Skip to content

Cache uv dependencies to speed up PR checks #333

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
chayac wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Cache uv dependencies to speed up PR checks #333

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
f0cdf34
Cache uv dependencies to speed up PR checks
chayac Feb 18, 2026
fade2dd
Potential fix for code scanning alert no. 29: Workflow does not conta…
chayac Feb 18, 2026
61690be
update astral-sh/setup-uv workflow to latest version
chayac Feb 18, 2026
3fefebc
refresh dependency cache daily
chayac Feb 18, 2026
19f30c9
Add GH workflow to test Pypi release
chayac Feb 18, 2026
c737fa4
update workflow permissions
chayac Feb 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 49 additions & 0 deletions .github/workflows/cache-dependencies.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
name: Build uv cache

permissions:
contents: read

on:
push:
branches:
- main
paths:
- "uv.lock"
- "**/pyproject.toml"
workflow_dispatch:
schedule:
- cron: '0 0 * * *'

jobs:
build-cache:
name: build cache on ${{ matrix.python-version }}
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
python-version: ["3.10", "3.11", "3.12", "3.13"]
Copy link
Copy Markdown
Contributor

@davidharting davidharting Feb 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice! Was wondering how our multi-python version stuff would make this differ from the post you linked.

Pretty simple - just run across all python versions and include python-version in the cache key!


steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Install uv
uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7
with:
python-version: ${{ matrix.python-version }}
enable-cache: false

- name: Install dependencies and populate cache
run: |
echo "Building global UV cache..."
uv sync --all-packages --all-extras
echo "Cache populated successfully"

- name: Save uv caches
uses: actions/cache/save@v4
with:
path: |
~/.cache/uv
~/.local/share/uv
.venv
key: uv-main-${{ matrix.python-version }}-${{ hashFiles('uv.lock') }}
Comment on lines +19 to +49

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 3 months ago

In general, the fix is to explicitly declare a restrictive permissions: block, either at the workflow root or at the job level, granting only the scopes required. For this workflow, the steps only need to read repository contents (for checkout) and do not need to write to the repo or interact with issues/PRs, so contents: read at the workflow level is sufficient. actions/cache/save uses dedicated cache APIs and does not require repo write permissions.

The best minimal fix without changing existing behavior is to add a root-level permissions: block just after the name: (before on:), specifying contents: read. This will apply to all jobs in this workflow (there is only build-cache). No other scopes (like pull-requests, issues, etc.) are necessary based on the current steps. No additional imports or code changes are needed; we only modify .github/workflows/cache-dependencies.yml.

Concretely: in .github/workflows/cache-dependencies.yml, insert:

permissions:
  contents: read

between line 1 (name: Build uv cache) and line 3 (on:). The rest of the workflow remains unchanged.

Suggested changeset 1
.github/workflows/cache-dependencies.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/cache-dependencies.yml b/.github/workflows/cache-dependencies.yml
--- a/.github/workflows/cache-dependencies.yml
+++ b/.github/workflows/cache-dependencies.yml
@@ -1,5 +1,8 @@
 name: Build uv cache
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
EOF
@@ -1,5 +1,8 @@
name: Build uv cache

permissions:
contents: read

on:
push:
branches:
Copilot is powered by AI and may make mistakes. Always verify output.
@chayac chayac committed this autofix suggestion 3 months ago.
Copy link
Copy Markdown
Contributor

@davidharting davidharting Feb 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So I guess we need a top level:

permissions:
  contents: read

block. But to write to the cache, maybe we need read,write?

Might have to play with it. I'm not seeing cache-management explicitly discussed in this doc on workflow permissions syntax

44 changes: 44 additions & 0 deletions .github/workflows/check-pypi-release.yml
View file
Open in desktop
Copy link
Copy Markdown
Contributor

@davidharting davidharting Feb 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was this for your own debugging or is this something we want to keep around?

It looks like it overlaps somewhat with our noxfile tests

Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
name: Check Latest Pypi Release

on:
workflow_dispatch:
inputs:
release-version:
type: string
description: Choose which release tag to test (no leading v)

permissions:
contents: read

jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 1
sparse-checkout: |
tests/integration_tests/dbt_projects/project1
tests/integration_tests/package_upgrades/mixed_versions
sparse-checkout-cone-mode: false

- name: Install uv
uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7

- name: Create new uv project
run: uv init

- name: Install specified release
run: uv add dbt-autofix==${{ inputs.release-version }}

- name: Display uv dependencies
run: uv tree

- name: Check version
run: uv run dbt-autofix --version

- name: Test deprecations
run: uv run dbt-autofix deprecations --all --path tests/integration_tests/dbt_projects/project1

- name: Test package upgrade
run: uv run dbt-autofix packages --force-upgrade --path tests/integration_tests/package_upgrades/mixed_versions
2 changes: 1 addition & 1 deletion .github/workflows/nox-pr.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,6 @@ jobs:
steps:
- uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # actions/checkout@v4
- name: Install uv
uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # astral-sh/setup-uv@v5
uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7
- uses: fjwillemsen/setup-nox2@fc5420448a3f1145b0128f86b1837e82841684a4 # fjwillemsen/setup-nox2@v3.0.0
- run: nox
32 changes: 27 additions & 5 deletions .github/workflows/pytest-pr.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,25 +20,47 @@ jobs:
steps:
- uses: actions/checkout@v4

- uses: astral-sh/setup-uv@e58605a9b6da7c637471fab8847a5e5a6b8df081 # v5
- name: Restore global uv cache
id: cache-restore
uses: actions/cache/restore@v4
with:
path: |
~/.cache/uv
~/.local/share/uv
.venv
key: uv-main-${{ matrix.python-version }}-${{ hashFiles('uv.lock') }}
restore-keys: |
uv-main-${{ matrix.python-version }}-
Copy link
Copy Markdown
Contributor

@davidharting davidharting Feb 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not really clear why restore-keys does not include the uv.lock hash


- uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7
with:
python-version: ${{ matrix.python-version }}
enable-cache: true
cache-suffix: test
enable-cache: false

- run: uv sync --all-extras --all-packages
- run: uv run pytest

- name: Save uv caches
if: steps.cache-restore.outputs.cache-hit != 'true'
uses: actions/cache/save@v4
with:
path: |
~/.cache/uv
~/.local/share/uv
.venv
key: uv-main-${{ matrix.python-version }}-${{ hashFiles('uv.lock') }}

lint:
name: lint
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- uses: actions/checkout@v4
- uses: astral-sh/setup-uv@e58605a9b6da7c637471fab8847a5e5a6b8df081 # v5
- uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7
with:
python-version: "3.10"
enable-cache: true
cache-suffix: lint
- run: uv tool run ruff@0.14.14 check . --config pyproject.toml
- run: uv tool run ruff@0.14.14 format --check --diff . --config pyproject.toml
- run: uv tool run ruff@0.14.14 format --check --diff . --config pyproject.toml

2 changes: 1 addition & 1 deletion .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ jobs:
persist-credentials: false

- name: Install uv
uses: astral-sh/setup-uv@caf0cab7a618c569241d31dcd442f54681755d39 # astral-sh/setup-uv@v3
uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7
Copy link
Copy Markdown
Contributor

@davidharting davidharting Feb 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for the upgrades!


- name: Build artifacts
run: uv build --all
Expand Down
5 changes: 4 additions & 1 deletion .github/workflows/schedule.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,13 +4,16 @@ on:
schedule:
- cron: '0 * * * *'

permissions:
contents: read

jobs:
nox:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # actions/checkout@v4
- name: Install uv
uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # astral-sh/setup-uv@v5
uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7
- uses: fjwillemsen/setup-nox2@fc5420448a3f1145b0128f86b1837e82841684a4 # fjwillemsen/setup-nox2@v3.0.0
- run: nox --session check_latest_schema-3.13
- run: uv sync --all-extras --all-packages --python 3.13
Expand Down