ci: enforce a frozen uv install and keep uv.lock in sync

Add --locked to the CI sync so the committed uv.lock is the single source of truth and any drift fails the build, matching the frozen installs the other SDK repos already use. The release workflow now relocks and commits uv.lock after the version bump, which is what left the lock stale (it had tracked the package version, not the dependencies). uv has no rolling release-age cooldown, so a verified lockfile plus a frozen install is the supply-chain control for this repo.

Author: ph33nx

.github/workflows/ci.yml

@@ -23,7 +23,7 @@ jobs:
           python-version: ${{ matrix.python }}
           enable-cache: true
 
-      - run: uv sync --all-extras --dev
+      - run: uv sync --locked --all-extras --dev
 
       - name: Codegen drift check
         if: matrix.python == '3.12'

.github/workflows/release.yml

@@ -93,7 +93,8 @@ jobs:
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
           VERSION=$(cat /tmp/new_version.txt)
-          git add pyproject.toml src/roxy_sdk/version.py specs/openapi.json src/roxy_sdk/factory.py
+          uv lock
+          git add pyproject.toml uv.lock src/roxy_sdk/version.py specs/openapi.json src/roxy_sdk/factory.py
           git commit -m "release: v$VERSION"
           git tag "v$VERSION"
           git push --follow-tags