Separate security scanned lockfile (#159)

* Add tox env to compile lockfile

* Compile first lockfile

* Update readme

* Add ci job to verify the lockfile is up to date

* Use '--generate-hashes'

* Use pyproject.toml file with all extras for separate lockfile

* Rename scanned lockfile

* Add note to readme about requirements.txt

* Adjust lockfile ci test

* Transform tox.ini envs into simple files with commands

* Remove tox from deps

* Print useful notes in script

* Remove tox.ini

* Update github ci

* Lock build deps

* Add missing cicd to script

* Update lockfile

* Include duplicated build-system reqs in pyproject file

* Fix error msg in update-requirements script

* Have proper ranges for all requirements

* Invoke test and format commands via default interpreter

* Use explicit python platform for lockfile

* Use cicd deps correctly in ci

* Define uv system python by a default env var instead of cli flag

* debug uv in 'test' ci job

* Don't use system python with uv as 'astral-sh/setup-uv@v5' sets uv venv automatically

* Fix yaml syntax

* Remove debug commands from 'test' ci job

* Remove build deps locking workaround

* Fix typo in ci job deps install command

* Do not run python 3.9 in ci

3.9 is old and nearing its eol. Dependency libraries are also dropping
support for it widely.

* Update lockfile

* Add changelog for dropping python3.9

* Drop python 3.9 in pyproject.toml too

* Update README accordingly

* Apply suggestions from code review

Co-authored-by: Rakhim Davletkaliyev <rakhim.davletkaliyev@meetiqm.com>

---------

Co-authored-by: Rakhim Davletkaliyev <rakhim.davletkaliyev@meetiqm.com>

.github/workflows/ci.yml

@@ -8,37 +8,47 @@ on:
 jobs:
   test:
     runs-on: ${{ matrix.platform }}
-
     strategy:
       matrix:
         platform: [ ubuntu-latest, macos-latest, windows-latest ]
-        python-version: [ '3.9', '3.10', '3.11', '3.12' ]
-
+        python-version: [ "3.10", "3.11", "3.12" ]
     steps:
       - uses: actions/checkout@v4
-      - name: Setup Python
-        uses: actions/setup-python@v5
+      - name: Install uv and set the python version
+        uses: astral-sh/setup-uv@v5
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          python -m pip install -e ".[dev]"
-          python -m pip install tox-gh-actions==2.12.0
+        run: uv pip install --constraint requirements.txt --editable .[cicd,testing]
       - name: Run tests
-        run: tox
+        run: ./test
+
   test_docs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - name: Setup Python
-        uses: actions/setup-python@v5
+      - name: Install uv and set the python version
+        uses: astral-sh/setup-uv@v5
         with:
-          python-version: '3.12'
+          python-version: "3.12"
       - name: Install dependencies
         run: |
-          python -m pip install --upgrade pip
-          python -m pip install -e ".[dev, docs]"
+          uv pip install --constraint requirements.txt --editable .[cicd,docs]
           sudo apt-get install graphviz
       - name: Test if docs can be built
-        run: tox -e docs
+        run: ./docbuild
+
+  test_requirements_lock:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install uv and set the python version
+        uses: astral-sh/setup-uv@v5
+        with:
+          python-version: "3.12"
+      - name: Install dependencies
+        run: uv pip install --constraint requirements.txt --editable .[cicd]
+      - name: Regenerate requirements.txt
+        run: python update-requirements.py
+      - name: Check lockfile is up-to-date
+        run: git diff --exit-code HEAD requirements.txt

.github/workflows/publish.yml

@@ -9,21 +9,18 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
-
     steps:
       - uses: actions/checkout@v4
       - name: Fetch all history for all tags and branches
         run: git fetch --prune --unshallow
-      - name: Setup Python
-        uses: actions/setup-python@v5
+      - name: Install uv and set the python version
+        uses: astral-sh/setup-uv@v5
         with:
-          python-version: '3.12'
+          python-version: "3.12"
       - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          python -m pip install build==1.0.3
+        run: uv pip install --constraint requirements.txt --editable .[cicd]
       - name: Build distribution
-        run: python -m build
+        run: uv build --no-build-isolation
       - name: Store distribution packages
         uses: actions/upload-artifact@v4
         with:
@@ -39,7 +36,6 @@ jobs:
       url: https://pypi.org/p/iqm-client
     permissions:
       id-token: write
-
     steps:
       - name: Download distribution packages
         uses: actions/download-artifact@v4
@@ -50,26 +46,24 @@ jobs:
 
   publish_docs:
     runs-on: ubuntu-latest
-
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - name: Setup Python
-        uses: actions/setup-python@v5
+      - name: Install uv and set the python version
+        uses: astral-sh/setup-uv@v5
         with:
-          python-version: '3.12'
+          python-version: "3.12"
       - name: Checkout latest tagged commit
         run: |
           git checkout $(git describe --tags --abbrev=0)
       - name: Install dependencies
         run: |
-          python -m pip install --upgrade pip
-          pip install -e ".[dev]"
+          uv pip install --constraint requirements.txt --editable .[cicd,docs]
           sudo apt-get install graphviz
       - name: Build docs
         run: |
-          tox -e docs
+          ./docbuild
           touch build/sphinx/html/.nojekyll  # allow underscores in URL path
           # remove unnecessary build files
           sudo rm -rf build/sphinx/html/.doctrees
@@ -82,20 +76,16 @@ jobs:
 
   gen_licenses_info:
     runs-on: ubuntu-latest
-
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - name: Setup Python
-        uses: actions/setup-python@v5
+      - name: Install uv and set the python version
+        uses: astral-sh/setup-uv@v5
         with:
-          python-version: '3.12'
+          python-version: "3.12"
       - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install -e ".[dev]"
-          pip install pip-licenses
+        run: uv pip install --constraint requirements.txt --editable .[cicd]
       - name: Generate license information for dependencies
         run: |
           pip-licenses --format=confluence --with-urls > licenses.txt

CHANGELOG.rst

@@ -2,6 +2,12 @@
 Changelog
 =========
 
+Version 20.12
+=============
+
+* Drop support for Python 3.9. `#159 <https://github.com/iqm-finland/iqm-client/pull/159>`_
+* Add optional security-scanned lockfile. `#159 <https://github.com/iqm-finland/iqm-client/pull/159>`_
+
 Version 20.11
 =============
 

README.rst

@@ -16,34 +16,70 @@ Installation
 IQM client is not intended to be used directly by human users. For executing code on an IQM quantum computer,
 you can use for example the `Qiskit on IQM <https://iqm-finland.github.io/qiskit-on-iqm/>`_ library.
 
-If you want just this library, though, you can install it from the Python Package Index (PyPI):
+If you want just this library, though, you can install it from the Python Package Index (PyPI), e.g.:
 
 .. code-block:: bash
 
-    $ pip install iqm-client
+    $ uv pip install iqm-client
+
+.. note::
+
+    `uv <https://docs.astral.sh/uv/>`_ is highly recommended for practical Python environment and package management.
+
+Supplied within the Python package there is an additional `requirements.txt` file containing locked, security scanned
+dependencies. The file can be used to constrain installed dependencies either directly from the repo or by
+extracting it from the PyPI package.
+
+.. code-block:: bash
+
+    $ uv pip install --constraint requirements.txt iqm-client
+
+Contributing
+============
+
+Format your code:
+
+.. code-block:: bash
+
+   $ ./format
+
+Run the tests:
+
+.. code-block:: bash
+
+   $ ./test
+
+Update the requirements. This is necessary when you add a new dependency or update an existing one in `pyproject.toml`.
+After this, any changes in the lockfile `requirements.txt` have to be committed.
+The script upgrades locked dependencies defined in `pyproject.toml` within the given version ranges. However, transitive
+dependencies are deliberately not upgraded automatically.
+
+.. code-block:: bash
+
+   $ python update-requirements.py
 
 Documentation
 =============
 
 Documentation for the latest version is `available online <https://iqm-finland.github.io/iqm-client/>`_. 
 You can build documentation for any older version locally by cloning the Git repository, checking out the 
-corresponding tag, and running the docs builder. For example, to build the documentation for version ``15.4``:
+corresponding tag, and running the docs builder. For example, to build the documentation for version ``20.12``:
 
 .. code-block:: bash
 
     $ git clone git@github.com:iqm-finland/iqm-client.git
     $ cd iqm-client
-    $ git checkout 15.4
-    $ tox run -e docs
+    $ git checkout 20.12
+    $ ./docbuild
 
 (Unless you need to build documentation for multiple versions, consider passing ``git clone`` options to
 only clone the commit for the specific version tag, e.g. ``--branch 15.4 --depth 1`` for version ``15.4``.
 This will be much faster than cloning the full repository, because some large files have been stored
 in the commit history.)
 
-``tox run -e docs`` will build the documentation at ``./build/sphinx/html``. This command requires the ``tox,``, ``sphinx`` and
+``./docbuild`` will build the documentation at ``./build/sphinx/html``. This command requires the ``sphinx`` and
 ``sphinx-book-theme`` Python packages (see the ``docs`` optional dependency in ``pyproject.toml``); 
-you can install the necessary packages with ``pip install -e ".[dev,docs]"``
+you can install the necessary packages with e.g. ``uv pip install -e ".[dev,docs]"``
 
 Copyright
 =========

docbuild

@@ -0,0 +1 @@
+sphinx-build -b html docs/ build/sphinx/html -W 

format

@@ -0,0 +1,2 @@
+python -m black src tests
+python -m isort src tests

pyproject.toml

@@ -1,5 +1,12 @@
 [build-system]
-requires = ["setuptools>=65.4.1", "setuptools_scm[toml]>=7"]
+requires = [
+    # NOTE: including build deps in the lockfile not yet directly by uv. Working around this by duplicating build deps
+    #       in project dependencies doesn't work either since using them via the lockfile requires
+    #       `--no-build-isolation` while installing, which itself requires setuptools.
+    #       See https://github.com/astral-sh/uv/issues/5190.
+    "setuptools>=65.4.1",
+    "setuptools_scm[toml]>=7",
+]
 build-backend = "setuptools.build_meta"
 
 [project]
@@ -16,10 +23,10 @@ classifiers = [
     "Intended Audience :: Science/Research",
     "License :: OSI Approved :: Apache Software License",
 ]
-requires-python = ">=3.9, <3.13"
+requires-python = ">=3.10, <3.13"
 dependencies = [
-    "numpy",
-    "packaging",
+    "numpy >= 2.2.1, < 3.0",
+    "packaging >= 24.2, < 25.0",
     "requests >= 2.28.2, < 3.0",
     "pydantic >= 2.4.2, < 3.0",
 ]
@@ -29,11 +36,6 @@ Homepage = "https://github.com/iqm-finland/iqm-client"
 Documentation = "https://iqm-finland.github.io/iqm-client"
 
 [project.optional-dependencies]
-# Add here additional requirements for extra features, to install with:
-# `pip install iqm-client[dev]`
-dev = [
-    "tox == 4.11.3",
-]
 testing = [
     "black == 23.11.0",
     "isort == 5.12.0",
@@ -53,6 +55,10 @@ docs = [
     "sphinx == 7.2.6",
     "sphinx-book-theme == 1.1.2",
 ]
+cicd = [
+    "build == 1.0.3",
+    "pip-licenses == 5.0.0",
+]
 
 
 [tool.setuptools_scm]