[Security] Add pip cooldown (2-day age gate) to CI workflows

SeanMeyer · claude · SeanMeyer · commit bc8ad5b5d2fe · 2026-04-01T20:16:15.000Z
Every CI job now computes a 2-day-old cutoff timestamp and passes
--uploaded-prior-to to all pip install commands. This refuses any
PyPI package published less than 2 days ago, blocking freshly-
published malicious versions from entering CI builds.

Workflows updated:
- reusable-python-test.yml (unit tests)
- reusable-integration-test.yml (integration tests)
- reusable-examples.yml (example checks)
- reusable-pre-commit.yml (pre-commit hooks)
- docs.yml (documentation build)
- publish.yml (release publishing)

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -27,11 +27,14 @@ jobs:
           python-version: "3.11"
           cache: "pip"
 
+      - name: Set pip cooldown (2 days)
+        run: echo "PIP_UPLOADED_PRIOR_TO=$(date -u -d '2 days ago' +%Y-%m-%dT%H:%M:%SZ)" >> $GITHUB_ENV
+
       - name: Upgrade Python packaging tools
-        run: pip install --disable-pip-version-check --upgrade pip setuptools wheel
+        run: pip install --disable-pip-version-check --uploaded-prior-to "$PIP_UPLOADED_PRIOR_TO" --upgrade pip setuptools wheel
 
       - name: Install tox
-        run: pip install tox
+        run: pip install --uploaded-prior-to "$PIP_UPLOADED_PRIOR_TO" tox
 
       - name: set SPHINX_VERSION
         run: |
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -28,6 +28,9 @@ jobs:
           python-version: "3.11"
           cache: "pip"
 
+      - name: Set pip cooldown (2 days)
+        run: echo "PIP_UPLOADED_PRIOR_TO=$(date -u -d '2 days ago' +%Y-%m-%dT%H:%M:%SZ)" >> $GITHUB_ENV
+
       - name: Releasing tag ${{ github.event.release.tag_name }}
         run: |
           # Get tag name from event
@@ -38,7 +41,7 @@ jobs:
           fi
 
           # Install pypa/build
-          python -m pip install build --user
+          python -m pip install --uploaded-prior-to "$PIP_UPLOADED_PRIOR_TO" build --user
 
           # Build a binary wheel and a source tarball
           python -m build --sdist --wheel --outdir dist/ .
diff --git a/.github/workflows/reusable-examples.yml b/.github/workflows/reusable-examples.yml
@@ -32,12 +32,14 @@ jobs:
         with:
           python-version: ${{ inputs.python-version }}
           cache: "pip"
+      - name: Set pip cooldown (2 days)
+        run: echo "PIP_UPLOADED_PRIOR_TO=$(date -u -d '2 days ago' +%Y-%m-%dT%H:%M:%SZ)" >> $GITHUB_ENV
       - name: Upgrade pip
         run: |
-          python -m pip install --upgrade pip
-          pip install --upgrade wheel setuptools build
+          python -m pip install --uploaded-prior-to "$PIP_UPLOADED_PRIOR_TO" --upgrade pip
+          pip install --uploaded-prior-to "$PIP_UPLOADED_PRIOR_TO" --upgrade wheel setuptools build
       - name: Install
-        run: pip install --disable-pip-version-check pyflakes
+        run: pip install --disable-pip-version-check --uploaded-prior-to "$PIP_UPLOADED_PRIOR_TO" pyflakes
       - name: Check examples
         run: ${{ inputs.examples-script }}
         shell: bash
diff --git a/.github/workflows/reusable-integration-test.yml b/.github/workflows/reusable-integration-test.yml
@@ -108,12 +108,14 @@ jobs:
         with:
           python-version: "3.12"
           cache: "pip"
+      - name: Set pip cooldown (2 days)
+        run: echo "PIP_UPLOADED_PRIOR_TO=$(date -u -d '2 days ago' +%Y-%m-%dT%H:%M:%SZ)" >> $GITHUB_ENV
       - name: Upgrade pip
         run: |
-          python -m pip install --upgrade pip
-          pip install --upgrade wheel setuptools build
+          python -m pip install --uploaded-prior-to "$PIP_UPLOADED_PRIOR_TO" --upgrade pip
+          pip install --uploaded-prior-to "$PIP_UPLOADED_PRIOR_TO" --upgrade wheel setuptools build
       - name: Install
-        run: pip install --disable-pip-version-check -e .[apm,tests]
+        run: pip install --disable-pip-version-check --uploaded-prior-to "$PIP_UPLOADED_PRIOR_TO" -e .[apm,tests]
       - name: Test
         run: ./run-tests.sh
         shell: bash
diff --git a/.github/workflows/reusable-pre-commit.yml b/.github/workflows/reusable-pre-commit.yml
@@ -43,8 +43,10 @@ jobs:
       - uses: actions/setup-python@v4
         with:
           python-version: '3.11'
+      - name: Set pip cooldown (2 days)
+        run: echo "PIP_UPLOADED_PRIOR_TO=$(date -u -d '2 days ago' +%Y-%m-%dT%H:%M:%SZ)" >> $GITHUB_ENV
       - name: Install pre-commit
-        run: python -m pip install pre-commit
+        run: python -m pip install --uploaded-prior-to "$PIP_UPLOADED_PRIOR_TO" pre-commit
       - name: set PY
         run: echo "PY=$(python -c 'import platform;print(platform.python_version())')" >> $GITHUB_ENV
       - uses: actions/cache@v3
diff --git a/.github/workflows/reusable-python-test.yml b/.github/workflows/reusable-python-test.yml
@@ -48,12 +48,14 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
           cache: "pip"
+      - name: Set pip cooldown (2 days)
+        run: echo "PIP_UPLOADED_PRIOR_TO=$(date -u -d '2 days ago' +%Y-%m-%dT%H:%M:%SZ)" >> $GITHUB_ENV
       - name: Upgrade pip
         run: |
-          python -m pip install --upgrade pip
-          pip install --upgrade wheel setuptools build
+          python -m pip install --uploaded-prior-to "$PIP_UPLOADED_PRIOR_TO" --upgrade pip
+          pip install --uploaded-prior-to "$PIP_UPLOADED_PRIOR_TO" --upgrade wheel setuptools build
       - name: Install
-        run: pip install --disable-pip-version-check -e .[tests]
+        run: pip install --disable-pip-version-check --uploaded-prior-to "$PIP_UPLOADED_PRIOR_TO" -e .[tests]
       - name: Test
         run: ./run-tests.sh
         shell: bash
