fix(container): bump uv to 0.11.22, remove uv/uvx from runtime#198

Open
SudipSinha wants to merge 1 commit into main from fix/container-uv-cve-GHSA-4gg8

@SudipSinha SudipSinha commented Jun 19, 2026

Summary

  • Bumps uv from 0.11.1 to 0.11.22 in the Containerfile builder stage (fix version: 0.11.15)
  • Explicitly removes uv/uvx binaries from the builder's bin/ directory before copying to the runtime stage — they are not needed at runtime and their presence unnecessarily expands the attack surface

Security

Resolves GHSA-4gg8-gxpx-9rph — arbitrary file write through entry point names in uv < 0.11.15.

Test plan

  • Container builds successfully: podman build -t trustyai:test --build-arg EXTRAS="mariadb,protobuf,eval" .
  • Verify uv/uvx are absent from runtime: podman run --rm trustyai:test ls -la /opt/app-root/bin/ | grep -E 'uv$|uvx$' should return nothing
  • Service starts normally in the container

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated Python build tooling to a newer version, enhancing build reliability and consistency.

Resolves GHSA-4gg8-gxpx-9rph (arbitrary file write through entry point
names) by upgrading uv from 0.11.1 to 0.11.22 (fix version: 0.11.15).

Also explicitly removes uv/uvx binaries from the builder's bin directory
before copying to the runtime stage, since they are not needed at runtime
and their presence unnecessarily expands the attack surface.

Signed-off-by: Sudip Sinha <Sudip.Sinha@RedHat.com>
@SudipSinha SudipSinha self-assigned this Jun 19, 2026
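
The two checks in the test plan can be scripted as a CI gate. This is an added example, not code from this PR or the project: it compares a Containerfile's `uv==` pin numerically against the stated fix version 0.11.15 and matches the exact file names `uv` and `uvx` in a bin listing. The sample Containerfile line, the listing and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the PR). FIXED_UV is the fix version the PR states.
FIXED_UV="0.11.15"

# version_ge A B: succeed when dotted version A >= B, comparing each field
# numerically (a string compare would rank 0.11.9 above 0.11.15).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# uv_pins FILE: print every version pinned as uv==X.Y.Z in FILE.
# The leading guard keeps names that merely end in "uv" from matching.
uv_pins() {
  grep -oE '(^|[^A-Za-z0-9_.-])uv==[0-9]+(\.[0-9]+)*' "$1" | sed 's/.*uv==//'
}

# check_uv_pin FILE: 0 if every pin >= FIXED_UV, 1 if one is older, 2 if none.
check_uv_pin() {
  pins=$(uv_pins "$1")
  [ -n "$pins" ] || { echo "no uv== pin in $1" >&2; return 2; }
  for v in $pins; do
    version_ge "$v" "$FIXED_UV" || { echo "uv==$v < $FIXED_UV" >&2; return 1; }
  done
}

# leftover_uv: read file names (one per line, e.g. from `ls -1A` of the
# runtime bin directory) and print those that are exactly uv or uvx.
leftover_uv() {
  grep -xE 'uv|uvx' || true
}

# Constructed sample: a builder-stage line with the pin named in the PR.
sample=$(mktemp)
printf 'RUN pip install --no-cache-dir uv==0.11.22\n' > "$sample"
check_uv_pin "$sample" && echo "uv pin OK"
# Constructed listing of a runtime bin directory without uv/uvx.
[ -z "$(printf 'python3\npip\nuvicorn\n' | leftover_uv)" ] && echo "no uv/uvx in runtime"
rm -f "$sample"
```

Against a built image, the listing would come from `podman run --rm trustyai:test ls -1A /opt/app-root/bin/` piped into `leftover_uv`.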

coderabbitai Bot commented Jun 19, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 659bdf18-a5cc-436c-aaa7-77630c57fb0b

📥 Commits

Reviewing files that changed from the base of the PR and between eeca7e6 and 7787ff7.

📒 Files selected for processing (1)
  • Containerfile

📝 Walkthrough

The Containerfile builder stage's RUN pip install command is updated to pin uv at version 0.11.22 instead of 0.11.1. All other steps — pip upgrade, dependency installation via uv pip, uv uninstall, and binary cleanup — remain unchanged.

uv Version Bump

| Layer / File(s) | Summary |
|---|---|
| uv version pin in builder stage (Containerfile) | The RUN command in the builder stage changes uv==0.11.1 to uv==0.11.22; the surrounding install/uninstall and cleanup steps are unmodified. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

A tiny version bump, a hop and a skip,
From 0.11.1 to .22 on this trip,
The rabbit checks the Containerfile with care,
New uv installed, old bits gone from there,
🐇 One line changed, the burrow is bright and fair!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically summarizes the main changes: bumping uv to a security patch version and removing uv/uvx binaries from the runtime image. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@SudipSinha SudipSinha added the dependencies, ok-to-test and security labels Jun 19, 2026
@github-actions

PR image build and manifest generation completed successfully!

📦 PR image: quay.io/trustyai/trustyai-service-python-ci:7787ff78d3c20a0e9389520162335ee1078df401

🗂️ CI manifests

devFlags:
  manifests:
    - contextDir: config
      sourcePath: ''
      uri: https://api.github.com/repos/trustyai-explainability/trustyai-service-operator-ci/tarball/service-python-7787ff78d3c20a0e9389520162335ee1078df401

@SudipSinha SudipSinha marked this pull request as ready for review June 19, 2026 12:54