feat(python-sdk): Move to packaging with pyproject.toml

[abhiaagarwal]

Description

Migrates to modern packaging for the OpenFGA python client. Mostly done to get rid of the transitive dependencies of setuptools and build that the current package installs.

References

Closes #548

Review Checklist

• I have clicked on "allow edits by maintainers".
• I have added documentation for new/changed functionality in this PR or in a PR to openfga.dev [Provide a link to any relevant PRs in the references section above]
• The correct base branch is being used, if not main
• I have added tests to validate that the change in functionality is working as expected

Summary by CodeRabbit

• Chores
  • Updated Python client build and test processes to use a new toolchain and Docker image.
  • Adjusted configuration to use a templated project file for Python clients.
  • Updated ignore rules to prevent certain files from being overwritten during code generation.
• Refactor
  • Replaced multiple static configuration and requirements files with a unified, templated project configuration.
• Cleanup
  • Removed legacy setup, requirements, and test requirements templates from the Python client configuration.

[evansims]

Hey @abhiaagarwal thanks a lot for taking a stab at this! Would this change have any effect on downstream users installing the package we may need to consider?

[Siddhant-K-code]

@evansims No breaking changes for downstream users. Modern pip versions (19.0+) fully support pyproject.toml, and the API/imports remain identical.

The main benefit is eliminating transitive setuptools and build dependencies that currently get installed unnecessarily. Users will see cleaner dependency resolution and faster installs.

Only consideration is users with very old pip (<18.1 from 2018) would need to upgrade, but this affects a negligible user base.

[abhiaagarwal]

I would be very surprised to see any breaking changes, this is only affects packaging. It will built/published as a wheel that any pip can install without any knowledge of pyproject.toml.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

The changes migrate the Python client SDK's packaging and build system from legacy setup.py/requirements.txt-based workflows to a modern, pyproject.toml-based approach using the uv toolchain. The Makefile, configuration, and template files are updated to eliminate old dependency files and scripts, and to introduce a mustache-templated pyproject.toml for project configuration.

Changes

File(s)	Change Summary
Makefile	Updated Python client build/test targets to use uv toolchain and Alpine-based image.
config/clients/python/.openapi-generator-ignore	Added setup.py, requirements.txt, and test-requirements.txt to ignore list.
config/clients/python/config.overrides.json	Switched from static pyproject.toml to templated pyproject.toml.mustache for SDK generation.
config/clients/python/template/pyproject.toml	Deleted static pyproject.toml configuration file.
config/clients/python/template/pyproject.toml.mustache	Added templated pyproject.toml with project metadata, dependencies, and tool configs.
config/clients/python/template/requirements.mustache	Deleted requirements template file.
config/clients/python/template/setup.mustache	Deleted setuptools setup.py template.
config/clients/python/template/test-requirements.mustache	Deleted test requirements template file.

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Developer
    participant Make as Makefile
    participant Docker as Docker (uv image)
    participant uv as uv toolchain

    Dev->>Make: make build-client-python / test-client-python
    Make->>Docker: Run uv-based Alpine image
    Docker->>uv: uv sync (install deps)
    Docker->>uv: uv run ruff check/format, pytest, build, etc.
    uv-->>Docker: Output results
    Docker-->>Dev: Build/test artifacts and reports

Loading

Assessment against linked issues

Objective	Addressed	Explanation
Migrate Python SDK to modern packaging using a dependency tool (uv/poetry) instead of requirements.txt/setup.py (#548)	✅
Remove unnecessary dependencies like build and setuptools from the runtime dependency tree (#548)	✅
Use pyproject.toml for configuration and dependency management (#548)	✅

Assessment against linked issues: Out-of-scope changes

No out-of-scope changes were found.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d75e112 and 803cd91.

📒 Files selected for processing (8)

• Makefile (1 hunks)
• config/clients/python/.openapi-generator-ignore (1 hunks)
• config/clients/python/config.overrides.json (1 hunks)
• config/clients/python/template/pyproject.toml (0 hunks)
• config/clients/python/template/pyproject.toml.mustache (1 hunks)
• config/clients/python/template/requirements.mustache (0 hunks)
• config/clients/python/template/setup.mustache (0 hunks)
• config/clients/python/template/test-requirements.mustache (0 hunks)

💤 Files with no reviewable changes (4)

• config/clients/python/template/test-requirements.mustache
• config/clients/python/template/requirements.mustache
• config/clients/python/template/setup.mustache
• config/clients/python/template/pyproject.toml

⏰ Context from checks skipped due to timeout of 90000ms (3)

• GitHub Check: build-and-test-go-sdk
• GitHub Check: build-and-test-java-sdk
• GitHub Check: build-and-test-dotnet-sdk

🔇 Additional comments (10)

config/clients/python/.openapi-generator-ignore (1)

18-20: LGTM - Correctly ignoring legacy packaging files.

The addition of setup.py, requirements.txt, and test-requirements.txt to the ignore patterns correctly prevents the OpenAPI generator from overwriting these legacy files, which aligns with the migration to pyproject.toml-based packaging.

config/clients/python/config.overrides.json (1)

17-19: LGTM - Properly configured templated pyproject.toml generation.

The configuration correctly replaces the static pyproject.toml with a mustache template that will generate the final pyproject.toml file dynamically, enabling project-specific customization.

config/clients/python/template/pyproject.toml.mustache (6)

22-55: LGTM - Well-structured project metadata section.

The project configuration properly uses mustache templating for dynamic values and includes comprehensive metadata including classifiers, keywords, and license information.

---

56-64: LGTM - Comprehensive development dependencies.

The development dependencies include all necessary tools for testing, linting, and type checking. The version constraints are appropriately set to ensure compatibility.

---

66-68: LGTM - Modern build system configuration.

Using hatchling as the build backend is a good choice for modern Python packaging, providing better performance and fewer dependencies compared to setuptools.

---

71-136: LGTM - Well-configured development tools.

The ruff configuration is comprehensive with appropriate exclusions, linting rules, and formatting settings. The line length of 88 and Python 3.10 target version align with modern Python practices.

---

137-146: LGTM - Comprehensive test configuration.

The pytest configuration properly sets up test paths, coverage reporting, and asyncio settings, which are essential for testing the async Python SDK.

---

46-51: Verify dependency versions for security and compatibility.

The runtime dependencies look reasonable, but please verify that these versions are current and secure:

• aiohttp>=3.9.3
• python-dateutil>=2.9.0
• opentelemetry-api>=1.25.0
• urllib3>=1.26.19,<3

#!/bin/bash
# Check for latest versions and security advisories for core dependencies

echo "Checking aiohttp..."
curl -s https://pypi.org/pypi/aiohttp/json | jq '.info.version'

echo "Checking python-dateutil..."
curl -s https://pypi.org/pypi/python-dateutil/json | jq '.info.version'

echo "Checking opentelemetry-api..."
curl -s https://pypi.org/pypi/opentelemetry-api/json | jq '.info.version'

echo "Checking urllib3..."
curl -s https://pypi.org/pypi/urllib3/json | jq '.info.version'

# Check for security advisories
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: PIP, package: "aiohttp") {
    nodes {
      advisory { summary severity publishedAt }
      vulnerableVersionRange
      firstPatchedVersion { identifier }
    }
  }
}'

gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: PIP, package: "urllib3") {
    nodes {
      advisory { summary severity publishedAt }
      vulnerableVersionRange  
      firstPatchedVersion { identifier }
    }
  }
}'

Makefile (2)

125-129: LGTM - Modernized Python build process.

The migration to uv toolchain with the Alpine-based image is an excellent improvement. The UV_LINK_MODE=copy environment variable and sequential commands (uv sync, uv run ruff, uv build) properly implement the modern Python packaging workflow.

---

133-136: LGTM - Updated test workflow to use uv.

The test target correctly uses the same uv-based approach with proper dependency synchronization and tool execution. The pytest command maintains the existing coverage reporting requirements.

[evansims]

Sounds good, and makes total sense — thank you @abhiaagarwal and @Siddhant-K-code! Bandwidth has been a little tight this week, but give me a few to give this the attention it deserves and we'll follow up with you. Appreciate it!

[evansims]

LGTM! Updated to clear up a merge conflict and fix some formatting issues with the pyproject.toml output. Thanks very much for your contribution!