fix: ensure deterministic and reproducible workflow behavior

[Abhijeet2409]

This PR ensures deterministic and reproducible CI workflows by introducing uv.lock and aligning dependency installation across workflows.

Changes

1. Enable reproducible environments

• Removed uv.lock from .gitignore
• Generated uv.lock and committed it to the repository to ensure it locks exact dependency versions.

2. Enforce frozen installs in CI

Added --frozen to uv sync in:

• pr-check-codecov.yml
• pr-check-examples.yml
• pr-check-secondary-unit-integration-test.yml
• tck-test.yml

Ensures workflows install dependencies from the lockfile (uv.lock) using --frozen.

3. deps-check workflow

• During debugging of the minimum-dependency test setup, added --no-editable to avoid SCM version mismatch during editable installs.
• Ensures standard build installation while validating compatibility with minimum dependency versions.

4. Stabilize publish workflow

• Kept pip (did not switch to uv to avoid introducing potential issues).
• Pinned build dependencies:
  • build==1.5
  • pdm-backend==2.4.8
  • grpcio-tools==1.76.0

5. pyproject.toml adjustments

• Ensured dependency version ranges are compatible with lockfile resolution.
• Minor adjustments during debugging to support reproducible builds.

Testing

1. Dependency Compatibility Check workflow

• Successfully validated via fork
  https://github.com/Abhijeet2409/hiero-sdk-python/actions/runs/24361544442

2. Publish to PyPI workflow

• Validated via local build (pinned dependencies confirmed working)

3. Run Examples workflow

• Successfully validated via fork
  https://github.com/Abhijeet2409/hiero-sdk-python/actions/runs/24361544373/job/71142317974

4. Secondary PR Check – Hiero Solo Integration & Unit Tests workflow

https://github.com/Abhijeet2409/hiero-sdk-python/actions/runs/24361909167/job/71143673219

5. TCK Unit Test workflow

• Workflow successfully triggered; awaiting runner pickup
  https://github.com/Abhijeet2409/hiero-sdk-python/actions/runs/24361909191/job/71143561187

6. Code Coverage workflow

https://github.com/Abhijeet2409/hiero-sdk-python/actions/runs/24361909161/job/71143561091

Fixes #2057

[codacy-production]

Not up to standards ⛔

🔴 Issues 1 critical · 2 medium · 1 minor

Alerts:
⚠ 4 issues (≤ 0 issues of at least minor severity)

Results:
4 new issues

Category	Results
Security	2 medium 1 minor
Complexity	1 critical

View in Codacy

🟢 Metrics 0 complexity

Metric	Results
Complexity	0

View in Codacy

_{TIP This summary will be updated as you push new changes. Give us feedback}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

@@           Coverage Diff           @@
##             main    #2102   +/-   ##
=======================================
  Coverage   93.68%   93.68%           
=======================================
  Files         145      145           
  Lines        9426     9426           
=======================================
  Hits         8831     8831           
  Misses        595      595           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Removed uv.lock from .gitignore, pinned build-system requirements in pyproject.toml, added --frozen (and in one job --no-editable) to several uv sync commands across workflows, enabled full git history in one workflow, and pinned build tool versions in the publish workflow.

Changes

Cohort / File(s)	Summary
Lock file management /.gitignore	Deleted the uv.lock ignore entry so the repository can commit and track the uv lockfile.
Build system configuration pyproject.toml	Pinned entries in [build-system].requires to explicit versions and moved PDM SCM version config to a [tool.pdm.version] table.
Frozen sync enforcement (CI jobs) .github/workflows/pr-check-secondary-unit-integration-test.yml, .github/workflows/pr-check-primary-codecov.yml, .github/workflows/pr-check-secondary-examples.yml, .github/workflows/pr-check-secondary-tck-test.yml	Changed uv sync invocations to include --frozen to enforce using the lockfile; no other job logic altered.
Deps test workflow adjustments .github/workflows/pr-check-secondary-deps-test.yml	Set actions/checkout to fetch-depth: 0 and changed uv sync to add --no-editable for minimum-deps compatibility checks; minor whitespace/indentation tweaks and an explanatory comment added.
Publish workflow tool pinning .github/workflows/publish.yml	Pinned build tooling to explicit versions (build==1.4.2, pdm-backend==2.4.8, grpcio-tools==1.76.0) and added comments noting reproducible builds.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix: ensure deterministic and reproducible workflow behavior' accurately reflects the main objective of the PR: making CI workflows deterministic and reproducible by committing uv.lock and using frozen installs.
Linked Issues check	✅ Passed	The PR addresses all primary objectives from issue #2057: removed uv.lock from .gitignore, committed uv.lock to source control, added --frozen to uv sync commands, pinned build dependencies in publish workflow, standardized on uv with lockfile, and provided testing evidence.
Out of Scope Changes check	✅ Passed	All changes directly support the linked issue objectives: workflow YAML updates enforce frozen installs, .gitignore modification enables lockfile tracking, pyproject.toml adjustments support reproducible builds, and publish workflow stabilization pins dependencies. No unrelated changes detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check	✅ Passed	The pull request description clearly outlines the changes made to ensure deterministic and reproducible CI workflows, including specific file modifications, workflow adjustments, and testing validation.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

📋 Issue Planner

Built with CodeRabbit's Coding Plans for faster development and fewer bugs.

View plan used: #2057

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: e9809a5e-f84e-4629-9a97-5f3ec1736765

📥 Commits

Reviewing files that changed from the base of the PR and between 9360ad4 and 348127c.

⛔ Files ignored due to path filters (1)

• uv.lock is excluded by !**/*.lock

📒 Files selected for processing (9)

• .github/workflows/deps-check.yml
• .github/workflows/pr-check-codecov.yml
• .github/workflows/pr-check-examples.yml
• .github/workflows/pr-check-secondary-unit-integration-test.yml
• .github/workflows/publish.yml
• .github/workflows/tck-test.yml
• .gitignore
• CHANGELOG.md
• pyproject.toml

💤 Files with no reviewable changes (1)

• .gitignore

[exploreriii]

Hi @Abhijeet2409
This is looking pretty good, I left a question.

Could you please rebase, fetching all new content from upstream main.
We have changed some of these workflow names (sorry for the inconvenience) and also deleted the changelog, do you'll no longer need and entry.
Thanks!

[Abhijeet2409]

Hey @exploreriii, thanks for the review. I’ve successfully rebased my commits, resolved conflicts, and updated things accordingly. Happy to make any further changes if needed :)

[exploreriii]

Hi @Abhijeet2409 note your DCO+GPG key signing got mixed up here, please check your signing and try again

[Abhijeet2409]

@Abhijeet2409 sorry about this, you also lost your verified sign status

No issue, I’ll fix that. I’ve been busy traveling lately.

[aceppaluni]

@Abhijeet2409 Please update the branch

[aceppaluni]

@Abhijeet2409 Thank you for this.

The reason the workflow fails is the use of --no-editable

This flag needs to exist in each workflow, not jsut pr-check-secondary-deps-test.yml.

So sections where you see something like

- name: Install dependencies
        run: |
          uv sync --all-extras --dev --frozen

Need to inclide this flag. So it changes to

- name: Install dependencies
        run: |
          uv sync --all-extras --dev --frozen --no-editable

What are your thoughts on this change?

[Abhijeet2409]

@aceppaluni I agree with your suggestion. I checked the related workflows/tests to see if switching all uv sync installs to --no-editable could introduce any issues, but I did not find any workflow that appears to depend on editable-install behavior.

Using --no-editable consistently across the workflows will also help avoid the SCM/editable metadata path that caused the earlier failures.

Since publish.yml already follows a standard non-editable build flow, this should also make the CI workflows more consistent overall.

I’ll proceed with adding --no-editable in the remaining workflows.

[Abhijeet2409]

After applying --no-editable across the remaining uv sync workflows, the failures now seem to consistently point to package version metadata mismatches.
I’m trying to resolve the failures and will update shortly.

[aceppaluni]

After applying --no-editable across the remaining uv sync workflows, the failures now seem to consistently point to package version metadata mismatches. I’m trying to resolve the failures and will update shortly.

Thank you for the update

[exploreriii]

Hi I think this is pretty good, just have a couple questions

[exploreriii]

i think this is now 1.5?
https://github.com/pypa/build/releases

[Abhijeet2409]

Yes, build version is 1.5 now, so updating accordingly.

[exploreriii]

i know we had these in build, but unsure if they all need to be here? have you tested, as you are now narrowing the windows?
maybe grpcio-tools & setuptools (are we usin gthis?) can be moved to dependencies
cc @manishdait

[manishdait]

setuptools is needed we do use them because pdm-backend relies on it to resolve to dynamic = ["version"], for grpcio-tools, I'll verify if the build passes without it and drop a comment

[manishdait]

Hi @Abhijeet2409, can you update this to uv sync --frozen --all-groups --all-packages --all-extras same for rest