fix: prevent dev dependency downloads at runtime #139

Merged
jmeridth merged 1 commit into main from fix/dockerfile-no-dev-entrypoint
Mar 19, 2026

zkoppert (Collaborator) commented Mar 18, 2026

Problem

The Dockerfile ENTRYPOINT uses uv run without --no-dev, causing it to re-sync the environment and download ~15MB of CI-only tools on every action invocation:

Downloading pygments (1.2MiB)
Downloading black (1.7MiB)
Downloading mypy (13.0MiB)

The build step correctly uses uv sync --frozen --no-dev, but uv run ignores that and resolves the full dependency graph including [dependency-groups] dev.

Fix

One-line change - add --no-dev to the entrypoint:

ENTRYPOINT ["uv", "run", "--no-dev", "--project", "/action/workspace"]

Context

Same fix as github-community-projects/pr-conflict-detector#41

@zkoppert zkoppert self-assigned this Mar 18, 2026
Copilot AI review requested due to automatic review settings March 18, 2026 23:44
@github-actions github-actions bot added the fix label Mar 18, 2026
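
A CI lint for the mismatch this PR fixes, added here as an illustration (not code from the PR or the project): it flags Dockerfile ENTRYPOINT/CMD instructions that invoke uv run without --no-dev. The sample Dockerfile, its base image name, and the function names are constructed for the example.

```python
import json
import os
import re
import shlex

# Constructed sample modelled on the PR description; not the project's actual Dockerfile.
SAMPLE_DOCKERFILE = """\
FROM example/python-uv:latest
COPY . /action/workspace
RUN uv sync \\
    --frozen --no-dev
ENTRYPOINT ["uv", "run", "--project", "/action/workspace"]
"""

def logical_lines(text):
    """Yield (first_line_number, instruction), joining backslash continuations."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start or n
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        yield start, buf + line
        buf, start = "", 0

def argv_of(body):
    """Parse exec form (JSON array) or shell form into an argument list."""
    if body.lstrip().startswith("["):
        try:
            return [str(a) for a in json.loads(body)]
        except json.JSONDecodeError:
            pass  # not valid JSON: Docker treats it as shell form
    return shlex.split(body)

def find_runtime_dev_sync(dockerfile_text):
    """Return (line_number, instruction) for ENTRYPOINT/CMD running `uv run` without --no-dev."""
    findings = []
    for lineno, line in logical_lines(dockerfile_text):
        m = re.match(r"(?i)(ENTRYPOINT|CMD)\s+(.*)", line)
        if not m:
            continue
        argv = argv_of(m.group(2))
        has_uv_run = any(os.path.basename(a) == "uv" and b == "run" for a, b in zip(argv, argv[1:]))
        if has_uv_run and "--no-dev" not in argv:
            findings.append((lineno, line))
    return findings
```

An empty result means every runtime uv run invocation carries --no-dev; a non-empty result can fail the build before the image ships.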
Copilot AI (Contributor) left a comment

Pull request overview

This PR updates the GitHub Action container runtime invocation to avoid re-resolving and downloading development-only dependency groups when the action is executed.

Changes:

  • Add --no-dev to the Docker ENTRYPOINT uv run command so runtime execution excludes dev dependencies.

Copilot AI review requested due to automatic review settings March 19, 2026 00:17
Copilot AI (Contributor) left a comment

Pull request overview

This PR aims to reduce unnecessary dependency downloads during GitHub Action runtime by preventing uv run from including dev dependency groups, while also applying workflow-level maintenance updates (concurrency controls, action pin bumps, and metadata clarifications).

Changes:

  • Update the Docker image entrypoint to run uv with --no-dev to avoid resolving/downloading dev dependencies at action runtime.
  • Add workflow concurrency configuration across multiple GitHub Actions workflows to reduce overlapping runs.
  • Refresh workflow housekeeping (update step-security/harden-runner pin, add job names, and annotate permissions/quoting in a few steps).

Reviewed changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| Dockerfile | Adds --no-dev to uv run entrypoint to prevent dev dependency sync/download at runtime. |
| .github/workflows/stale.yaml | Adds concurrency config; updates harden-runner pin and clarifies job name/permissions. |
| .github/workflows/scorecard.yml | Adds concurrency config; updates harden-runner pin and clarifies permissions. |
| .github/workflows/release.yml | Adds inline “required” comments for job permissions (documentation/clarity only). |
| .github/workflows/python-package.yml | Adds job name; updates harden-runner pin; uses env var + quoting for Python version in uv steps. |
| .github/workflows/pr-title.yml | Adds inline “required” comments for permissions (clarity only). |
| .github/workflows/mark-ready-when-ready.yml | Updates harden-runner pin; updates mark-ready-when-ready action pin to a versioned SHA. |
| .github/workflows/linter.yaml | Updates harden-runner pin and annotates permissions. |
| .github/workflows/docker-image.yml | Adds concurrency config; updates harden-runner pin; adds job name. |
| .github/workflows/dependency-review.yml | Adds concurrency config; updates harden-runner pin; adds job name. |
| .github/workflows/copilot-setup-steps.yml | Adds concurrency config; updates harden-runner pin; adds job name. |
| .github/workflows/contributor_report.yaml | Adds concurrency config; updates harden-runner pin; annotates permissions. |
| .github/workflows/codeql.yml | Adds concurrency config; updates harden-runner pin; annotates permissions. |
| .github/workflows/auto-labeler.yml | Adds inline “required” comments for permissions (clarity only). |

@zkoppert zkoppert force-pushed the fix/dockerfile-no-dev-entrypoint branch from 4332e52 to 595fd91 Compare March 19, 2026 04:23
Add --no-dev to the uv run ENTRYPOINT so that dev dependencies
(black, mypy, pylint, etc.) are not re-downloaded on every action
invocation. The build step already uses --no-dev during uv sync,
but uv run was resolving the full dependency graph at runtime.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@zkoppert zkoppert force-pushed the fix/dockerfile-no-dev-entrypoint branch from 595fd91 to 37d73e4 Compare March 19, 2026 04:33
@zkoppert zkoppert marked this pull request as ready for review March 19, 2026 05:24
@zkoppert zkoppert requested a review from jmeridth as a code owner March 19, 2026 05:24
Copilot AI review requested due to automatic review settings March 19, 2026 05:24
Copilot AI (Contributor) left a comment

Pull request overview

This PR updates the GitHub Action’s container entrypoint to prevent uv run from syncing and downloading dev-only dependency groups at runtime, aligning runtime behavior with the image build step (uv sync --no-dev).

Changes:

  • Add --no-dev to the Dockerfile ENTRYPOINT uv run invocation to avoid resolving/installing dev dependencies when the action runs.

@jmeridth jmeridth merged commit 39ab220 into main Mar 19, 2026
42 checks passed
@jmeridth jmeridth deleted the fix/dockerfile-no-dev-entrypoint branch March 19, 2026 11:40