fix(dependency-review): use runner Python, forbid uv interpreter download

.python-version pins 3.12.7; setup-python provides 3.12.13, so `uv sync`
tried to download the exact managed CPython from GitHub, which Socket
Firewall's TLS interception blocked (UnknownIssuer). Set UV_PYTHON=3.12 +
UV_PYTHON_DOWNLOADS=never so uv uses the runner interpreter and only PyPI
package fetches route through sfw.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Author: lelia

.github/workflows/dependency-review.yml

@@ -136,6 +136,14 @@ jobs:
         # re-resolving, so the firewall inspects precisely what would install.
         # Note: uv's sfw integration is quieter than npm/pip -- it does not
         # print the "N packages fetched" footer, but interception is active.
+        #
+        # Use the runner's setup-python interpreter and forbid managed-Python
+        # downloads: .python-version pins an exact patch (3.12.7) that uv would
+        # otherwise fetch from GitHub, which the firewall's TLS interception
+        # blocks. The firewall is here to vet PyPI installs, not the toolchain.
+        env:
+          UV_PYTHON: "3.12"
+          UV_PYTHON_DOWNLOADS: never
         run: sfw uv sync --locked --extra test --extra dev
 
       - name: Import smoke test