From 0f90938ed521d51dcd2e8ab0429e5b8909ab6e91 Mon Sep 17 00:00:00 2001
From: Becky Smith
Date: Tue, 20 Jan 2026 17:04:45 +0000
Subject: [PATCH] uv for security updates and uvmirror-check workflow

Add uv dependabot config for security updates only Add a GHA workflow to ensure uvmirror file is consistent with uv.lock Ensures that the uvmirror requirements file has not been updated independently of the pyproject.toml and uv.lock files. This will fail any dependabot security update PRs that modify only the mirror file, and will prompt us to fix the PRs with the correct uv updates.
---
 .github/dependabot.yml | 7 +++++++
 .github/workflows/uvmirror-check.yml | 24 ++++++++++++++++++++++++
 2 files changed, 31 insertions(+)
 create mode 100644 .github/workflows/uvmirror-check.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index c20df2e..3dca800 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,3 +8,10 @@ updates:
 interval: "monthly"
 cooldown:
 default-days: 7
+
+ - package-ecosystem: "uv"
+ directory: "/"
+ schedule:
+ interval: "daily"
+ # Security updates only
+ open-pull-requests-limit: 0
diff --git a/.github/workflows/uvmirror-check.yml b/.github/workflows/uvmirror-check.yml
new file mode 100644
index 0000000..62d29df
--- /dev/null
+++ b/.github/workflows/uvmirror-check.yml
@@ -0,0 +1,24 @@
+---
+name: Check uvmirror
+
+permissions:
+ contents: read
+
+on:
+ push:
+ workflow_dispatch:
+
+jobs:
+ check-uvmirror:
+ runs-on: ubuntu-24.04
+
+ steps:
+ - uses: actions/checkout@v6
+ - uses: opensafely-core/setup-action@v1
+ with:
+ install-just: true
+ install-uv: true
+ cache: uv
+
+ - name: Ensure requirements.uvmirror.txt is consistent with uv.lock
+ run: just uvmirror && git diff -s --exit-code
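Review bot: The comment `# Security updates only` on the new uv entry states the intent but not the mechanism, and `open-pull-requests-limit: 0` reads as "disabled" to anyone who has not memorised the Dependabot docs. I would widen it to `# open-pull-requests-limit: 0 turns off version-update PRs; Dependabot security updates are still raised for this ecosystem when an alert fires`. The `schedule` block is required syntax but, as far as I know, does not drive security-update PRs, so a second comment saying `# schedule is required by the config format; security PRs are alert-driven` would stop someone later "fixing" the interval. It is also worth stating in this entry that uv.lock is the source of truth and that requirements.uvmirror.txt must be regenerated in the same PR, since that is what the new uvmirror-check workflow enforces. The `updates:` list this hunk appends to begins outside the hunk.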
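Review bot: The final step discards the evidence it is meant to produce: `git diff -s --exit-code` exits non-zero when requirements.uvmirror.txt drifts, but `-s` (`--no-patch`) suppresses the patch, so the job log shows only a failing exit status and the author has to regenerate locally to learn what differed. Dropping the flag, `run: just uvmirror && git diff --exit-code`, fails the same way but prints the offending hunk into the log; if no output is wanted, `git diff --quiet` is the documented spelling of "exit code only". On the supply-chain side, `actions/checkout@v6` and `opensafely-core/setup-action@v1` are pinned to mutable tags; pinning each to a full commit SHA with the tag in a trailing comment keeps a moved tag from changing what runs on every push, even with `contents: read`. A short header comment naming what `just uvmirror` regenerates and why drift from uv.lock matters would help the next reader, since the recipe itself is outside this diff.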