chore: add supply chain hardening via uv exclude-newer and pip cooldowns

- Add uv.toml with exclude-newer = "24 hours" so all uv pip installs
  skip packages published within the last day
- Add Dependabot cooldown (default-days: 1) for github-actions and pip
- Upgrade pip before each pip install step and add --uploaded-prior-to=P1D
  (pip 26.1 relative duration) to all direct pip install commands in CI

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: julian-risch

.github/dependabot.yml

@@ -4,3 +4,12 @@ updates:
     directory: '/'
     schedule:
       interval: 'daily'
+    cooldown:
+      default-days: 1
+
+  - package-ecosystem: 'pip'
+    directory: '/'
+    schedule:
+      interval: 'daily'
+    cooldown:
+      default-days: 1

.github/workflows/CI_check_api_ref.yml

@@ -81,7 +81,9 @@ jobs:
 
       - name: Install Hatch
         if: steps.changed.outputs.integrations != '[]'
-        run: pip install hatch
+        run: |
+          python -m pip install --upgrade pip
+          pip install hatch --uploaded-prior-to=P1D
 
       - name: Generate API references
         if: steps.changed.outputs.integrations != '[]'

.github/workflows/CI_coverage_comment.yml

@@ -15,6 +15,7 @@ on:
       - "Test / chroma"
       - "Test / cohere"
       - "Test / cometapi"
+      - "Test / db2"
       - "Test / deepeval"
       - "Test / dspy"
       - "Test / elasticsearch"

.github/workflows/CI_docusaurus_sync.yml

@@ -32,7 +32,9 @@ jobs:
           python-version: "3.10"
 
       - name: Install Hatch
-        run: pip install hatch
+        run: |
+          python -m pip install --upgrade pip
+          pip install hatch --uploaded-prior-to=P1D
 
       - name: Get project folder
         id: pathfinder

.github/workflows/CI_license_compliance.yml

@@ -53,7 +53,8 @@ jobs:
 
       - name: Get direct dependencies from pyproject.toml files
         run: |
-          pip install toml
+          python -m pip install --upgrade pip
+          pip install toml --uploaded-prior-to=P1D
 
           # Determine the list of pyproject.toml files to process
           if [ "${{ github.event_name }}" = "schedule" ] || [ "${{ steps.changed-files.outputs.workflow_any_changed }}" = "true" ]; then

.github/workflows/CI_pypi_release.yml

@@ -38,7 +38,9 @@ jobs:
           python-version: "3.12"
 
       - name: Install dependencies
-        run: pip install hatch requests
+        run: |
+          python -m pip install --upgrade pip
+          pip install hatch requests --uploaded-prior-to=P1D
 
       - name: Validate version number
         run: python .github/utils/validate_version.py --tag ${{ github.ref_name }}

.github/workflows/aimlapi.yml

@@ -75,7 +75,9 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       - name: Install Hatch
-        run: pip install hatch
+        run: |
+          python -m pip install --upgrade pip
+          pip install hatch --uploaded-prior-to=P1D
 
       - name: Lint
         if: matrix.python-version == '3.10' && runner.os == 'Linux'

.github/workflows/amazon_bedrock.yml

@@ -85,7 +85,9 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       - name: Install Hatch
-        run: pip install hatch
+        run: |
+          python -m pip install --upgrade pip
+          pip install hatch --uploaded-prior-to=P1D
 
       - name: Lint
         if: matrix.python-version == '3.10' && runner.os == 'Linux'

.github/workflows/amazon_sagemaker.yml

@@ -74,7 +74,9 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       - name: Install Hatch
-        run: pip install hatch
+        run: |
+          python -m pip install --upgrade pip
+          pip install hatch --uploaded-prior-to=P1D
 
       - name: Lint
         if: matrix.python-version == '3.10' && runner.os == 'Linux'

.github/workflows/anthropic.yml

@@ -75,7 +75,9 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       - name: Install Hatch
-        run: pip install hatch
+        run: |
+          python -m pip install --upgrade pip
+          pip install hatch --uploaded-prior-to=P1D
 
       - name: Lint
         if: matrix.python-version == '3.10' && runner.os == 'Linux'