From f0e7df54d49f2ea034798b95bcb94d108291a918 Mon Sep 17 00:00:00 2001
From: thePR0M3TH3AN <53631862+PR0M3TH3AN@users.noreply.github.com>
Date: Tue, 19 Aug 2025 09:14:41 -0400
Subject: [PATCH] ci: add uv lockfile verification

---
 .github/workflows/python-ci.yml | 34 +++++++++++++++++++++++----------
 1 file changed, 24 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/python-ci.yml b/.github/workflows/python-ci.yml
index ac31272..c4acf39 100644
--- a/.github/workflows/python-ci.yml
+++ b/.github/workflows/python-ci.yml
@@ -23,7 +23,22 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 GITLEAKS_CONFIG: .gitleaks.toml
 
+ lock-check:
+ name: Lock Check
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Install uv
+ run: |
+ curl -LsSf https://astral.sh/uv/install.sh | sh
+ echo "$HOME/.cargo/bin" >> $GITHUB_PATH
+ - name: Compile lockfile
+ run: uv pip compile --python-version 3.11 --emit-index-url src/requirements.txt -o requirements.lock
+ - name: Verify lockfile
+ run: git diff --exit-code requirements.lock
+
 build:
+ needs: lock-check
 strategy:
 matrix:
 os: [ubuntu-latest, windows-latest, macos-latest]
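Review bot: The new `Compile lockfile` step silently drops the hash pinning the old pip-tools step had — `uv pip compile` is run without `--generate-hashes`, so `requirements.lock` no longer records artifact digests and nothing downstream can verify what gets installed. Add it: `run: uv pip compile --python-version 3.11 --generate-hashes --emit-index-url src/requirements.txt -o requirements.lock`, and require those hashes on the install side. The `Install uv` step also executes whatever `https://astral.sh/uv/install.sh` happens to serve at run time, so the lockfile check itself rests on an unpinned, unverified tool; pin the installer to a release (e.g. `https://astral.sh/uv/<version>/install.sh`) or use the `astral-sh/setup-uv` action pinned to a commit SHA with an explicit `version:`, and pin `actions/checkout` to a SHA rather than the `v4` tag for the same reason. Recent uv installers appear to place the binary in `~/.local/bin` rather than `~/.cargo/bin`, so confirm the `$GITHUB_PATH` line against whichever installer version you pin. The `build` job's body continues outside the hunk.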
@@ -69,20 +84,19 @@ jobs:
 if: runner.os == 'Windows'
 shell: bash
 run: echo "${{ steps.msys.outputs.msys2-location }}/mingw64/bin" >> $GITHUB_PATH
- - name: Cache pip
+ - name: Cache dependencies
 uses: actions/cache@v3
 with:
- path: ~/.cache/pip
- key: ${{ runner.os }}-pip-${{ hashFiles('requirements.lock') }}
+ path: ~/.cache/uv
+ key: ${{ runner.os }}-uv-${{ hashFiles('requirements.lock') }}
 restore-keys: |
- ${{ runner.os }}-pip-
- - name: Verify lockfile and install dependencies
+ ${{ runner.os }}-uv-
+ - name: Install uv
 run: |
- python -m pip install --upgrade pip
- pip install pip-tools
- pip-compile --generate-hashes --output-file=requirements.lock src/requirements.txt
- git diff --exit-code requirements.lock
- pip install --require-hashes -r requirements.lock
+ curl -LsSf https://astral.sh/uv/install.sh | sh
+ echo "$HOME/.cargo/bin" >> $GITHUB_PATH
+ - name: Sync dependencies
+ run: uv pip sync --frozen requirements.lock
 - name: Run dependency scan
 run: scripts/dependency_scan.sh --ignore-vuln GHSA-wj6h-64fc-37mp
 - name: Determine stress args
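Review bot: The new `Install uv` step in the `build` job runs the Unix `curl … | sh` installer with no `shell: bash`, yet the job's matrix includes `windows-latest`, where the default step shell is PowerShell and the step directly above had to set `shell: bash` explicitly to work at all — the Windows leg will presumably fail or end up without uv on PATH. The `Sync dependencies` step also gives up the `--require-hashes` guarantee of the removed `pip install` line, and I don't believe `uv pip sync` accepts `--frozen` (it is a project-command flag) — verify, and use `run: uv pip sync --require-hashes requirements.lock` against a lockfile compiled with `--generate-hashes` so the CI install is actually bound to the pinned artifacts. `~/.cache/uv` is only the Linux cache location; on macOS and Windows uv caches elsewhere, so the `Cache dependencies` step likely never hits on two of the three runners — resolve the path with `uv cache dir` or use `astral-sh/setup-uv` with `enable-cache: true`. The step list continues outside the hunk.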