chore: switch to Renovate and pin uv image

.github/workflows/docker-publish.yml

@@ -197,7 +197,7 @@ jobs:
       # Vulnerability scanning
       - name: Run Trivy vulnerability scanner
         if: "!(github.event_name == 'schedule' && steps.get-version.outputs.skip == 'true')"
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
+        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
         with:
           image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.image-tag.outputs.tag }}
           format: "sarif"

.release-please-manifest.json

@@ -1,3 +1,3 @@
 {
-  ".": "0.2.10"
+  ".": "0.2.11"
 }

AGENTS.md

@@ -254,6 +254,7 @@ Example: `fix(charts): prevent crash when no data points available`
 2. release-please creates/updates a "Release PR" with:
    - Updated `CHANGELOG.md`
    - Updated version in `src/meshmon/__init__.py`
+   - Updated `uv.lock` (project version entry)
 3. When the Release PR is merged:
    - A GitHub Release is created
    - A git tag (e.g., `v0.2.0`) is created
@@ -368,7 +369,7 @@ Jobs configured in `docker/ofelia.ini`:
 
 **Nightly rebuilds** ensure version tags always include the latest OS security patches. This is a common pattern used by official Docker images (nginx, postgres, node). Users needing reproducibility should pin by SHA digest or use dated nightly tags.
 
-All GitHub Actions are pinned by full SHA for security. Dependabot can be configured to update these automatically.
+All GitHub Actions are pinned by full SHA for security. Renovate is configured in `renovate.json` to update dependencies and maintain lockfiles.
 
 The test and lint workflow (`.github/workflows/test.yml`) installs dependencies with uv (`uv sync --locked --extra dev`) and runs commands via `uv run`, using `uv.lock` as the source of truth.
 

CHANGELOG.md

@@ -4,6 +4,18 @@ All notable changes to this project will be documented in this file.
 
 This changelog is automatically generated by [release-please](https://github.com/googleapis/release-please) based on [Conventional Commits](https://www.conventionalcommits.org/).
 
+## [0.2.11](https://github.com/jorijn/meshcore-stats/compare/v0.2.10...v0.2.11) (2026-01-08)
+
+
+### Bug Fixes
+
+* **docker:** skip project install in uv sync ([#35](https://github.com/jorijn/meshcore-stats/issues/35)) ([26d5125](https://github.com/jorijn/meshcore-stats/commit/26d5125e15a78fd7b3fddd09292b4aff6efd23b7))
+
+
+### Miscellaneous Chores
+
+* **release:** track uv.lock in release-please ([#33](https://github.com/jorijn/meshcore-stats/issues/33)) ([fb627fd](https://github.com/jorijn/meshcore-stats/commit/fb627fdacd1b58d0c8fc10b8d3d8738a1bdce799))
+
 ## [0.2.10](https://github.com/jorijn/meshcore-stats/compare/v0.2.9...v0.2.10) (2026-01-08)
 
 

Dockerfile

@@ -1,3 +1,8 @@
+# =============================================================================
+# Stage 0: uv binary
+# =============================================================================
+FROM ghcr.io/astral-sh/uv:0.9.9@sha256:f6e3549ed287fee0ddde2460a2a74a2d74366f84b04aaa34c1f19fec40da8652 AS uv
+
 # =============================================================================
 # Stage 1: Build dependencies
 # =============================================================================
@@ -37,10 +42,13 @@ RUN python -m venv /opt/venv
 ENV PATH="/opt/venv/bin:$PATH" \
     UV_PROJECT_ENVIRONMENT=/opt/venv
 
+# Copy uv binary from pinned image
+COPY --from=uv /uv /usr/local/bin/uv
+
 # Install Python dependencies
 COPY pyproject.toml uv.lock ./
-RUN pip install --no-cache-dir --upgrade pip uv && \
-    uv sync --frozen --no-dev
+RUN pip install --no-cache-dir --upgrade pip && \
+    uv sync --frozen --no-dev --no-install-project
 
 # =============================================================================
 # Stage 2: Runtime

docker-compose.yml

@@ -15,7 +15,7 @@ services:
   # MeshCore Stats - Data collection and rendering
   # ==========================================================================
   meshcore-stats:
-    image: ghcr.io/jorijn/meshcore-stats:0.2.10 # x-release-please-version
+    image: ghcr.io/jorijn/meshcore-stats:0.2.11 # x-release-please-version
     container_name: meshcore-stats
     restart: unless-stopped
 

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "meshcore-stats"
-version = "0.2.10"
+version = "0.2.11"
 description = "MeshCore LoRa mesh network monitoring and statistics"
 readme = "README.md"
 requires-python = ">=3.11"

release-please-config.json

@@ -14,6 +14,11 @@
           "type": "generic",
           "path": "docker-compose.yml",
           "glob": false
+        },
+        {
+          "jsonpath": "$.package[?(@.name.value=='meshcore-stats')].version",
+          "path": "uv.lock",
+          "type": "toml"
         }
       ],
       "changelog-sections": [

renovate.json

@@ -0,0 +1,10 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ],
+  "lockFileMaintenance": {
+    "enabled": true
+  },
+  "dependencyDashboard": true
+}

src/meshmon/__init__.py

@@ -1,3 +1,3 @@
 """MeshCore network monitoring library."""
 
-__version__ = "0.2.10"  # x-release-please-version
+__version__ = "0.2.11"  # x-release-please-version

uv.lock

@@ -752,7 +752,7 @@ wheels = [
 
 [[package]]
 name = "meshcore-stats"
-version = "0.2.10"
+version = "0.2.11"
 source = { editable = "." }
 dependencies = [
     { name = "jinja2" },