Pin PyGithub Dependency Using uv Lockfile (#4835)

This PR replaces the unpinned `pip install PyGithub` in the tagging
workflow
with `uv run --locked`, which uses a committed lockfile containing
SHA-256
hashes for PyGithub and all its transitive dependencies. This hardens
the
release tagging pipeline against supply chain attacks on PyPI.

Changes:
- Added PEP 723 inline script metadata to `internal/genkit/tagging.py`
- Generated `internal/genkit/tagging.py.lock` with pinned versions and
hashes
- Updated `tagging.yml` to use `uv run --locked` instead of pip

## Review Guide
- **Core**: `internal/genkit/tagging.py` preamble + `tagging.yml`
workflow change
- **Generated**: `internal/genkit/tagging.py.lock` - verify it resolves
PyGithub and deps

Co-authored-by: Omer Lachish <rauchy@users.noreply.github.com>

Author: rauchy

.github/workflows/tagging.yml

@@ -51,14 +51,11 @@ jobs:
           git config user.name "Databricks SDK Release Bot"
           git config user.email "DECO-SDK-Tagging[bot]@users.noreply.github.com"
 
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install PyGithub
+      - name: Install uv
+        uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4.2.0
 
       - name: Run script
         env:
           GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
           GITHUB_REPOSITORY: ${{ github.repository }}
-        run: |-
-          python internal/genkit/tagging.py
+        run: uv run --locked internal/genkit/tagging.py

internal/genkit/tagging.py

@@ -1,5 +1,9 @@
 #!/usr/bin/env python3
 
+# /// script
+# dependencies = ["PyGithub>=2,<3", "pyjwt<2.12.0", "charset-normalizer<3.4.6"]
+# ///
+
 import os
 import re
 import argparse