github-actions
     directory: /
@@ -16,6 +18,8 @@ updates:
       actions:
         patterns:
           - "*"
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: github-actions
     directory: .github/actions/upload-coverage/
@@ -27,3 +31,5 @@ updates:
       actions:
         patterns:
           - "*"
+    cooldown:
+      default-days: 7

.github/workflows/check-embedded-root.yml

@@ -3,7 +3,7 @@ name: Check embedded root
 on:
   workflow_dispatch:
   schedule:
-    - cron: '13 13 * * 3'
+    - cron: "13 13 * * 3"
 
 jobs:
   check-embedded-root:
@@ -16,11 +16,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: "3.x"
-          cache: "pip"
-          cache-dependency-path: pyproject.toml
+      - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
 
       - name: Setup environment
         run: make dev
@@ -30,7 +26,6 @@ jobs:
           make update-embedded-root
           git diff --exit-code
 
-
       - if: failure()
         name: Create an issue if embedded root is not up-to-date
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
@@ -40,9 +35,9 @@ jobs:
             const body = `
             The Sigstore [TUF repository](https://tuf-repo-cdn.sigstore.dev/) contents have changed: the data embedded
             in sigstore-python sources can be updated. This is not urgent but will improve cold-cache performance.
-            
+
             Run \`make update-embedded-root\` to update the embedded data.
-            
+
             This issue was filed by _${context.workflow}_ [workflow run](${context.serverUrl}/${repo}/actions/runs/${context.runId}).
             `
 

.github/workflows/ci.yml

@@ -15,7 +15,8 @@ permissions: {}
 jobs:
   test:
     # Avoid scheduled runs in forks
-    if: github.event_name != 'schedule' || github.repository == 'sigstore/sigstore-python'
+    if: github.event_name != 'schedule' || github.repository ==
+      'sigstore/sigstore-python'
     permissions:
       # Needed to access the workflow's OIDC identity.
       id-token: write
@@ -38,15 +39,12 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
           python-version: ${{ matrix.conf.py }}
-          allow-prereleases: true
-          cache: "pip"
-          cache-dependency-path: pyproject.toml
 
       - name: deps
-        run: make dev SIGSTORE_EXTRA=test
+        run: make dev
 
       - name: test (offline)
         if: matrix.conf.os == 'ubuntu-latest'
@@ -91,7 +89,8 @@ jobs:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: test (interactive)
-        if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
+        if: (github.event_name != 'pull_request') ||
+          !github.event.pull_request.head.repo.fork
         run: make test-interactive TEST_ARGS="-vv --showlocals"
 
       - uses: ./.github/actions/upload-coverage
@@ -100,7 +99,8 @@ jobs:
         if: ${{ matrix.conf.os == 'ubuntu-latest' }}
 
   all-tests-pass:
-    if: always() && (github.event_name != 'schedule' || github.repository == 'sigstore/sigstore-python')
+    if: always() && (github.event_name != 'schedule' || github.repository ==
+      'sigstore/sigstore-python')
 
     needs:
       - test
@@ -124,11 +124,9 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: "3.x"
+      - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
 
-      - run: pip install coverage[toml]
+      - run: uv tool install coverage[toml]
 
       - name: download coverage data
         uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
@@ -139,6 +137,6 @@ jobs:
         id: combinecoverage
         run: |
           set +e
-          python -m coverage combine all-artifacts/coverage-data-*
+          coverage combine all-artifacts/coverage-data-*
           echo "## python coverage" >> $GITHUB_STEP_SUMMARY
-          python -m coverage report -m --format=markdown >> $GITHUB_STEP_SUMMARY
+          coverage report -m --format=markdown >> $GITHUB_STEP_SUMMARY

.github/workflows/conformance.yml

@@ -19,23 +19,25 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: "3.x"
-          cache: "pip"
-          cache-dependency-path: pyproject.toml
+      - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
 
       - name: install sigstore-python
-        run: python -m pip install .
+        run: |
+          uv venv
+          uv pip install .
+          echo "$(pwd)/.venv/bin" >> ${GITHUB_PATH}
 
       - uses: sigstore/sigstore-conformance@4d66ba3cb0c9c95f705c757c0f5e226d3f4d5151 # v0.0.27
         with:
           entrypoint: ${{ github.workspace }}/test/integration/sigstore-python-conformance
-          xfail: "test_verify*intoto-with-custom-trust-root] test_verify*managed-key-happy-path] test_verify*managed-key-and-trusted-root]" # see issues 1442, 1244
+          xfail: "test_verify*intoto-with-custom-trust-root]
+            test_verify*managed-key-happy-path]
+            test_verify*managed-key-and-trusted-root]" # see issues 1442, 1244
 
   file-issue-on-failure:
-    needs: [conformance]
-    if: failure() && github.event_name == 'schedule' && github.repository == 'sigstore/sigstore-python'
+    needs: [ conformance ]
+    if: failure() && github.event_name == 'schedule' && github.repository ==
+      'sigstore/sigstore-python'
     permissions:
       issues: write # required to file an issue
     runs-on: ubuntu-latest

.github/workflows/cross-os.yml

@@ -34,23 +34,19 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu, macos, windows]
+        os: [ ubuntu, macos, windows ]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: "3.x"
-          cache: "pip"
-          cache-dependency-path: pyproject.toml
-      - run: pip install .
+      - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
       - name: Fetch testing oidc token
         run: |
           curl --fail --retry 3 --output oidc-token.txt \
             https://storage.googleapis.com/sigstore-conformance-testing-token/untrusted-testing-token.txt
-      - name: Sign 
-        run: python -m sigstore --staging sign --identity-token $(cat oidc-token.txt) test/assets/a.txt
+      - name: Sign
+        run: uv run python -m sigstore --staging sign --identity-token $(cat
+          oidc-token.txt) test/assets/a.txt
       - name: upload signature bundle
         uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
@@ -61,29 +57,24 @@ jobs:
   verify:
     name: Verify ${{ matrix.signed-with-os }} bundle on ${{ matrix.os }}
     if: ${{ always() }} # don't stop some verification if one of the signing jobs failed
-    needs: [sign]
+    needs: [ sign ]
     runs-on: ${{ matrix.os }}-latest
     strategy:
       fail-fast: false # Don't cancel other jobs if one fails
       matrix:
-        os: [ubuntu, macos, windows]
-        signed-with-os: [ubuntu, macos, windows]
+        os: [ ubuntu, macos, windows ]
+        signed-with-os: [ ubuntu, macos, windows ]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: "3.x"
-          cache: "pip"
-          cache-dependency-path: pyproject.toml
-      - run: pip install .
+      - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
       - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: ${{ matrix.signed-with-os }}-bundle
       - name: Verify
         run: |
-          python -m sigstore --staging verify identity --verbose \
+          uv run python -m sigstore --staging verify identity --verbose \
             --cert-identity "untrusted-sa@sigstore-conformance.iam.gserviceaccount.com" \
             --cert-oidc-issuer "https://accounts.google.com" \
             --bundle a.txt.sigstore.json \

.github/workflows/cross-version-verify.yaml

@@ -31,22 +31,17 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: "3.x"
-          cache: "pip"
-          cache-dependency-path: pyproject.toml
-      - run: pip install .
+      - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
       - name: Fetch testing oidc token
         run: |
           curl --fail --retry 3 --output oidc-token.txt \
             https://storage.googleapis.com/sigstore-conformance-testing-token/untrusted-testing-token.txt
-      - name: Sign 
+      - name: Sign
         run: |
           touch artifact
-          python -m sigstore --staging sign --bundle artifact-staging-rekor2.sigstore.json --identity-token $(cat oidc-token.txt) --rekor-version=2 artifact
-          python -m sigstore --staging sign --bundle artifact-staging-rekor1.sigstore.json --identity-token $(cat oidc-token.txt) --rekor-version=1 artifact
-          python -m sigstore sign --bundle artifact-prod-rekor1.sigstore.json --identity-token $(cat oidc-token.txt) --rekor-version=1 artifact
+          uv run python -m sigstore --staging sign --bundle artifact-staging-rekor2.sigstore.json --identity-token $(cat oidc-token.txt) --rekor-version=2 artifact
+          uv run python -m sigstore --staging sign --bundle artifact-staging-rekor1.sigstore.json --identity-token $(cat oidc-token.txt) --rekor-version=1 artifact
+          uv run python -m sigstore sign --bundle artifact-prod-rekor1.sigstore.json --identity-token $(cat oidc-token.txt) --rekor-version=1 artifact
       - name: upload signature bundle
         uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
@@ -56,14 +51,14 @@ jobs:
           retention-days: 1
   verify:
     name: Verify with ${{ matrix.version }} on ${{ matrix.env }}
-    needs: [sign]
+    needs: [ sign ]
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false # Don't cancel other jobs if one fails
       matrix:
         # hand crafted list of old versions we care about
-        version: [3.5.6, 3.6.7, 4.0.0, 4.1.0, 4.2.0]
-        env: [staging, prod]
+        version: [ 3.5.6, 3.6.7, 4.0.0, 4.1.0, 4.2.0 ]
+        env: [ staging, prod ]
         exclude:
           # exclude staging for versions with https://github.com/sigstore/sigstore-python/issues/1656
           - env: staging
@@ -74,10 +69,9 @@ jobs:
             version: 4.1.0
 
     steps:
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: "3.x"
-      - run: pip install sigstore==${{ matrix.version }}
+      - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+      - run: |
+          uv tool install --prerelease=allow sigstore==${{ matrix.version }}
       - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: bundle
@@ -89,7 +83,7 @@ jobs:
           ENV_OPT: ${{ matrix.env == 'staging' && '--staging' || '' }}
           BUNDLE: artifact-${{matrix.env}}-rekor2.sigstore.json
         run: |
-          python -m sigstore $ENV_OPT verify identity --verbose \
+          sigstore $ENV_OPT verify identity --verbose \
             --cert-identity "untrusted-sa@sigstore-conformance.iam.gserviceaccount.com" \
             --cert-oidc-issuer "https://accounts.google.com" \
             --bundle $BUNDLE \
@@ -99,7 +93,7 @@ jobs:
           ENV_OPT: ${{ matrix.env == 'staging' && '--staging' || '' }}
           BUNDLE: artifact-${{matrix.env}}-rekor1.sigstore.json
         run: |
-          python -m sigstore $ENV_OPT verify identity --verbose \
+          sigstore $ENV_OPT verify identity --verbose \
             --cert-identity "untrusted-sa@sigstore-conformance.iam.gserviceaccount.com" \
             --cert-oidc-issuer "https://accounts.google.com" \
             --bundle $BUNDLE \

.github/workflows/docs.yml

@@ -15,15 +15,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: "3.x"
-          cache: "pip"
-          cache-dependency-path: pyproject.toml
-
-      - name: setup
-        run: |
-          make dev SIGSTORE_EXTRA=doc
+      - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
 
       - name: build docs
         run: |

.github/workflows/lint.yml

@@ -17,14 +17,9 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
-          python-version: "3.x"
-          cache: "pip"
-          cache-dependency-path: pyproject.toml
-
-      - name: deps
-        run: make dev SIGSTORE_EXTRA=lint
+          python-version: "3.10"
 
       - name: lint
         run: make lint
@@ -38,14 +33,9 @@ jobs:
 
       # NOTE: We intentionally check --help rendering against our minimum Python,
       # since it changes slightly between Python versions.
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
           python-version: "3.10"
-          cache: "pip"
-          cache-dependency-path: pyproject.toml
-
-      - name: deps
-        run: make dev
 
       - name: check-readme
         run: make check-readme
@@ -74,14 +64,9 @@ jobs:
           persist-credentials: false
 
       # NOTE: We intentionally check test certificates against our minimum supported Python.
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
           python-version: "3.10"
-          cache: "pip"
-          cache-dependency-path: pyproject.toml
-
-      - name: deps
-        run: make dev
 
       - name: ensure testcase generation does not regress
         run: make gen-x509-testcases