Pin PyGithub Dependency Using uv Lockfile (#736)

This PR replaces the unpinned `pip install PyGithub` in the tagging
workflow
with `uv run --locked`, which uses a committed lockfile containing
SHA-256
hashes for PyGithub and all its transitive dependencies. This hardens
the
release tagging pipeline against supply chain attacks on PyPI.

Changes:
- Added PEP 723 inline script metadata to `tagging.py`
- Generated `tagging.py.lock` with pinned versions and hashes
- Updated `tagging.yml` to use `uv run --locked` instead of pip

## Review Guide
- **Core**: `tagging.py` preamble + `tagging.yml` workflow change
- **Generated**: `tagging.py.lock` - verify it resolves PyGithub and
deps

Co-authored-by: Omer Lachish <rauchy@users.noreply.github.com>

Author: rauchy

.github/workflows/tagging.yml

@@ -54,14 +54,11 @@ jobs:
           git config user.name "Databricks SDK Release Bot"
           git config user.email "DECO-SDK-Tagging[bot]@users.noreply.github.com"
 
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install PyGithub
+      - name: Install uv
+        uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4.2.0
 
       - name: Run script
         env:
           GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
           GITHUB_REPOSITORY: ${{ github.repository }}
-        run: |
-          python tagging.py
+        run: uv run --locked tagging.py

tagging.py

@@ -1,4 +1,7 @@
 #!/usr/bin/env python3
+# /// script
+# dependencies = ["PyGithub>=2,<3", "pyjwt<2.12.0", "charset-normalizer<3.4.6"]
+# ///
 
 import os
 import re