[MISC] Switch to uv #613

Open: wants to merge 9 commits into base: main

@sinclert-canonical (Contributor) commented May 9, 2025

This PR changes the tool used for dependency management from poetry to uv, following this PG-Bouncer example. Some of the main changes are:

  • Migrated from poetry-specific pyproject.toml syntax to standard Python project one.
  • Migrated from poetry-specific caret specifier (^) to standard compatible release specifier (~=).
  • Renamed dependency groups main to charm and charm-libs to just libs (revertible upon request).

Differences from PG-Bouncer PR:

  • The uv binary is installed via pip, instead of via snap (both @paulomach and myself prefer that way).
  • The tox_uv.toml file to cherry pick when dependencies are installed from pre-built packages has been ignored. Instead, all tox environments use pre-built packages, only installing from source when the charm gets packed.

Additional changes

  • Bumped ruff target python version to 3.10 + updated Python files format.

@sinclert-canonical added the enhancement label (New feature, UI change, or workload upgrade) May 9, 2025

@carlcsaposs-canonical (Contributor) left a comment

This will cause Dependabot vulnerability alerts to stop working, which Renovate uses to segment security updates from normal PRs (and to open security update PRs immediately, instead of waiting for the weekly schedule)

@dragomirp (Contributor)

> This will cause Dependabot vulnerability alerts to stop working, which Renovate uses to segment security updates from normal PRs (and to open security update PRs immediately, instead of waiting for the weekly schedule)

There's an experimental feature in renovate, osvVulnerabilityAlerts, that seems to work with uv. But IMHO, without a pressing need to switch (focal support), it might be best to discuss further at the sprint.

@carlcsaposs-canonical (Contributor)

> There's an experimental feature in renovate, osvVulnerabilityAlerts, that seems to work with uv. But IMHO, without a pressing need to switch (focal support), it might be best to discuss further at the sprint.

good to know

the docs for that feature mention

> You will only get OSV-based vulnerability alerts for direct dependencies.

which might be an issue—I'm not sure what renovate considers a direct dependency in this context. Would guess it would not include lockfile deps, but not sure

@sinclert-canonical (Contributor, Author)

> There's an experimental feature in renovate, osvVulnerabilityAlerts, that seems to work (dragomirp/pgbouncer-operator#10) with uv.

Will take a look. Thanks Drago!

> IMHO, without a pressing need to switch (focal support), it might be best to discuss further at the sprint.

I somewhat agree.

I recognize the value of simplifying the charmcraft.yaml file (which IMHO is confusing and bloated at the moment), but I think migrating the dependency management tooling is one of those changes where either we are convinced enough to migrate all our projects, or we do not migrate any at all. Leaving some of them with poetry and some of them with uv will only make things worse long term.

As you said: let's discuss during the Sprint. Paulo told me John wants to foster the usage of uv.

@sinclert-canonical (Contributor, Author)

Depends on canonical/data-platform#38.

Labels: enhancement (New feature, UI change, or workload upgrade), Libraries: Out of sync