Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Check uv.lock for private CodeArtifact references | |
| # Fails if uv.lock leaks `https://*.codeartifact.*.amazonaws.com/...` URLs, | |
| # which happens when someone runs `uv lock` / `uv sync` with | |
| # UV_EXTRA_INDEX_URL pointing at the private hai registry. This repo will | |
| # be public, so any private-registry URL in the lockfile is a leak. | |
| on: | |
| pull_request: | |
| paths: | |
| - "uv.lock" | |
| push: | |
| branches: [main] | |
| paths: | |
| - "uv.lock" | |
| permissions: | |
| contents: read | |
| jobs: | |
| check-private-refs: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 2 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Scan uv.lock | |
| run: | | |
| # Match only real private CodeArtifact URLs, not package names like | |
| # `mypy-boto3-codeartifact` or extras like `boto3-stubs[codeartifact]`. | |
| if grep -qE "codeartifact\.[^\"']*\.amazonaws\.com" uv.lock; then | |
| echo "::error::uv.lock contains private CodeArtifact URLs." | |
| echo "" | |
| echo "Cause: 'uv lock' / 'uv sync' was run with UV_EXTRA_INDEX_URL set." | |
| echo "" | |
| echo "Fix:" | |
| echo " unset UV_EXTRA_INDEX_URL" | |
| echo " uv lock --upgrade" | |
| echo " git add uv.lock && git commit" | |
| echo "" | |
| echo "Offending lines:" | |
| grep -nE "codeartifact\.[^\"']*\.amazonaws\.com" uv.lock | head -20 | |
| exit 1 | |
| fi | |
| echo "uv.lock is clean." |