skills/uv-workflow/SKILL.md
Master uv package manager for Python: project setup, dependency management, virtual environments, lockfiles, CI/CD integration, Docker builds, and migration from pip/poetry. MUST BE USED when user mentions: "uv", "uv add", "uv run", "uv sync", "uv init", "uv lock", "uv venv", "uv pip", "pyproject.toml", "python project setup", "python dependencies", "virtual environment", "venv", "pip install", "poetry to uv", "migrate from pip", "lockfile python", "requirements.txt", "setup.py", "pip freeze", "uv tool", "install package", "add dependency", "python environment", "new python project", "package manager python", "create project", "uv export", "uv cache", "uv python". 10-100x faster than pip. Covers init, add, sync, lock, run, Docker, CI/CD. NOT for npm/pnpm/yarn (JS toolchain), Rust cargo, or deployment (use deployment-assistant).
```bash
npx skillsauth add aedelon/claude-code-blueprint uv-workflow
```
Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
Ultra-fast Python package installer and resolver written in Rust. 10-100x faster than pip.
```bash
# Project lifecycle
uv init my-project              # Create project
uv add requests pandas          # Add deps
uv add --dev pytest ruff        # Add dev deps
uv remove package               # Remove
uv sync                         # Install all from pyproject.toml
uv lock                         # Generate/update lockfile
uv run pytest                   # Run in venv (no activation needed)

# Virtual environments
uv venv                         # Create .venv
uv venv --python 3.12           # With specific Python
uv python install 3.12          # Install Python version
uv python pin 3.12              # Pin for project

# pip-compatible
uv pip install -r requirements.txt
uv pip freeze > requirements.txt
```
```bash
uv init my-project && cd my-project
uv python pin 3.12
uv add fastapi uvicorn pydantic
uv add --dev pytest ruff mypy black
mkdir -p src/my_project tests
uv run pytest
```
Creates: pyproject.toml, .python-version, uv.lock, .venv/
```toml
[project]
name = "my-project"
version = "0.1.0"
requires-python = ">=3.10"
dependencies = [
    "requests>=2.31.0",
    "pydantic>=2.0.0",
]

[project.optional-dependencies]
dev = [
    "pytest>=7.4.0",
    "ruff>=0.1.0",
    "mypy>=1.5.0",
]

[build-system]
requires = ["hatchling"]
build-backend = "hatchling.build"

[tool.uv]
dev-dependencies = []

[tool.uv.workspace]
members = ["packages/*"]  # For monorepos
```
```bash
uv lock                              # Create/update uv.lock
uv sync --frozen                     # Install exact versions (CI)
uv lock --upgrade                    # Upgrade all
uv lock --upgrade-package requests   # Upgrade one
uv lock --check                      # Verify lockfile is current
uv export --format requirements-txt > requirements.txt  # Export
```
Rule: Always commit uv.lock to version control.
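```dockerfile
FROM python:3.12-slim AS builder
# Pin this image to a specific uv version or digest rather than :latest for reproducible builds
COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv
WORKDIR /app
COPY pyproject.toml uv.lock ./
# Only the manifest and lockfile are present at this point, so install
# the locked dependencies but not the project itself
RUN uv sync --frozen --no-dev --no-editable --no-install-project

FROM python:3.12-slim
WORKDIR /app
COPY --from=builder /app/.venv .venv
COPY . .
ENV PATH="/app/.venv/bin:$PATH"
CMD ["python", "app.py"]
```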
```yaml
name: Tests
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v2
        with:
          enable-cache: true
      - run: uv python install 3.12
      # --frozen installs exactly what uv.lock records, without re-resolving
      - run: uv sync --frozen --all-extras --dev
      - run: uv run pytest
      - run: uv run ruff check .
```
```bash
# Before: pip install -r requirements.txt
# After:
uv init
uv add -r requirements.txt

# Before: poetry install
# After: uv already reads pyproject.toml
uv sync

# Before: pip-compile && pip-sync
# After:
uv lock && uv sync --frozen
```
| Command | Purpose |
|---------|---------|
| uv init | Initialize project |
| uv add PKG | Add dependency |
| uv add --dev PKG | Add dev dependency |
| uv remove PKG | Remove dependency |
| uv sync | Install all deps |
| uv sync --frozen | Install exact (CI) |
| uv lock | Create/update lockfile |
| uv run CMD | Run in venv |
| uv venv | Create venv |
| uv python install | Install Python |
| uv python pin | Pin Python version |
| uv cache clean | Clear cache |
- uv run instead of activating venv
- uv.lock to git
- --frozen in CI for reproducible builds
- .python-version
- requirements.txt for compatibility when needed

development
Proactive security audit: OWASP top 10, dependency vulnerabilities, secrets detection, input validation, auth patterns, and secure defaults. MUST BE USED when user mentions: "security", "vulnerability", "audit", "OWASP", "CVE", "security review", "pentest", "injection", "XSS", "CSRF", "authentication", "authorization", "secrets", "hardcoded password", "secure", "npm audit", "pip-audit", "check security", "is this secure", "security risk", "data leak", "SQL injection", "command injection", "path traversal", "SSRF", "RCE", "privilege escalation", "supply chain", "dependency scan", "snyk", "trivy", "semgrep", "bandit". Scans code for vulnerabilities, checks dependencies, verifies auth patterns. NOT for explaining security concepts (use pedagogical-explain), or general code review (use code-review).
development
Conduct rigorous research with proper citations (DOI, arXiv, PMID) and source triangulation. MUST BE USED when user asks: "what is SOTA", "recent developments", "compare X vs Y", "is it true that", "research says", "latest papers on", "scientific evidence", "studies show", "state of the art", "literature review", "find papers", "academic research", "benchmark results", "who published", "when was X released", "current best", "what does the research say", "evidence for", "peer reviewed". Searches multiple sources, evaluates reliability, states confidence level. NOT for verifying API signatures (use anti-hallucination) or general web search (use WebSearch directly).
development
Debug errors systematically by searching first, then analyzing, then proposing verified solutions. MUST BE USED when user reports: "error", "bug", "doesn't work", "fails", "crash", stack traces, exception messages, or any troubleshooting scenario. Triggers: "TypeError", "ImportError", "undefined is not a function", "segfault", "panic", "broken", "not working", "unexpected behavior", "regression", "failing", "exception", "traceback", "stack trace", "debug this", "why does this fail", "help me fix". Also enforces confidence levels and output templates. Prevents guessing solutions without research.
development
Ship workflow: review changes, generate conventional commit messages, push, and create PRs. MUST BE USED when user says: "commit", "git commit", "commit this", "save changes", "commit message", "ship", "ship it", "push", "create PR", "pull request", "ready to merge", "deploy this", "stage changes", "what changed", "review my changes", "conventional commit", or after completing a coding task. Reviews changes, generates commit, optionally pushes and creates PR. NOT for git branching/rebasing (use git-workflow), code review (use review command), or deployment configuration (use deployment-assistant).