
Commit cfd5f47

ci: pin sfw uv sync to the locked dependency set on Dependabot review
`sfw uv sync` is the intended way to route uv through Socket Firewall (per Socket's own uv-wrapper guidance), so the python-sfw-smoke job was already exercising the firewall -- uv's integration is just quieter than npm/pip (no "N packages fetched" footer), which made it look like a no-op. Add `--locked` so the check verifies the exact uv.lock set and fails on lockfile drift instead of silently re-resolving to newer versions than the PR locked. This makes the firewall inspect precisely what would be installed and aligns with the deterministic-verification guidance for uv-based repos.

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
1 parent 5bde67f commit cfd5f47

1 file changed

Lines changed: 7 additions & 1 deletion

.github/workflows/dependabot-review.yml

@@ -109,7 +109,13 @@ jobs:
109109
run: python -m pip install --upgrade pip uv
110110

111111
- name: Sync project through Socket Firewall
112-
run: sfw uv sync --extra test --extra dev
112+
# `sfw uv sync` is the intended way to route uv through Socket Firewall
113+
# (per Socket's own uv wrapper guidance). --locked verifies the exact
114+
# uv.lock set and fails on lockfile drift rather than silently
115+
# re-resolving, so the firewall inspects precisely what would install.
116+
# Note: uv's sfw integration is quieter than npm/pip -- it does not
117+
# print the "N packages fetched" footer, but interception is active.
118+
run: sfw uv sync --locked --extra test --extra dev
113119

114120
- name: Import smoke test
115121
run: |
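Review bot: the `--locked` check is only as deterministic as the uv binary running it, and the preceding context line `run: python -m pip install --upgrade pip uv` installs whatever uv release is current at job time, so a uv upgrade that changes lockfile handling can flip this step between pass and fail with no change to the PR; consider pinning uv in that install step (e.g. `uv==<pinned-version>`, value to be chosen by the maintainers) alongside the new `--locked` flag. The added comment block could also state the concrete failure maintainers will see: with `--locked`, a Dependabot PR that bumps pyproject.toml without regenerating uv.lock fails here rather than being re-resolved, which is the intended "fails on lockfile drift" behaviour the comment describes.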
