[Security] Remove pip cooldown (requires pip 26.0+, breaks Python 3.8)

SeanMeyer · SeanMeyer · commit 741c0a5bb59f · 2026-04-01T20:57:53.000Z
The lockfile with SHA-256 hashes already provides supply-chain protection.
The --uploaded-prior-to flag requires pip 26.0+ which is not available on
runners, and Python 3.8 cannot use pip 26.0 at all.
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -27,14 +27,11 @@ jobs:
           python-version: "3.11"
           cache: "pip"
 
-      - name: Set pip cooldown (2 days)
-        run: echo "PIP_UPLOADED_PRIOR_TO=$(date -u -d '2 days ago' +%Y-%m-%dT%H:%M:%SZ)" >> $GITHUB_ENV
-
       - name: Upgrade Python packaging tools
-        run: pip install --disable-pip-version-check --uploaded-prior-to "$PIP_UPLOADED_PRIOR_TO" --upgrade pip setuptools wheel
+        run: pip install --disable-pip-version-check --upgrade pip setuptools wheel
 
       - name: Install tox
-        run: pip install --uploaded-prior-to "$PIP_UPLOADED_PRIOR_TO" tox
+        run: pip install tox
 
       - name: set SPHINX_VERSION
         run: |
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -28,9 +28,6 @@ jobs:
           python-version: "3.11"
           cache: "pip"
 
-      - name: Set pip cooldown (2 days)
-        run: echo "PIP_UPLOADED_PRIOR_TO=$(date -u -d '2 days ago' +%Y-%m-%dT%H:%M:%SZ)" >> $GITHUB_ENV
-
       - name: Releasing tag ${{ github.event.release.tag_name }}
         run: |
           # Get tag name from event
@@ -41,7 +38,7 @@ jobs:
           fi
 
           # Install pypa/build
-          python -m pip install --uploaded-prior-to "$PIP_UPLOADED_PRIOR_TO" build --user
+          python -m pip install build --user
 
           # Build a binary wheel and a source tarball
           python -m build --sdist --wheel --outdir dist/ .
diff --git a/.github/workflows/reusable-examples.yml b/.github/workflows/reusable-examples.yml
@@ -32,14 +32,12 @@ jobs:
         with:
           python-version: ${{ inputs.python-version }}
           cache: "pip"
-      - name: Set pip cooldown (2 days)
-        run: echo "PIP_UPLOADED_PRIOR_TO=$(date -u -d '2 days ago' +%Y-%m-%dT%H:%M:%SZ)" >> $GITHUB_ENV
       - name: Upgrade pip
         run: |
-          python -m pip install --uploaded-prior-to "$PIP_UPLOADED_PRIOR_TO" --upgrade pip
-          pip install --uploaded-prior-to "$PIP_UPLOADED_PRIOR_TO" --upgrade wheel setuptools build
+          python -m pip install --upgrade pip
+          pip install --upgrade wheel setuptools build
       - name: Install
-        run: pip install --disable-pip-version-check --uploaded-prior-to "$PIP_UPLOADED_PRIOR_TO" pyflakes
+        run: pip install --disable-pip-version-check pyflakes
       - name: Check examples
         run: ${{ inputs.examples-script }}
         shell: bash
diff --git a/.github/workflows/reusable-integration-test.yml b/.github/workflows/reusable-integration-test.yml
@@ -108,14 +108,12 @@ jobs:
         with:
           python-version: "3.12"
           cache: "pip"
-      - name: Set pip cooldown (2 days)
-        run: echo "PIP_UPLOADED_PRIOR_TO=$(date -u -d '2 days ago' +%Y-%m-%dT%H:%M:%SZ)" >> $GITHUB_ENV
       - name: Upgrade pip
         run: |
-          python -m pip install --uploaded-prior-to "$PIP_UPLOADED_PRIOR_TO" --upgrade pip
-          pip install --uploaded-prior-to "$PIP_UPLOADED_PRIOR_TO" --upgrade wheel setuptools build
+          python -m pip install --upgrade pip
+          pip install --upgrade wheel setuptools build
       - name: Install
-        run: pip install --disable-pip-version-check --uploaded-prior-to "$PIP_UPLOADED_PRIOR_TO" -e .[apm,tests]
+        run: pip install --disable-pip-version-check -e .[apm,tests]
       - name: Test
         run: ./run-tests.sh
         shell: bash
diff --git a/.github/workflows/reusable-pre-commit.yml b/.github/workflows/reusable-pre-commit.yml
@@ -43,10 +43,8 @@ jobs:
       - uses: actions/setup-python@v4
         with:
           python-version: '3.11'
-      - name: Set pip cooldown (2 days)
-        run: echo "PIP_UPLOADED_PRIOR_TO=$(date -u -d '2 days ago' +%Y-%m-%dT%H:%M:%SZ)" >> $GITHUB_ENV
       - name: Install pre-commit
-        run: python -m pip install --uploaded-prior-to "$PIP_UPLOADED_PRIOR_TO" pre-commit
+        run: python -m pip install pre-commit
       - name: set PY
         run: echo "PY=$(python -c 'import platform;print(platform.python_version())')" >> $GITHUB_ENV
       - uses: actions/cache@v3
diff --git a/.github/workflows/reusable-python-test.yml b/.github/workflows/reusable-python-test.yml
@@ -48,14 +48,12 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
           cache: "pip"
-      - name: Set pip cooldown (2 days)
-        run: echo "PIP_UPLOADED_PRIOR_TO=$(date -u -d '2 days ago' +%Y-%m-%dT%H:%M:%SZ)" >> $GITHUB_ENV
       - name: Upgrade pip
         run: |
-          python -m pip install --uploaded-prior-to "$PIP_UPLOADED_PRIOR_TO" --upgrade pip
-          pip install --uploaded-prior-to "$PIP_UPLOADED_PRIOR_TO" --upgrade wheel setuptools build
+          python -m pip install --upgrade pip
+          pip install --upgrade wheel setuptools build
       - name: Install
-        run: pip install --disable-pip-version-check --uploaded-prior-to "$PIP_UPLOADED_PRIOR_TO" -e .[tests]
+        run: pip install --disable-pip-version-check -e .[tests]
       - name: Test
         run: ./run-tests.sh
         shell: bash
