adds integration for tox-uv and updates workflows to use tox-uv

[RobotSail]

The existing codebase uses tox to handle various scripting workflows under-the-hood, but this leads to slow CI runs and other things.

But tox uses the native python system instead of uv even when a user is using uv. This PR changes the behavior so tox uses uv under the hood.

Summary by CodeRabbit

• Chores
  • Updated internal CI/CD build infrastructure to use streamlined package management tools.
  • Modified development environment setup and testing configuration.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

The changes migrate build and test workflows from pip and Python venv to uv for package management and virtual environment creation. This includes updating GitHub Actions workflows, dependency constraints, and tox configuration to use uv commands and the tox-uv plugin instead of tox-current-env.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflow Updates .github/actions/run-smoke/action.yml, .github/workflows/lint.yml, .github/workflows/unit.yaml	Add astral-sh/setup-uv@v4 step with caching enabled; replace python -m venv with uv venv; replace pip install with uv pip install; remove tox-current-env references; update step titles to reflect uv-based flow.
Dependency Constraints constraints-dev.txt	Replace tox-current-env with tox-uv; add type stub packages (types-python-dateutil, types-pyyaml, types-requests, types-tqdm); add triton and trl dependencies.
Development Requirements requirements-dev.txt	Replace tox>=4.4.2 and tox-current-env with tox>=4 and tox-uv.
Tox Configuration tox.ini	Add requires = tox>=4, tox-uv; set runner = uv-venv-runner and uv_seed = true; change install_command to use uv pip install; add PATH to passenv; set basepython = python3.11 for py3-unit and py3-smoke testenvs.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~20 minutes

• Note: Changes follow a consistent pattern of replacing pip/venv tooling with uv across multiple files. While spread across several configuration types, the modifications are largely homogeneous and mechanical (tool substitution rather than logic changes).

Poem

🐰 A speedy uv emerges bright,
Where pip and venv once did fight,
Faster builds in morning light,
Constraints and tox now dance just right!
🚀 The workflows zoom with pure delight!

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically summarizes the main change: integration of tox-uv and updating workflows to use it, which directly aligns with all the file modifications across GitHub Actions and tox configuration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

tox.ini (1)

30-37: Consider consistent indentation style.

The passenv section uses tab indentation (lines 34-37), while other parts of the file may use spaces. While tox.ini can handle both, consistent indentation improves readability and prevents potential parsing issues.

🔎 Check indentation consistency across the file

#!/bin/bash
# Check for mixed tab/space indentation in tox.ini
echo "=== Lines with tabs ==="
grep -n $'\t' tox.ini | head -20

echo -e "\n=== Lines with leading spaces ==="
grep -n '^[[:space:]]' tox.ini | grep -v $'\t' | head -20

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 638a753 and 49da70e.

📒 Files selected for processing (6)

• .github/actions/run-smoke/action.yml (3 hunks)
• .github/workflows/lint.yml (1 hunks)
• .github/workflows/unit.yaml (1 hunks)
• constraints-dev.txt (1 hunks)
• requirements-dev.txt (1 hunks)
• tox.ini (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Summary

🔇 Additional comments (15)

.github/workflows/unit.yaml (2)

74-74: LGTM: UV venv creation.

The migration from python -m venv --upgrade-deps to uv venv is correct. UV manages its own dependency resolution, so the --upgrade-deps flag is no longer needed.

---

76-76: LGTM: UV-based package installation.

The installation command correctly uses uv pip install and includes both tox and tox-uv with the constraints file.

.github/workflows/lint.yml (2)

80-82: LGTM: UV-based environment setup.

The migration to UV for virtual environment creation and package installation is correctly implemented.

---

86-86: LGTM: Virtual environment activation added.

Adding the explicit venv activation ensures that the lint commands run in the correct environment.

tox.ini (5)

4-6: LGTM: Tox plugin requirements added.

The requires section correctly declares the tox-uv plugin dependency, ensuring it's available when tox runs.

---

21-23: LGTM: Install command migrated to UV.

The install_command correctly uses uv pip install with the constraints file, maintaining the existing line continuation format.

---

24-25: LGTM: PATH added to passenv.

Adding PATH to passenv ensures UV can locate system binaries and Python installations correctly.

---

52-58: LGTM: Smoke test environment configuration updated.

The basepython and PATH additions are consistent with the unit test environment configuration and support the UV-based workflow.

---

15-17: Both tox-uv configuration options are correct and valid.

The uv-venv-runner is the correct ID for the tox environments runner for environments not using a lock file. The uv_seed option controls whether pip, setuptools, and wheel are injected into the virtual environment. Both settings are properly configured for standard uv-based venv management without lock files.

.github/actions/run-smoke/action.yml (4)

35-37: LGTM: UV-based venv creation with Python version.

The venv creation correctly uses UV with the --python flag to specify the Python version from inputs, and the package installation uses uv pip install.

---

49-49: LGTM: Torch dependencies installation migrated to UV.

The torch and build dependencies installation correctly uses uv pip install with the constraints file.

---

69-69: LGTM: Removed --current-env flag.

The --current-env flag is correctly removed since tox-uv handles environment management differently than the previous tox-current-env plugin.

---

56-57: The --no-build-isolation usage on line 56 is appropriate and necessary for this workflow. As an escape hatch, you can preinstall a package's build dependencies, then run uv pip install with --no-build-isolation, which is exactly what this code does. Line 49 pre-installs torch, packaging, setuptools, wheel, and other dependencies needed by flash-attn, and the code comments (lines 39-43) explain that flash-attn requires this approach due to a bug in its setup.py. The pattern is correctly implemented and follows uv's recommended approach for handling packages with undeclared build-time dependencies.

requirements-dev.txt (1)

13-14: The changes align with official tox guidance. Official tox documentation indicates that tox>=4 and tox-uv>=1 are automatically provisioned together, confirming that relaxing the tox constraint to >=4 is compatible with tox-uv. Consider pinning tox-uv to a minimum version (e.g., tox-uv>=1) for better reproducibility, though this is optional.

constraints-dev.txt (1)

188-189: Pinned versions are compatible and stable.

tox-uv 1.25.0 is a tox 4.x plugin compatible with tox 4.29.0, and tox 4.29.0 is a stable release from August 29, 2025. No further action needed.

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major

Pin the third-party action to a commit SHA for security.

The astral-sh/setup-uv@v4 action uses a mutable tag reference. For security best practices, pin it to a specific commit SHA to ensure immutable and auditable dependencies.

🔎 Verification script to find the latest commit SHA for v4

#!/bin/bash
# Fetch the latest commit SHA for the v4 tag of astral-sh/setup-uv
gh api repos/astral-sh/setup-uv/git/refs/tags/v4 --jq '.object.sha // .object.url' | \
  xargs -I {} sh -c 'if [[ {} == https://* ]]; then gh api {} --jq .object.sha; else echo {}; fi'

🤖 Prompt for AI Agents

.github/actions/run-smoke/action.yml around lines 25 to 28: the workflow is
referencing the third‑party action using a mutable tag (astral-sh/setup-uv@v4);
replace the tag with the specific commit SHA for the v4 release to pin the
action immutably. Determine the correct commit SHA for the v4 tag (for example
via the provided gh api snippet), then update the uses line to use
astral-sh/setup-uv@<commit-sha> and keep the existing with: enable-cache: true
unchanged.

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major

Pin the third-party action to a commit SHA for security.

The astral-sh/setup-uv@v4 action uses a mutable tag reference. For consistency with other actions in this workflow (lines 63, 69) and security best practices, pin it to a specific commit SHA.

🔎 Verification script to find the latest commit SHA for v4

#!/bin/bash
# Fetch the latest commit SHA for the v4 tag of astral-sh/setup-uv
gh api repos/astral-sh/setup-uv/git/refs/tags/v4 --jq '.object.sha // .object.url' | \
  xargs -I {} sh -c 'if [[ {} == https://* ]]; then gh api {} --jq .object.sha; else echo {}; fi'

🤖 Prompt for AI Agents

.github/workflows/lint.yml lines 73 to 76: the workflow references the external
action using a mutable tag `astral-sh/setup-uv@v4`; replace this with the action
pinned to the specific commit SHA for the v4 tag (e.g.,
`astral-sh/setup-uv@<commit-sha>`). Obtain the latest commit SHA for the v4 tag
(using the provided verification script or `gh`/GitHub API), then update the
`uses:` line to use that SHA so the action is immutable and consistent with
other pinned actions in the file.

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major

Pin the third-party action to a commit SHA for security.

The astral-sh/setup-uv@v4 action uses a mutable tag reference. For consistency with other actions in this workflow (lines 56, 61) and security best practices, pin it to a specific commit SHA.

🔎 Verification script to find the latest commit SHA for v4

#!/bin/bash
# Fetch the latest commit SHA for the v4 tag of astral-sh/setup-uv
gh api repos/astral-sh/setup-uv/git/refs/tags/v4 --jq '.object.sha // .object.url' | \
  xargs -I {} sh -c 'if [[ {} == https://* ]]; then gh api {} --jq .object.sha; else echo {}; fi'

🤖 Prompt for AI Agents

.github/workflows/unit.yaml lines 65-68: the workflow pins astral-sh/setup-uv to
the mutable tag v4; replace the tag with the specific commit SHA (e.g.,
astral-sh/setup-uv@<commit-sha>) to avoid mutable references — run the provided
gh script to fetch the current v4 commit SHA, update the uses field to that SHA,
and ensure formatting matches the surrounding actions pinned earlier in the
file.