Migrate from uv to Poetry for dependency management

Replaced uv with Poetry for dependency management and updated related documentation, Makefile targets, and CI workflows. Added poetry.lock, removed MANIFEST.in and constraints.txt, and updated .gitignore. Enhanced Dependabot and GitHub Actions to support Poetry. Updated CHANGELOG and README to reflect the new build and install process.

Author: kyhau

.codecov.yml

@@ -10,6 +10,3 @@ coverage:
 comment:
   layout: "header, diff"
   behavior: default
-ignore:
-  - "**/file_io.py"
-  - "**/selector.py"

.github/dependabot.yml

@@ -22,3 +22,16 @@ updates:
       time: "09:00"
       timezone: Australia/Melbourne
     open-pull-requests-limit: 1
+
+  - package-ecosystem: poetry
+    directory: "/"
+    groups:
+      all-dependencies:
+        patterns:
+          - "*"
+    schedule:
+      interval: weekly
+      time: "09:30"
+      timezone: Australia/Melbourne
+    open-pull-requests-limit: 1
+    

.github/workflows/build-and-test.yml

@@ -28,7 +28,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: [3.13, 3.12, 3.11]
+        python-version: ["3.11", "3.12", "3.13"]
 
     steps:
       - name: Checkout source
@@ -42,6 +42,15 @@ jobs:
       - name: Install dependencies
         run: make install-test-deps
 
-      - name: Run tests with Makefile
-        run: |
-          make test-coverage
+      - name: Run tests with coverage
+        run: make test-coverage
+
+      - name: Upload coverage to Codecov
+        if: matrix.python-version == '3.13'
+        uses: codecov/codecov-action@v5
+        with:
+          file: ./coverage.xml
+          flags: unittests
+          name: codecov-umbrella
+          fail_ci_if_error: false
+          token: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/codeql-analysis.yml

@@ -13,23 +13,13 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@master
-        with:
-          # We must fetch at least the immediate parents so that if this is
-          # a pull request then we can checkout the head.
-          fetch-depth: 2
-
-      # If this run was triggered by a pull request event, then checkout
-      # the head of the pull request instead of the merge commit.
-      - run: git checkout HEAD^2
-        if: ${{ github.event_name == 'pull_request' }}
+        uses: actions/checkout@v5
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3
-        # Override language selection by uncommenting this and choosing your languages
-        # with:
-        #   languages: go, javascript, csharp, python, cpp, java
+        with:
+          languages: python
 
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)

.github/workflows/dependabot-auto-approve-merge.yml

@@ -12,7 +12,7 @@ jobs:
     steps:
       - name: Dependabot metadata
         id: metadata
-        uses: dependabot/fetch-metadata@v2.4.0
+        uses: dependabot/fetch-metadata@v2
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
 
@@ -23,8 +23,8 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Enable auto-merge for Dependabot PRs
-        # if: ${{contains(steps.metadata.outputs.dependency-names, 'my-dependency') && steps.metadata.outputs.update-type == 'version-update:semver-patch'}}
-        run: gh pr merge --auto --merge "$PR_URL"
+        # Auto-merge will wait for required status checks (tests) to pass
+        run: gh pr merge --auto --squash "$PR_URL"
         env:
           PR_URL: ${{ github.event.pull_request.html_url }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -1,93 +1,51 @@
-# Byte-compiled / optimized / DLL files
+# Python
 __pycache__/
 *.py[cod]
 *$py.class
-
-# C extensions
 *.so
 
-# Distribution / packaging
-.Python
-env/
+# Virtual Environments
+.venv/
+venv/
+
+# Distribution / Packaging
 build/
-develop-eggs/
 dist/
-downloads/
 eggs/
 .eggs/
-lib/
-lib64/
-parts/
-sdist/
-var/
 *.egg-info/
-.installed.cfg
 *.egg
 
-# PyInstaller
-#  Usually these files are written by a python script from a template
-#  before PyInstaller builds the exe, so as to inject date/other infos into it.
-*.manifest
-*.spec
-
-# Installer logs
-pip-log.txt
-pip-delete-this-directory.txt
-
-# Unit test / coverage reports
-htmlcov/
-.tox/
+# Testing
+.pytest_cache/
 .coverage
 .coverage.*
-.cache
-nosetests.xml
-coverage-*.xml
-*,cover
-.hypothesis/
-junit-*.xml
-
-# Translations
-*.mo
-*.pot
+htmlcov/
+coverage.xml
+junit.xml
 
-# Django stuff:
+# Logs
 *.log
-local_settings.py
-
-# Flask stuff:
-instance/
-.webassets-cache
 
-# Scrapy stuff:
-.scrapy
-
-# Sphinx documentation
-docs/_build/
-
-# PyBuilder
-target/
-
-# IPython Notebook
-.ipynb_checkpoints
-
-# pyenv
-.python-version
-
-# celery beat schedule file
-celerybeat-schedule
-
-# dotenv
+# Environment Variables (Security)
 .env
+.env.*
+!.env.example
 
-# virtualenv
-venv/
-ENV/
+# Python Version Management
+.python-version
 
-# Spyder project settings
-.spyderproject
+# Poetry
+poetry.toml
+__pypackages__/
 
-# Rope project settings
-.ropeproject
+# IDE
 .idea/
-junit.xml
-coverage.xml
+.vscode/
+*.swp
+*.swo
+*~
+
+# OS
+.DS_Store
+Thumbs.db

CHANGELOG.md

@@ -1,6 +1,12 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+1.1.1 - 2025-10-12
+==================
+- Migrated from `uv` to Poetry for dependency management to enable Dependabot support
+- Added `make update-deps` and `make lock` targets for dependency management
+- Updated build system to use Poetry while maintaining setuptools compatibility
+
 1.1.0 - 2024-12-21
 ==================
 - Supported new option `--browser-autofill|-b` to enable browser-autofill in saml2aws

MANIFEST.in

@@ -1,44 +1,49 @@
 # saml2aws-multi Makefile - Unit Testing Focus
 # Provides targets for running unit tests locally
 
-.PHONY: help test test-coverage clean install-test-deps yamllint build check-uv
+.PHONY: help test test-coverage clean clean-all install-test-deps yamllint build check-poetry setup-venv update-deps lock
 
 # Default target
 help: ## Show this help message
 	@echo "Available targets:"
 	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "  \033[36m%-20s\033[0m %s\n", $$1, $$2}'
 
 # Variables
-UV := uv
-PYTHON := $(UV) run python
-PIP := $(UV) run pip
-PYTEST := $(UV) run pytest
-BUILD := $(UV) run python -m build
+POETRY := poetry
+PYTHON := $(POETRY) run python
+PYTEST := $(POETRY) run pytest
+BUILD := $(POETRY) build
 
-# Check if uv is available, install if not
-check-uv:
-	@which uv > /dev/null || (echo "Installing uv..." && pip install uv)
+# Check if poetry is available, install if not
+check-poetry:
+	@which poetry > /dev/null || (echo "Installing Poetry..." && pip install --user poetry && echo "Poetry installed successfully!")
+
+# Configure Poetry to use project-local venv (run once)
+setup-venv: check-poetry ## Configure Poetry to use .venv in project directory
+	@echo "Configuring Poetry for project-local virtualenv..."
+	$(POETRY) config virtualenvs.in-project true
+	@echo "Poetry will now create .venv/ in the project directory"
+	@echo "This isolates dependencies from your global Python environment"
 
 # Installation targets
-install-test-deps: check-uv ## Install test dependencies
+install-test-deps: check-poetry ## Install test dependencies
 	@echo "Installing test dependencies..."
-	$(PIP) install -e ".[test]"
+	$(POETRY) install --with test
 	@echo "Dependencies installed."
 
-install-deps: check-uv ## Install project dependencies
+install-deps: check-poetry ## Install project dependencies
 	@echo "Installing project dependencies..."
-	$(PIP) install -e .
+	$(POETRY) install
 	@echo "Dependencies installed."
 
 # Build targets
-build: check-uv ## Build the package
+build: check-poetry ## Build the package
 	@echo "Building package..."
 	$(BUILD)
 	@echo "Package built successfully."
 
 # Run targets (removed - awslogin is an interactive CLI tool)
 
-
 # Testing targets
 test: install-test-deps ## Run unit tests without coverage
 	@echo "Running unit tests..."
@@ -52,6 +57,17 @@ test-coverage: install-test-deps ## Run unit tests with coverage reporting
 yamllint: ## Run yamllint on GitHub workflow files
 	yamllint -c .github/linters/.yaml-lint.yaml .github/
 
+# Dependency management
+update-deps: check-poetry ## Update dependencies to latest compatible versions
+	@echo "Updating dependencies..."
+	$(POETRY) update
+	@echo "Dependencies updated in poetry.lock"
+
+lock: check-poetry ## Regenerate poetry.lock from pyproject.toml
+	@echo "Regenerating lock file..."
+	$(POETRY) lock --no-update
+	@echo "Lock file regenerated"
+
 # Cleanup targets
 clean: ## Clean test artifacts, build artifacts and temporary files
 	rm -rf .coverage*
@@ -60,9 +76,17 @@ clean: ## Clean test artifacts, build artifacts and temporary files
 	rm -rf htmlcov/
 	rm -rf build/
 	rm -rf dist/
+	rm -rf eggs/
+	rm -rf .eggs/
 	rm -rf *.egg-info/
+	rm -rf *.egg
+	rm -rf .pytest_cache/
 	find . -type d -name __pycache__ -exec rm -rf {} +
-	find . -type f -name "*.pyc" -delete
+	find . -type f -name "*.py[cod]" -delete
+
+clean-all: ## Clean everything including virtual environment
+	$(MAKE) clean
+	rm -rf .venv/
 
 # Default target when no target is specified
 .DEFAULT_GOAL := help