ci: Update uv.lock on release-please PRs

[aborgna-q]

uv 0.6.6 adds a hard error when the version of the package in uv.lock does not match the one declared in the editable wheel: astral-sh/uv#12235.

release-please doesn't update the lock files automatically, so release PRs needed a manual lock update.
This PR adds the lockfile as an extra-file, to avoid this manual step.

Note that the jsonpath in the config is not technically correct, as release-please's json array filters don't quite work for toml files. See googleapis/release-please#2455, which includes this hacky workaround.

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 93.19%. Comparing base (37b8b80) to head (e0e813c).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #870   +/-   ##
=======================================
  Coverage   93.19%   93.19%           
=======================================
  Files          74       74           
  Lines        8786     8786           
=======================================
  Hits         8188     8188           
  Misses        598      598           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[ss2165]

pls wait for release before merging (I know it shouldn't matter but paranoia)

[konstin]

I wasn't expecting astral-sh/uv#12235 to break any existing workflows or require manual edits to uv.lock, do you mind sharing what your release workflow is / how this PR broke it?

[aborgna-q]

@konstin Hi! Sorry for the noisy back-links.

The workflow here is running googleapis/release-please to automatically create release PRs with including changelog entries and bumped package versions.

The version update logic is quite simple, and manually edits the version in a couple pre-determined places (pyproject.toml, package.__version__, etc.) but does not include uv.lock. This seems similar to the issue with dependabot mentioned in your PR.

I rolled back this change in a fork and updated uv to show the error.
See this automatically-generated release PR: aborgna-q#4
And failing CI check.

Note that the check workflow only fails if we run uv with --locked. We instead use --frozen in some places, and that doesn't raise issues.