Replace curl-pipe-to-shell uv install with pinned pipx version

[Copilot]

curl -LsSf https://astral.sh/uv/install.sh | sh executes an unversioned remote script as root with no integrity check — a supply-chain risk if astral.sh or its DNS/TLS is compromised.

Changes

• Dockerfile: Replace the curl-based uv installer with pipx install "uv==${UV_VERSION}"
  • Pins uv to a specific version via the UV_VERSION build argument (default: 0.10.9)
  • Installs uv into an isolated pipx environment without bypassing PEP 668 system package protections
  • Drops curl from the image entirely
  • Allows the uv version to be overridden at build time with docker build --build-arg UV_VERSION=x.y.z

# Before
RUN apt-get update && apt-get install -y curl ca-certificates libmagic1 \
    && curl -LsSf https://astral.sh/uv/install.sh | sh \
    && apt-get clean && rm -rf /var/lib/apt/lists/* \
    && uv sync --no-dev --frozen

# After
ARG UV_VERSION=0.10.9

RUN apt-get update && apt-get install -y pipx ca-certificates libmagic1 \
    && pipx install "uv==${UV_VERSION}" \
    && apt-get clean && rm -rf /var/lib/apt/lists/* \
    && uv sync --no-dev --frozen

pipx installs uv into its own isolated virtual environment and places the binary at /root/.local/bin/uv, which is already on the PATH via the existing ENV PATH="/root/.local/bin/:$PATH" directive.

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/astral-sh/uv/releases/latest
  • Triggering command: /usr/bin/curl curl -s REDACTED (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[samppanja]

@copilot added https://api.github.com/repos to firewall allowlist

[samppanja]

@copilot consider using pipx for uv installation to not break pip system packages.
pipx install uv

[Copilot]

@copilot consider using pipx for uv installation to not break pip system packages.
pipx install uv

Done in a25eafe. Switched to pipx install "uv==0.6.3" — this keeps uv in an isolated environment without needing --break-system-packages. The existing ENV PATH="/root/.local/bin/:$PATH" already ensures the installed binary is on the path.

[samppanja]

@copilot make the uv version an argument in the Dockerfile for easier editing and overriding.

[Copilot]

@copilot make the uv version an argument in the Dockerfile for easier editing and overriding.

Done in 035f244. Added ARG UV_VERSION=0.6.3 before the RUN layer so the version defaults to 0.6.3 but can be overridden at build time:

docker build --build-arg UV_VERSION=0.7.0 .

[samppanja]

@copilot latest uv version is 0.10.9

[Copilot]

@copilot latest uv version is 0.10.9

Updated the default UV_VERSION to 0.10.9 in 0f7c943.

[samppanja]

@copilot ready to merge