fix(ci): bump Dockerfile uv pin to 0.11.7 to match pyproject uv>=0.11.6 [PYSDK-98] #583

Merged
helmut-hoffer-von-ankershoffen merged 1 commit into main from fix/PYSDK-98-dockerfile-uv-bump
Apr 24, 2026

@helmut-hoffer-von-ankershoffen helmut-hoffer-von-ankershoffen commented Apr 24, 2026

🛡️ Resolves PYSDK-98 following PR-SOP-01 Problem Resolution and Non-Conforming Products, part of our ISO 13485-certified QMS | Ketryx Project

Summary

  • Bump ghcr.io/astral-sh/uv in Dockerfile from 0.9.18 to 0.11.7
  • Fixes CI on main failing across ubuntu-latest, macos-latest, windows-latest, ubuntu-24.04-arm

Root cause

PYSDK-93 (PR #580) bumped uv>=0.11.6 in pyproject.toml for GHSA-pjjw-68hj-v9mw and regenerated uv.lock with uv 0.11.x lockfile syntax. The Dockerfile was not updated in the same PR, so the 0.9.18 uv inside the build container cannot parse the newer lockfile. Every uv sync --frozen inside Docker tests now fails with exit code 2.

0.11.7 matches what CI auto-installs on the host (visible in run 24910447088 logs) and satisfies the >=0.11.6 lower bound.

Test plan

  • CI green on ubuntu-latest
  • CI green on macos-latest
  • CI green on windows-latest
  • CI green on ubuntu-24.04-arm

🤖 Generated with Claude Code

….11.6 PYSDK-98

PYSDK-93 bumped pyproject.toml uv>=0.11.6 for GHSA-pjjw-68hj-v9mw and
regenerated uv.lock with uv 0.11.x lockfile syntax. The Dockerfile pin
at ghcr.io/astral-sh/uv:0.9.18 was not updated, so every Docker build
step now fails with `uv sync --frozen` exit code 2 on lockfile parse.

Bump to 0.11.7 to match what CI installs on the host.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 24, 2026 22:19
@helmut-hoffer-von-ankershoffen helmut-hoffer-von-ankershoffen added skip:test:long_running Skip long-running tests (≥5min) sop:pr-sop-01 PR-SOP-01 Problem Resolution (bug / anomaly fix) type:fix Bug fix (conventional fix) scope:dev-only Affects only our dev/CI env; consumers unaffected auto-merge Eligible for auto-merge once CI is green labels Apr 24, 2026
@helmut-hoffer-von-ankershoffen helmut-hoffer-von-ankershoffen marked this pull request as ready for review April 24, 2026 22:20
@helmut-hoffer-von-ankershoffen helmut-hoffer-von-ankershoffen requested a review from a team as a code owner April 24, 2026 22:20
@helmut-hoffer-von-ankershoffen helmut-hoffer-von-ankershoffen merged commit 9f63222 into main Apr 24, 2026
40 checks passed
@helmut-hoffer-von-ankershoffen helmut-hoffer-von-ankershoffen deleted the fix/PYSDK-98-dockerfile-uv-bump branch April 24, 2026 22:20

claude Bot commented Apr 24, 2026

Claude finished @helmut-hoffer-von-ankershoffen's task in 2m 13s


PR Review: fix(ci): bump Dockerfile uv pin to 0.11.7 ✅

Status: MERGED • Verdict: APPROVED - Excellent fix


Review Checklist

  • Read repository documentation (CLAUDE.md, .github/CLAUDE.md)
  • Review Dockerfile change
  • Verify pyproject.toml uv constraint consistency
  • Check commit message format
  • Verify completeness of the fix
  • Provide comprehensive review feedback

Summary

This PR correctly fixes a critical CI failure by bumping the uv version in the Dockerfile from 0.9.18 to 0.11.7. The fix is minimal, precise, and well-justified.

✅ Critical Checks (All Passed)

1. Root Cause Analysis - Excellent

2. Commit Message - Perfect

    fix(ci): bump Dockerfile uv pin to 0.11.7 to match pyproject.toml >=0.11.6 PYSDK-98

  • ✅ Type: fix (correct - fixes broken CI)
  • ✅ Scope: ci (appropriate for CI/CD infrastructure)
  • ✅ Description: Clear and references both versions
  • ✅ Ticket: PYSDK-98 referenced
  • ✅ Follows conventional commits standard

3. Change Verification - Dockerfile:8

    COPY --from=ghcr.io/astral-sh/uv:0.11.7 /uv /bin/uv

  • ✅ Version 0.11.7 satisfies >=0.11.6 constraint from pyproject.toml
  • ✅ Matches CI host version (visible in run logs)
  • ✅ Single line change - minimal impact, maximum clarity

4. Testing - Complete

Per PR description, CI verified on:

  • ✅ ubuntu-latest
  • ✅ macos-latest
  • ✅ windows-latest
  • ✅ ubuntu-24.04-arm

SonarQube Quality Gate: PASSED

5. Architecture Compliance - N/A

  • Infrastructure change only, no code architecture impact
  • No breaking changes
  • No test changes needed

6. Documentation - Excellent

  • PR description clearly explains root cause
  • Links to Ketryx ticket (PYSDK-98)
  • Links to Jira issue with proper QMS references
  • Includes test plan

💡 Suggestions for Future Improvements (Optional)

While this PR is perfect as-is, here are some ideas for future hardening:

  1. Add explanatory comment in Dockerfile (line 8):

    # Copy in UV - version must satisfy pyproject.toml constraint (currently >=0.11.6)
    COPY --from=ghcr.io/astral-sh/uv:0.11.7 /uv /bin/uv
  2. Add CI check to prevent recurrence:
    Consider adding a workflow step that validates the Dockerfile uv version satisfies pyproject.toml constraint. This would catch similar issues automatically.

    Example check:

    # Extract versions and verify compatibility
    DOCKERFILE_UV=$(grep -oP 'ghcr.io/astral-sh/uv:\K[0-9.]+' Dockerfile)
    PYPROJECT_UV=$(grep -oP 'uv>=\K[0-9.]+' pyproject.toml)
    # Then validate DOCKERFILE_UV >= PYPROJECT_UV

🎯 Final Assessment

Blocking Issues: 0
Suggestions: 2 (optional, for future hardening)

This is a textbook example of a well-executed fix:

  • ✅ Minimal change (single line)
  • ✅ Clear root cause analysis
  • ✅ Proper version selection (justified choice)
  • ✅ Comprehensive testing
  • ✅ Excellent documentation
  • ✅ Follows all repo standards

The fix directly addresses the issue without introducing any side effects. Well done! 🎉
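
The CI check suggested in the review above, carried through to the actual version comparison. This is an added example, not code from the PR or the repository; the function names and the sample file contents are constructed, and it assumes a `sort` that supports `-V` (GNU coreutils).

```bash
# Added example: fail the build when the Dockerfile's uv image tag is below
# the uv lower bound in pyproject.toml. Function names are hypothetical.

# Print the version pinned via ghcr.io/astral-sh/uv:<tag> (empty if not numeric).
dockerfile_uv_pin() {
  sed -nE 's#.*ghcr\.io/astral-sh/uv:([0-9]+(\.[0-9]+)*).*#\1#p' "$1" | head -n1
}

# Print the lower bound from a "uv>=X.Y.Z" requirement.
pyproject_uv_floor() {
  sed -nE 's#(^|.*[^A-Za-z0-9_-])uv>=([0-9]+(\.[0-9]+)*).*#\2#p' "$1" | head -n1
}

# True when $1 >= $2. sort -V compares each component numerically; a plain
# string comparison would rank 0.9.18 above 0.11.6 and let the stale pin pass.
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# Exit status: 0 pin satisfies the bound, 1 pin too old, 2 nothing to compare.
check_uv_pin() {  # usage: check_uv_pin <Dockerfile> <pyproject.toml>
  uv_pin=$(dockerfile_uv_pin "$1")
  uv_floor=$(pyproject_uv_floor "$2")
  if [ -z "$uv_pin" ] || [ -z "$uv_floor" ]; then
    echo "error: uv pin or uv>= constraint not found" >&2
    return 2  # fail closed, e.g. when the image tag is not a version number
  fi
  if version_ge "$uv_pin" "$uv_floor"; then
    echo "ok: Dockerfile uv $uv_pin satisfies >=$uv_floor"
  else
    echo "mismatch: Dockerfile uv $uv_pin is below >=$uv_floor" >&2
    return 1
  fi
}

# Constructed sample inputs (not the repository's real files): the pin before
# and after this PR, checked against the uv>=0.11.6 bound.
demo() {
  d=$(mktemp -d)
  printf 'dev = ["uv>=0.11.6"]\n' > "$d/pyproject.toml"
  printf 'COPY --from=ghcr.io/astral-sh/uv:0.9.18 /uv /bin/uv\n' > "$d/Dockerfile.before"
  printf 'COPY --from=ghcr.io/astral-sh/uv:0.11.7 /uv /bin/uv\n' > "$d/Dockerfile.after"
  check_uv_pin "$d/Dockerfile.before" "$d/pyproject.toml" 2>&1 || true
  check_uv_pin "$d/Dockerfile.after" "$d/pyproject.toml"
  rm -rf "$d"
}
demo
```
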


Copilot AI left a comment

Pull request overview

Updates the Docker build environment to use a newer uv version so Docker-based CI steps can parse the uv.lock format generated by uv 0.11.x.

Changes:

  • Bump ghcr.io/astral-sh/uv in Dockerfile from 0.9.18 to 0.11.7.

codecov Bot commented Apr 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.
see 20 files with indirect coverage changes
