diff --git a/.github/workflows/api-container-build-push.yml b/.github/workflows/api-container-build-push.yml
index 0c45471600..ab0725b891 100644
--- a/.github/workflows/api-container-build-push.yml
+++ b/.github/workflows/api-container-build-push.yml
@@ -133,11 +133,17 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: Pin prowler SDK to latest master commit
+      - name: Pin prowler SDK to latest master commit and refresh lockfile
         if: github.event_name == 'push'
         run: |
+          set -e
           LATEST_SHA=$(git ls-remote https://github.com/prowler-cloud/prowler.git refs/heads/master | cut -f1)
           sed -i "s|prowler-cloud/prowler.git@master|prowler-cloud/prowler.git@${LATEST_SHA}|" api/pyproject.toml
+          # Refresh api/uv.lock so it matches the pinned SHA above; the API
+          # Dockerfile runs `uv sync --locked`, which aborts on any drift
+          # between pyproject.toml and uv.lock.
+          pip install --no-cache-dir "uv==0.11.14"
+          (cd api && uv lock)
 
       - name: Login to DockerHub
         uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
diff --git a/api/Dockerfile b/api/Dockerfile
index e7b758f4b8..2851b0a35b 100644
--- a/api/Dockerfile
+++ b/api/Dockerfile
@@ -89,7 +89,7 @@ WORKDIR /home/prowler
 # Ensure output directory exists
 RUN mkdir -p /tmp/prowler_api_output
 
-COPY pyproject.toml uv.lock ./
+COPY --chown=prowler:prowler pyproject.toml uv.lock ./
 RUN pip install --no-cache-dir --upgrade pip && \
     pip install --no-cache-dir uv==0.11.14
 
@@ -97,7 +97,7 @@ RUN pip install --no-cache-dir --upgrade pip && \
 ENV PATH="/home/prowler/.local/bin:$PATH"
 
 # Add `--no-install-project` to avoid installing the current project as a package
-RUN uv sync --no-install-project && \
+RUN uv sync --locked --no-install-project && \
     rm -rf ~/.cache/uv
 
 RUN .venv/bin/python .venv/lib/python3.12/site-packages/prowler/providers/m365/lib/powershell/m365_powershell.py
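Review bot: The added `set -e` does not cover the `git ls-remote … | cut -f1` pipeline: if `ls-remote` fails (network error, rate limit), `cut` still exits 0, `LATEST_SHA` is empty, and the following `sed` rewrites the dependency to `prowler.git@` before `uv lock` is run against it. Replace the added line with `set -euo pipefail` and guard the result right after the assignment, `[ -n "$LATEST_SHA" ] || { echo "could not resolve master SHA" >&2; exit 1; }`. Note that the default `run:` shell on Linux runners is already `bash -e {0}` (unless a `shell:` key outside this hunk overrides it), so `set -e` on its own adds nothing here. The `pip install "uv==0.11.14"` pin also has to track the one in `api/Dockerfile`; a one-line comment naming that file would keep the two from drifting.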
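Review bot: `--locked` ties this build to a lockfile that the `uv==0.11.14` installed a few lines above must be able to read, while the workflow hunk in this same diff regenerates `uv.lock` with its own, separately pinned `uv==0.11.14`; nothing links the two pins, so bumping one alone will only surface as a `--locked` failure here. A comment above the `RUN`, `# uv.lock is regenerated in .github/workflows/api-container-build-push.yml with the same uv version; keep both pins in step`, would make the coupling visible. With `--locked` the build now aborts on drift instead of silently re-resolving, which is the right failure mode for a reproducible image, and the `rm -rf ~/.cache/uv` in the same layer keeps that without bloating the image.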