Skip to content

Bootstrap

Bootstrap #7

name: Check uv.lock for private CodeArtifact references
# Fails if uv.lock leaks `https://*.codeartifact.*.amazonaws.com/...` URLs,
# which happens when someone runs `uv lock` / `uv sync` with
# UV_EXTRA_INDEX_URL pointing at the private hai registry. This repo will
# be public, so any private-registry URL in the lockfile is a leak.
on:
pull_request:
paths:
- "uv.lock"
push:
branches: [main]
paths:
- "uv.lock"
permissions:
contents: read
jobs:
check-private-refs:
runs-on: ubuntu-latest
timeout-minutes: 2
steps:
- uses: actions/checkout@v4
- name: Scan uv.lock
run: |
# Match only real private CodeArtifact URLs, not package names like
# `mypy-boto3-codeartifact` or extras like `boto3-stubs[codeartifact]`.
if grep -qE "codeartifact\.[^\"']*\.amazonaws\.com" uv.lock; then
echo "::error::uv.lock contains private CodeArtifact URLs."
echo ""
echo "Cause: 'uv lock' / 'uv sync' was run with UV_EXTRA_INDEX_URL set."
echo ""
echo "Fix:"
echo " unset UV_EXTRA_INDEX_URL"
echo " uv lock --upgrade"
echo " git add uv.lock && git commit"
echo ""
echo "Offending lines:"
grep -nE "codeartifact\.[^\"']*\.amazonaws\.com" uv.lock | head -20
exit 1
fi
echo "uv.lock is clean."