
fix(uv): grapher not preferring lockfile #14518

Merged
jakecoffman merged 1 commit into main from fix-uv-manifest-file
Mar 23, 2026

jakecoffman (Member) commented Mar 23, 2026

What are you trying to accomplish?

Dependabot must match Dependency Graph behavior and prefer the lockfile over the manifest. It was already parsing the lockfile; we just needed to return it in this method as well.

Anything you want to highlight for special attention from reviewers?

Pretty straightforward.

How will you know you've accomplished your goal?

I was expecting to see the uv smoke test failing due to this change but looks like uv's smoke tests were never set up. I will create a PR for that afterwards.

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.

jakecoffman changed the title from "fix UV grapher not preferring lockfile" to "fix(uv): grapher not preferring lockfile" Mar 23, 2026
jakecoffman marked this pull request as ready for review March 23, 2026 19:30
jakecoffman requested a review from a team as a code owner March 23, 2026 19:30
Copilot AI review requested due to automatic review settings March 23, 2026 19:30
Ahmed3lmallah (Contributor) left a comment

👍

Copilot AI (Contributor) left a comment

Pull request overview

Updates the UV dependency grapher to align with GitHub Dependency Graph conventions by preferring uv.lock over pyproject.toml when selecting the “relevant” dependency file for dependency snapshot submissions.

Changes:

  • Update Dependabot::Uv::DependencyGrapher#relevant_dependency_file to return uv.lock when present, otherwise fall back to pyproject.toml.
  • Expand the UV dependency grapher spec to cover both lockfile-present and lockfile-absent scenarios.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| uv/lib/dependabot/uv/dependency_grapher.rb | Prefer uv.lock as the relevant dependency file, with a clear error if neither file exists. |
| uv/spec/dependabot/uv/dependency_grapher_spec.rb | Add coverage asserting uv.lock is preferred when present, otherwise pyproject.toml is used. |
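
The lockfile-first selection described in the review above, as an added Ruby example that is not Dependabot's code and not part of this pull request. `DepFile`, `relevant_file`, `locked_versions`, `direct_requirements` and `snapshot` are hypothetical names, both sample files are constructed, and the regex reader assumes the `[[package]]` layout of `uv.lock` rather than parsing TOML in full. It shows what the preference changes for a dependency snapshot: the lockfile yields pinned versions including the transitive `certifi`, while the manifest yields only the declared range.

```ruby
# Added illustration, not Dependabot's code; every name here is hypothetical.
DepFile = Struct.new(:name, :content)

# Constructed sample files.
PYPROJECT = DepFile.new("pyproject.toml", <<~TOML)
  [project]
  name = "demo"
  dependencies = ["requests>=2.31"]
TOML

UV_LOCK = DepFile.new("uv.lock", <<~TOML)
  version = 1

  [[package]]
  name = "certifi"
  version = "2024.8.30"

  [[package]]
  name = "requests"
  version = "2.32.3"
  dependencies = [
      { name = "certifi" },
  ]
TOML

# Prefer the lockfile, fall back to the manifest, fail loudly if neither exists.
def relevant_file(files)
  files.find { |f| f.name == "uv.lock" } ||
    files.find { |f| f.name == "pyproject.toml" } ||
    raise(ArgumentError, "no uv.lock or pyproject.toml found")
end

# Reads only name/version from each [[package]] table (not a full TOML parser).
def locked_versions(lock)
  lock.content.split("[[package]]").drop(1).to_h do |block|
    [block[/^name = "([^"]+)"/, 1], block[/^version = "([^"]+)"/, 1]]
  end
end

# Direct requirement specifiers declared in the manifest.
def direct_requirements(manifest)
  manifest.content[/^dependencies = \[(.*?)\]/m, 1].to_s.scan(/"([^"]+)"/).flatten
end

def snapshot(files)
  file = relevant_file(files)
  deps = file.name == "uv.lock" ? locked_versions(file) : direct_requirements(file)
  { file: file.name, dependencies: deps }
end
```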

jakecoffman merged commit 8341dc1 into main Mar 23, 2026
86 of 88 checks passed
jakecoffman deleted the fix-uv-manifest-file branch March 23, 2026 19:52