@raptorsun raptorsun commented Dec 9, 2025

Description

Keep uv version up to date.

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement

Tools used to create PR

Identify any AI code assistants used in this PR (for transparency and review context)

  • Assisted-by: (e.g., Claude, CodeRabbit, Ollama, etc., N/A if not used)
  • Generated by: (e.g., tool name and version; N/A if not used)

Related Tickets & Documents

  • Related Issue #
  • Closes #

Checklist before requesting a review

  • I have performed a self-review of my code.
  • PR has passed all pre-merge test jobs.
  • If it is a core feature, I have added thorough tests.

Testing

  • Please provide detailed steps to perform tests related to this code change.
  • How were the fix/results from this change verified? Please provide relevant screenshots or results.

Summary by CodeRabbit

  • Chores
    • Relaxed a build-stage dependency constraint to allow newer compatible uv versions (minimum requirement introduced).
    • Updated hermetic dependency pins for uv and pip to more recent releases, ensuring builds use newer, patched versions.

coderabbitai bot commented Dec 9, 2025

Walkthrough

Relaxed the uv constraint in the Containerfile to uv>=0.8.15; updated requirements.hermetic.txt to pin uv==0.9.16 and pip==25.3 (replacing previous uv==0.8.15 and pip==24.2).

Changes

| Cohort / File(s) | Summary |
|---|---|
| Containerfile change: Containerfile | Relaxed uv installation constraint from exact uv==0.8.15 to a minimum uv>=0.8.15 in the builder stage. |
| Hermetic requirements update: requirements.hermetic.txt | Updated pinned versions: uv from ==0.8.15 → ==0.9.16, and pip from ==24.2 → ==25.3. No code/control-flow changes. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Files to inspect closely:
    • Containerfile — ensure relaxed constraint aligns with intended build/test matrix.
    • requirements.hermetic.txt — confirm uv==0.9.16 and pip==25.3 are compatible with the project and CI images.

Suggested reviewers

  • tisnik

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'konflux: unpin uv version for hermetic build' accurately describes the main change: relaxing uv version constraints in the Konflux/Containerfile to allow newer versions while updating dependencies in requirements.hermetic.txt. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5509703 and d97742a.

📒 Files selected for processing (2)
  • Containerfile (1 hunks)
  • requirements.hermetic.txt (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • Containerfile
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-11-24T16:58:04.410Z
Learnt from: CR
Repo: lightspeed-core/lightspeed-stack PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:58:04.410Z
Learning: Use Python package manager `uv` with `uv run` prefix for all development commands

Applied to files:

  • requirements.hermetic.txt
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
  • GitHub Check: build-pr
  • GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-on-pull-request
  • GitHub Check: E2E: server mode / ci
  • GitHub Check: E2E: library mode / ci
  • GitHub Check: E2E: library mode / azure
  • GitHub Check: E2E: server mode / azure
🔇 Additional comments (3)
requirements.hermetic.txt (3)

1-2: Verify version availability and stability before merge.

The PR updates uv from 0.8.15 to 0.9.16 and pip from 24.2 to 25.3 but the PR checklist indicates that self-review and CI/test passing are unchecked. Please verify the new versions are stable and compatible before merging.


1-1: Check for breaking changes and advisories in uv 0.9.16.

The uv version bump crosses a minor version boundary (0.8 → 0.9). Verify there are no breaking changes or known issues that could impact the hermetic build.


1-2: Pin the exact versions correctly, but complete the PR validation first.

uv 0.9.16 was released on 2025-12-06 (3 days old) and pip 25.3 is the fourth and final major release of pip for 2025. However, there are concerns:

  1. Breaking changes in uv 0.9.x: uv 0.9.0 is a breaking release motivated by Python 3.14 containing breaking changes. The jump from 0.8.15 to 0.9.16 crosses a breaking version boundary and requires validation.

  2. Breaking changes in pip 25.3: pip 25.3 removed non-PEP 517 package build support including --no-use-pep517, which could affect build steps in the Containerfile.

  3. Incomplete PR review: The PR checklist shows self-review, CI/test passing, and test-addition items are unchecked. Since hermetic builds must be reproducible and deterministic, these version changes need to be validated before merge.

Run the full CI/test suite to confirm the Konflux build succeeds with these versions, and document any changes to build behavior.


@tisnik tisnik left a comment

LGTM

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
Containerfile (1)

20-37: Relaxing the uv pin changes hermetic/reproducibility characteristics

Switching to pip3.12 install "uv>=0.8.15" means the builder image will pick up newer uv releases over time, which can affect lockfile format, resolution behaviour, or uv sync defaults and make Konflux builds less reproducible compared to the previously pinned toolchain (and to the project’s general preference for exact pins based on previous sprints).

If this drift is intentional for Konflux (so the platform can roll forward uv without touching this repo), it would be good to:

  • Explicitly call this out in the PR description or a short comment here.
  • Optionally update the commented-out install in the final stage to stay consistent with the new policy if/when it’s re-enabled.
requirements.hermetic.txt (1)

1-2: Hermetic requirements now allow uv and pip to drift; confirm pip unpin is intentional

Changing both lines to:

uv>=0.8.15
pip>=24.2

means the “hermetic” toolchain for Konflux can now vary over time for both uv and pip. That may be fine for uv (per the PR objective), but for pip this also weakens strict hermeticity and can introduce behaviour changes when new pip releases land.

Two concrete suggestions:

  • Please confirm that unpinning pip as well as uv is intentional and aligns with your Konflux expectations.
  • If you do want some guardrails, consider constraining the upper bound (e.g., <25) or documenting in a comment that this file is allowed to float for tooling despite the project’s usual exact-pin policy. (Based on learnings, the rest of the stack is typically pinned exactly.)
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2fbbe74 and 5509703.

📒 Files selected for processing (2)
  • Containerfile (1 hunks)
  • requirements.hermetic.txt (1 hunks)
🧰 Additional context used
🧠 Learnings (2)
📓 Common learnings
Learnt from: matysek
Repo: lightspeed-core/lightspeed-stack PR: 292
File: pyproject.toml:43-45
Timestamp: 2025-08-18T10:55:18.914Z
Learning: The lightspeed-stack project updates dependencies every sprint as part of their regular maintenance cycle, which explains their preference for exact dependency pins rather than version ranges.
📚 Learning: 2025-11-24T16:58:04.410Z
Learnt from: CR
Repo: lightspeed-core/lightspeed-stack PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:58:04.410Z
Learning: Use Python package manager `uv` with `uv run` prefix for all development commands

Applied to files:

  • requirements.hermetic.txt
  • Containerfile
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
  • GitHub Check: build-pr
  • GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-on-pull-request
  • GitHub Check: E2E: library mode / azure
  • GitHub Check: E2E: library mode / ci
  • GitHub Check: E2E: server mode / azure
  • GitHub Check: E2E: server mode / ci

Signed-off-by: Haoyu Sun <hasun@redhat.com>
@tisnik tisnik merged commit 5cb5c96 into lightspeed-core:main Dec 9, 2025
21 of 25 checks passed
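
The pinned-versus-floating distinction the review comments above turn on, written as a check a CI job could run over requirements.hermetic.txt. This is an added example, not code from the PR or from the lightspeed-stack project; the `audit` helper is hypothetical and the sample file contents are constructed from the specifiers quoted in this thread.

```python
import re

# PEP 508 subset: project name, optional [extras], then the version specifier.
_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$")
# One "==" (or "===") clause with a literal version: no wildcard, no ranges.
_EXACT = re.compile(r"^===?\s*[A-Za-z0-9][A-Za-z0-9.!+_-]*$")

# Constructed samples built from the specifiers quoted in this thread.
FLOATING = "uv>=0.8.15\npip>=24.2\n"
PINNED = "uv==0.9.16\npip==25.3\n"


def logical_lines(text):
    """Join backslash continuations, then drop comments and blank lines."""
    for raw in re.sub(r"\\\r?\n", " ", text).splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if line:
            yield line


def audit(text):
    """Return (name, specifier, problem) for each requirement that can drift."""
    findings = []
    for line in logical_lines(text):
        if line.startswith("-"):  # global pip options such as --index-url
            continue
        # Drop environment markers and per-requirement options (--hash=...).
        head = re.split(r"\s--", line.split(";", 1)[0], maxsplit=1)[0].strip()
        match = _REQ.match(head)
        if match is None:
            findings.append((line, "", "unparseable requirement"))
            continue
        name, spec = match.group(1), match.group(2).strip()
        if not spec:
            findings.append((name, spec, "no version constraint"))
        elif not _EXACT.match(spec):
            findings.append((name, spec, "not an exact pin"))
    return findings


if __name__ == "__main__":
    for label, sample in (("floating", FLOATING), ("pinned", PINNED)):
        print(label, audit(sample) or "all requirements pinned exactly")
```

A non-empty result from `audit` is the condition a pre-merge gate would fail on; an upper-bounded range such as `>=24.2,<25` is still reported, since it can resolve to different versions over time.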