diff --git a/.github/workflows/api-container-build-push.yml b/.github/workflows/api-container-build-push.yml
index 3329be93e2..d4835db7d5 100644
--- a/.github/workflows/api-container-build-push.yml
+++ b/.github/workflows/api-container-build-push.yml
@@ -133,37 +133,15 @@ jobs:
 with:
 persist-credentials: false

- - name: Pin prowler SDK to latest master commit and refresh lockfile
- if: github.event_name == 'push'
+ - name: Refresh prowler SDK pin to current branch tip
 run: |
- set -e
- LATEST_SHA=$(git ls-remote https://github.com/prowler-cloud/prowler.git refs/heads/master | cut -f1)
- sed -i "s|prowler-cloud/prowler.git@master|prowler-cloud/prowler.git@${LATEST_SHA}|" api/pyproject.toml
- # Refresh api/uv.lock so it matches the pinned SHA above; the API
- # Dockerfile runs `uv sync --locked`, which aborts on any drift
- # between pyproject.toml and uv.lock.
+ # api/pyproject.toml has `@master` on master and `@v5.X` on release
+ # branches (set by prepare-release.yml). uv lock --upgrade-package
+ # re-resolves whichever ref is present against the current branch tip
+ # and writes the SHA into api/uv.lock. The Dockerfile runs
+ # `uv sync --locked`, which is what actually drives the install.
 pip install --no-cache-dir "uv==0.11.14"
- (cd api && uv lock)
-
- - name: Pin prowler SDK to latest release branch (v5.Y) commit and refresh lockfile
- if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
- run: |
- set -e
- # RELEASE_TAG looks like "5.14.0"; the SDK release branch is "v5.14".
- VERSION="${RELEASE_TAG#v}"
- VERSION_BRANCH="v$(echo "${VERSION}" | cut -d. -f1,2)"
- LATEST_SHA=$(git ls-remote https://github.com/prowler-cloud/prowler.git "refs/heads/${VERSION_BRANCH}" | cut -f1)
- if [ -z "${LATEST_SHA}" ]; then
- echo "ERROR: release branch ${VERSION_BRANCH} not found in prowler-cloud/prowler"
- exit 1
- fi
- echo "Pinning SDK to ${VERSION_BRANCH}@${LATEST_SHA}"
- sed -i "s|prowler-cloud/prowler.git@master|prowler-cloud/prowler.git@${LATEST_SHA}|" api/pyproject.toml
- # Refresh api/uv.lock so it matches the pinned SHA above; the API
- # Dockerfile runs `uv sync --locked`, which aborts on any drift
- # between pyproject.toml and uv.lock.
- pip install --no-cache-dir "uv==0.11.14"
- (cd api && uv lock)
+ (cd api && uv lock --upgrade-package prowler)

 - name: Login to DockerHub
 uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
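Review bot: The added `(cd api && uv lock --upgrade-package prowler)` line resolves a moving ref (`@master` or `@v5.X`) at build time, but nothing in the step records which SDK commit was resolved, whereas the removed release step at least echoed `Pinning SDK to ${VERSION_BRANCH}@${LATEST_SHA}`. The refreshed api/uv.lock exists only in the runner workspace, so a published image can no longer be traced to an exact SDK commit from the job log; adding `git --no-pager diff -- api/uv.lock` after the lock command would keep that record. The step also drops its `if:` condition and the explicit "release branch ... not found" failure, so on `release` and `workflow_dispatch` runs the SDK version presumably depends entirely on the checked-out ref carrying the right `@v5.X` pin in api/pyproject.toml. The checkout step begins outside this hunk, so confirm which ref it uses for those events before relying on that.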