From 72b410c7efb7de642ce938c282b4e53e12860154 Mon Sep 17 00:00:00 2001
From: JacobPEvans <20714140+JacobPEvans@users.noreply.github.com>
Date: Mon, 27 Apr 2026 07:59:59 -0400
Subject: [PATCH] fix(pip-audit): run uv lock before export to handle version bumps
release-please bumps the version in pyproject.toml without running uv lock, leaving the lock file stale. uv export --locked then fails with "lockfile needs to be updated". Adding uv lock before the export makes the step a no-op when the lock is current, and fixes it when only the package version changed (no dependency updates). (claude)
---
 scripts/run-pip-audit.sh | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/scripts/run-pip-audit.sh b/scripts/run-pip-audit.sh
index 7b6628e..17a7d83 100755
--- a/scripts/run-pip-audit.sh
+++ b/scripts/run-pip-audit.sh
@@ -21,6 +21,10 @@ for dir in $PYTHON_DIRS; do
 echo "::group::Scanning $dir"
 trap 'echo "::endgroup::"' EXIT
 cd "$GITHUB_WORKSPACE/$dir"
+ # Sync lock file in case pyproject.toml version was bumped (e.g. by
+ # release-please) without a corresponding `uv lock` run. This is a
+ # no-op when the lock file is already up to date.
+ uv lock
 # --no-emit-project avoids exporting the local project as an editable
 # requirement when hashes are present, which would cause pip / pip-audit
 # to fail with "editable requirement cannot be installed when requiring
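Review bot: The unconditional `uv lock` added after the `cd` removes the drift check that `--locked` on the following `uv export` line (outside this hunk) was providing: when a dependency in pyproject.toml changes without a relock, the step used to fail, whereas now CI quietly re-resolves against whatever the index serves at scan time and pip-audit scans that fresh resolution instead of the committed uv.lock, so the audit result no longer describes the artifact that will actually ship. The case the commit fixes (only the project's own version changed) does not touch the dependency graph, so a tighter fix is to drop the `uv lock` and change the export to `uv export --frozen --no-emit-project …` with the remaining existing flags unchanged, which uses uv.lock exactly as committed without the staleness assertion. If re-resolving in CI is intended, the added comment should state that a stale dependency set is re-resolved here rather than rejected, since the current wording ("no-op when the lock file is already up to date") reads as if nothing else can change. The enclosing `for dir in $PYTHON_DIRS` loop starts and ends outside this hunk.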