feat: migrate to uv with lockfile for supply chain security

.github/workflows/pre-commit.yml

@@ -14,16 +14,11 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Set up Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: "3.12"
+      - name: Install uv
+        uses: astral-sh/setup-uv@e58605a9b6da7c637471fab8847a5e5a6b8df081 # v5
 
       - name: Install dependencies
-        run: |
-          python -m pip install pip==26.0.1
-          pip install -e ".[dev]"
+        run: uv sync --frozen --extra dev
 
       - name: Run pre-commit
-        run: |
-          pre-commit run --all-files --show-diff-on-failure
+        run: uv run pre-commit run --all-files --show-diff-on-failure

.github/workflows/test.yml

@@ -9,26 +9,14 @@ on:
 jobs:
   test:
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        python-version: ["3.12"]
-
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: ${{ matrix.python-version }}
-
-      - name: Install dependencies
-        run: |
-          python -m pip install pip==26.0.1
-          pip install -e ".[test]"
+      - name: Install uv
+        uses: astral-sh/setup-uv@e58605a9b6da7c637471fab8847a5e5a6b8df081 # v5
 
       - name: Run tests
-        run: |
-          pytest -xv -m "not slow and not performance" --cov=src --cov-report=xml --cov-report=html
+        run: uv run --frozen --extra test pytest -xv -m "not slow and not performance" --cov=src --cov-report=xml --cov-report=html
 
       - name: Upload coverage to Codecov
         uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
@@ -43,13 +31,8 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - name: Set up Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: "3.12"
+      - name: Install uv
+        uses: astral-sh/setup-uv@e58605a9b6da7c637471fab8847a5e5a6b8df081 # v5
 
       - name: Audit dependencies for known vulnerabilities
-        run: |
-          python -m pip install pip==26.0.1
-          pip install -e ".[dev,test,performance]"
-          pip-audit
+        run: uv run --frozen --extra dev --extra test --extra performance pip-audit

.pre-commit-config.yaml

@@ -62,3 +62,10 @@ repos:
         types: [python]
         pass_filenames: true
         exclude: ^(src/inference_endpoint/openai/openai_types_gen.py)$
+
+      - id: uv-lock-check
+        name: Check uv.lock is up-to-date
+        entry: uv lock --check
+        language: system
+        pass_filenames: false
+        files: ^pyproject\.toml$

.python-version

@@ -0,0 +1 @@
+3.12

AGENTS.md

@@ -9,7 +9,11 @@ High-performance benchmarking tool for LLM inference endpoints targeting 50k+ QP
 ## Common Commands
 
 ```bash
-# Development setup
+# Development setup (uv — recommended)
+uv sync --extra dev --extra test
+uv run pre-commit install
+
+# Development setup (pip — still works)
 python3.12 -m venv venv && source venv/bin/activate
 pip install -e ".[dev,test]"
 pre-commit install
@@ -32,6 +36,9 @@ inference-endpoint probe --endpoints http://localhost:8765 --model test-model
 inference-endpoint benchmark offline --endpoints URL --model NAME --dataset PATH
 inference-endpoint benchmark online --endpoints URL --model NAME --dataset PATH --load-pattern poisson --target-qps 100
 inference-endpoint benchmark from-config --config config.yaml
+
+# Or with uv (auto-creates venv, uses lockfile)
+uv run inference-endpoint benchmark offline --endpoints URL --model NAME --dataset PATH
 ```
 
 ## Architecture
@@ -347,5 +354,5 @@ Known failure modes when AI tools generate code for this project. Reference thes
 
 ### Dependency & Environment
 
-- **Adding new dependencies without justification**: AI may `pip install` or add imports for packages not in `pyproject.toml`. Any new dependency must be justified, added to the correct optional group, and pinned to an exact version (`==`). After adding a dependency, run `pip-audit` (included in `dev` extras) to verify it has no known vulnerabilities.
+- **Adding new dependencies without justification**: AI may `pip install` or add imports for packages not in `pyproject.toml`. Any new dependency must be justified, added to the correct optional group, and pinned to an exact version (`==`). After adding a dependency, run `pip-audit` (included in `dev` extras) to verify it has no known vulnerabilities. When adding dependencies, use `uv add <package>==<version>` to update both `pyproject.toml` and `uv.lock` atomically, then run `uv run pip-audit` to check for vulnerabilities.
 - **Using `requests`/`aiohttp` for HTTP**: This project has its own HTTP client (`endpoint_client/http.py`) using `httptools`. AI defaults to `requests` or `aiohttp` — these should not appear in production code (test dependencies are fine).

README.md

@@ -13,7 +13,27 @@ A high-performance benchmarking tool for LLM endpoints.
 # Note: This repo will be migrated to https://github.com/mlcommons/endpoints
 git clone https://github.com/mlcommons/endpoints.git
 cd endpoints
+```
+
+**Option A: uv (recommended)** — faster, lockfile-verified dependencies
+
+```bash
+# As a user
+uv sync
+
+# As a developer (with development and test extras)
+uv sync --extra dev --extra test
+uv run pre-commit install
 
+# Activate the venv to use python/pytest/etc. directly (optional)
+source .venv/bin/activate
+pytest -m "not performance and not run_explicitly"
+inference-endpoint --help
+```
+
+**Option B: pip + venv**
+
+```bash
 # Create virtual environment
 python3.12 -m venv venv
 source venv/bin/activate
@@ -83,10 +103,11 @@ See [Local Testing Guide](docs/LOCAL_TESTING.md) for detailed instructions.
 ### Running Tests and Examples
 
 ```bash
-# Install test dependencies
-pip install ".[test]"
+# With uv (after uv sync --extra test)
+uv run pytest -m "not performance and not run_explicitly"
 
-# Run tests (excluding performance and explicit-run tests)
+# With pip (activate venv first)
+pip install ".[test]"
 pytest -m "not performance and not run_explicitly"
 
 # Run examples: follow instructions in examples/*/README.md

pyproject.toml

@@ -1,6 +1,20 @@
 [build-system]
-requires = ["setuptools==78.1.1", "wheel==0.46.3"]
-build-backend = "setuptools.build_meta"
+requires = ["uv_build>=0.7.6,<0.8"]
+build-backend = "uv_build"
+
+[tool.uv]
+index-url = "https://pypi.org/simple"
+environments = [
+    "sys_platform == 'linux' and platform_machine == 'x86_64'",
+    "sys_platform == 'linux' and platform_machine == 'aarch64'",
+    "sys_platform == 'darwin' and platform_machine == 'x86_64'",
+    "sys_platform == 'darwin' and platform_machine == 'arm64'",
+]
+
+[tool.uv.build]
+module-root = "src"
+data = {"inference_endpoint" = ["config/templates/*.yaml"]}
+exclude = ["evaluation/livecodebench/_server.py"]
 
 [project]
 name = "inference-endpoint"
@@ -112,21 +126,6 @@ Documentation = "https://github.com/mlperf/inference-endpoint#readme"
 Repository = "https://github.com/mlperf/inference-endpoint.git"
 Issues = "https://github.com/mlperf/inference-endpoint/issues"
 
-[tool.setuptools.packages.find]
-where = ["src"]
-
-[tool.setuptools.package-dir]
-"" = "src"
-
-[tool.setuptools.package-data]
-inference_endpoint = ["config/templates/*.yaml"]
-
-[tool.setuptools.exclude-package-data]
-"inference_endpoint.evaluation.livecodebench" = ["_server.py"]
-
-[tool.autopep8]
-max_line_length = 88
-
 [tool.ruff]
 target-version = "py312"
 line-length = 88

scripts/Dockerfile.dev

@@ -5,20 +5,25 @@
 
 FROM python:3.12.11-slim
 
+# Copy uv binary from official image
+COPY --from=ghcr.io/astral-sh/uv:0.7.6 /uv /uvx /bin/
+
 # Set environment variables
 ENV PYTHONUNBUFFERED=1 \
     PYTHONDONTWRITEBYTECODE=1 \
-    PIP_NO_CACHE_DIR=1 \
-    PIP_DISABLE_PIP_VERSION_CHECK=1
+    UV_COMPILE_BYTECODE=1 \
+    UV_LINK_MODE=copy
 
 # Install system dependencies
 RUN apt-get update && \
-    apt-get install -y  --no-install-recommends build-essential procps \
+    apt-get install -y --no-install-recommends build-essential procps \
     && rm -rf /var/lib/apt/lists/*
 
 RUN mkdir /mnt/inference-endpoint
 WORKDIR /mnt/inference-endpoint
-COPY pyproject.toml .
+
+# Copy lockfile + project metadata first for Docker layer caching
+COPY pyproject.toml uv.lock .python-version ./
 COPY src/ ./src/
 
 # Create a non-root user for security
@@ -33,4 +38,4 @@ RUN if ! getent group ${GROUP_ID}; then \
 USER appuser
 ENV PATH="/home/appuser/.local/bin:$PATH"
 
-RUN pip install -e .[dev,test]
+RUN uv sync --frozen --extra dev --extra test