[codex] use uv dependency lock#195
Conversation
Co-Authored-By: Codex <noreply@openai.com>
There was a problem hiding this comment.
💡 Codex Review
https://github.com/QuantStrategyLab/FirstradePlatform/blob/f5247cd6c4bc1b57b23ced6c54b2d12e214e76a7/Dockerfile#L39
Keep /app writable for the runtime cache
When FIRSTRADE_COOKIE_DIR is left at its default relative path (.runtime/firstrade-cookies), the service creates that directory at login via Path(...).mkdir(parents=True), but .runtime is excluded from the Docker context and WORKDIR /app remains root-owned because this copy only chowns files that are copied. The previous chown -R appuser:appuser /app allowed the non-root user to create the cache directory; with this image, default Cloud Run executions that need a Firstrade session will fail with a permission error before trading/smoke checks can run.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| python -m pip install pytest pytest-cov ruff build | ||
|
|
||
| python -m pip install --upgrade pip uv | ||
| uv sync --frozen --extra test --no-install-project |
There was a problem hiding this comment.
Assert the uv.lock is current before syncing
When a dependency pin in pyproject.toml changes without regenerating uv.lock (for example a QPK/UES SHA bump), this CI step still installs the old locked package set: uv sync --help describes --frozen as syncing without updating uv.lock, not checking that it matches the project metadata. I verified a dry-run after changing only the pyproject ref still planned the old locked SHA, and the pin guard does not inspect uv.lock while this install runs before the guard; the Dockerfile and env-sync workflow use the same pattern, so tests/deploys can silently run against stale dependencies unless CI uses --locked or an explicit lock freshness check.
Useful? React with 👍 / 👎.
Summary
pyproject.toml+ a realuv.lock.requirements.txt/constraints.txtfor compatibility during the staged migration.--no-install-projectto keep this dependency-management change separate from package-layout changes..dockerignoreso local venv/build artifacts are not copied into Docker context.Validation
uv sync --frozen --extra test --no-install-projectuv run --no-sync python scripts/check_qpk_pin_consistency.pyuv run --no-sync python -m pytest -q tests/test_uv_dependency_workflow.py tests/test_dependency_pin_guard.pyuv pip checkuv run --no-sync ruff check --exclude external .uv run --no-sync python -m pytest -q(172 passed)uv run --no-sync python -m buildactionlint .github/workflows/ci.yml .github/workflows/sync-cloud-run-env.ymlgit diff --checkdocker build -t firstradeplatform-uv-sync:local .