devcontainer: install pre-commit via uv, drop pip from the flow #129
Merged
Dockerfile installs pre-commit through `uv tool install` alongside ruff/ty, so the devcontainer has a single Python package manager (uv) — no more `pip install --user` in post-create. Sets UV_PYTHON_INSTALL_DIR to a world-readable path; uv's default ($HOME/.local/share/uv/python) is under /root mode 700 when install runs as root, and a pre-commit shebang resolving into that path makes `pre-commit` fail with "bad interpreter: Permission denied" for the vscode user. ruff and ty are standalone binaries and don't actually invoke the symlinked Python, which is why this only surfaces with pure-Python tools.
post-create.sh swaps `$HOME/.local/bin/pre-commit install` for plain `pre-commit install` since the binary is on PATH at image-build time.
README: "What's inside" now lists uv/ruff/ty alongside the older tools, the ty CI row reflects the pinned `uvx ty@<pin> check` invocation, and the Renovate paragraph names the actual groups (Bazel, Go, GitHub Actions, language SDKs, ruff) plus the ungrouped tracked deps (ty, pre-commit, buildifier, bazelisk, uv image tag).
pyproject.toml: drops the "as it is added in later PRs" forward-looking phrasing now that ruff and ty are both present, and removes the inaccurate "Strict mode" line on [tool.ty] (the actual block leaves rule severities at ty's defaults — the contradiction was a leftover from the first draft).
meta/scripts/smoke_py/BUILD.bazel: corrects the DELETE TRIGGER from "PR-1 followup" to "when gazelle_python is wired (B4)", matching the canonical pointer in docs/future-considerations.md.
Summary
Final piece of the Python tooling bootstrap (continuation plan PR 5). Replaces the host-style `pip install --user pre-commit` in `post-create.sh` with a system-level `uv tool install pre-commit` in the Dockerfile, so the devcontainer carries one Python package manager (uv) instead of two.
- Dockerfile: chains `uv tool install pre-commit` after the existing ruff + ty installs. `PRE_COMMIT_VERSION` is Renovate-tracked (pypi).
- Dockerfile: sets `UV_PYTHON_INSTALL_DIR=/usr/local/share/uv-python` so uv's managed Python interpreter lands in a world-readable location. Without this, uv's default (`$HOME/.local/share/uv/python`) is `/root/.local/...` (mode 700) when install runs as root. Pre-commit's per-tool venv has a `bin/python` symlink into that path; the pre-commit launcher's shebang then targets a directory the vscode user can't traverse and fails with `bad interpreter: Permission denied`. ruff and ty avoid this because they're standalone binaries that don't actually invoke the symlinked Python.
- post-create.sh: drops the `pip install --user --no-warn-script-location pre-commit` line; the `"$HOME/.local/bin/pre-commit" install` invocation becomes plain `pre-commit install` since the binary is on PATH at image-build time.
- `pip` no longer appears in any imperative line of the devcontainer flow — only in prose comments and shell `set -euo pipefail`. `uv sync` (added in PR #126) stays as the editor-LSP enabler.
Test plan
Performed in a freshly recreated container (`--build-no-cache`, `docker rm -f` of the prior container — `devcontainer up` alone reuses a running container even with `--build-no-cache`):
- `which pre-commit` → `/usr/local/bin/pre-commit` (was `/home/vscode/.local/bin/pre-commit` previously)
- `pre-commit --version` → 4.6.0
- `ruff format --check .` clean
- `ruff check .` clean
- `ty check` clean
- `python3 meta/scripts/check_modules.py` reports consistent
- `bazel test //...` — 11/11 pass
- `bazel run //:gazelle -- -mode=diff` clean
- `pre-commit run --all-files` clean
Out of scope
`rules_python_gazelle_plugin` release.
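An added example, not part of this PR or the project's scripts: a POSIX shell check for the failure described above, where a launcher's shebang resolves into a directory other users cannot traverse. It inspects mode bits, so it is meant to run as root at image-build time; the function names and the optional stop-directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the PR): find the directory that makes a tool's
# shebang interpreter unreachable for a non-root user such as vscode.

# Print the interpreter named on the first line; empty for ELF binaries.
shebang_interpreter() {
    LC_ALL=C head -n 1 "$1" |
        LC_ALL=C sed -n 's/^#![[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Walk from the path's directory up to $2 (default /) and print the first
# directory without the other-execute bit. Returns 1 when one is found.
first_blocked_dir() {
    dir=$(dirname "$1"); stop=${2:-/}
    while :; do
        bit=$(ls -ld "$dir" 2>/dev/null | cut -c10)  # 10th mode char = other-x
        case $bit in
            x|t) ;;                                  # t = sticky bit plus x
            *) printf '%s\n' "$dir"; return 1 ;;
        esac
        case $dir in "$stop"|/|.) return 0 ;; esac
        dir=$(dirname "$dir")
    done
}

# Check the literal shebang path and its symlink target: the venv's
# bin/python can be reachable while the interpreter it links to is not.
check_launcher() {
    interp=$(shebang_interpreter "$1")
    [ -n "$interp" ] || { echo "no-shebang"; return 2; }
    target=$(readlink -f "$interp") || { echo "unresolvable: $interp"; return 1; }
    for p in "$interp" "$target"; do
        if ! blocked=$(first_blocked_dir "$p" "${2:-/}"); then
            echo "blocked: $blocked"; return 1
        fi
    done
    echo "ok: $interp"
}

# Usage (as root, e.g. in a Dockerfile RUN): sh check.sh "$(command -v pre-commit)"
if [ "$#" -gt 0 ]; then check_launcher "$@"; fi
```

A `no-shebang` result is expected for standalone binaries such as ruff and ty, which is why they never hit this failure.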