build: add supply chain hardening via uv exclude-newer and pip uploaded-prior-to (#3258)

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: julian-risch

.github/dependabot.yml

@@ -4,3 +4,13 @@ updates:
     directory: '/'
     schedule:
       interval: 'daily'
+    cooldown:
+      default-days: 1
+
+  - package-ecosystem: 'pip'
+    directories:
+      - 'integrations/*'
+    schedule:
+      interval: 'daily'
+    cooldown:
+      default-days: 1

.github/workflows/CI_check_api_ref.yml

@@ -81,7 +81,9 @@ jobs:
 
       - name: Install Hatch
         if: steps.changed.outputs.integrations != '[]'
-        run: pip install hatch
+        run: |
+          python -m pip install --upgrade pip
+          pip install hatch --uploaded-prior-to=P1D
 
       - name: Generate API references
         if: steps.changed.outputs.integrations != '[]'

.github/workflows/CI_docusaurus_sync.yml

@@ -32,7 +32,9 @@ jobs:
           python-version: "3.10"
 
       - name: Install Hatch
-        run: pip install hatch
+        run: |
+          python -m pip install --upgrade pip
+          pip install hatch --uploaded-prior-to=P1D
 
       - name: Get project folder
         id: pathfinder

.github/workflows/CI_license_compliance.yml

@@ -53,7 +53,8 @@ jobs:
 
       - name: Get direct dependencies from pyproject.toml files
         run: |
-          pip install toml
+          python -m pip install --upgrade pip
+          pip install toml --uploaded-prior-to=P1D
 
           # Determine the list of pyproject.toml files to process
           if [ "${{ github.event_name }}" = "schedule" ] || [ "${{ steps.changed-files.outputs.workflow_any_changed }}" = "true" ]; then

.github/workflows/CI_pypi_release.yml

@@ -38,7 +38,9 @@ jobs:
           python-version: "3.12"
 
       - name: Install dependencies
-        run: pip install hatch requests
+        run: |
+          python -m pip install --upgrade pip
+          pip install hatch requests --uploaded-prior-to=P1D
 
       - name: Validate version number
         run: python .github/utils/validate_version.py --tag ${{ github.ref_name }}

.github/workflows/aimlapi.yml

@@ -75,7 +75,9 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       - name: Install Hatch
-        run: pip install hatch
+        run: |
+          python -m pip install --upgrade pip
+          pip install hatch --uploaded-prior-to=P1D
 
       - name: Lint
         if: matrix.python-version == '3.10' && runner.os == 'Linux'

.github/workflows/amazon_bedrock.yml

@@ -85,7 +85,9 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       - name: Install Hatch
-        run: pip install hatch
+        run: |
+          python -m pip install --upgrade pip
+          pip install hatch --uploaded-prior-to=P1D
 
       - name: Lint
         if: matrix.python-version == '3.10' && runner.os == 'Linux'

.github/workflows/amazon_sagemaker.yml

@@ -74,7 +74,9 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       - name: Install Hatch
-        run: pip install hatch
+        run: |
+          python -m pip install --upgrade pip
+          pip install hatch --uploaded-prior-to=P1D
 
       - name: Lint
         if: matrix.python-version == '3.10' && runner.os == 'Linux'

.github/workflows/anthropic.yml

@@ -75,7 +75,9 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       - name: Install Hatch
-        run: pip install hatch
+        run: |
+          python -m pip install --upgrade pip
+          pip install hatch --uploaded-prior-to=P1D
 
       - name: Lint
         if: matrix.python-version == '3.10' && runner.os == 'Linux'

.github/workflows/arcadedb.yml

@@ -80,7 +80,9 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       - name: Install Hatch
-        run: pip install hatch
+        run: |
+          python -m pip install --upgrade pip
+          pip install hatch --uploaded-prior-to=P1D
 
       - name: Lint
         if: matrix.python-version == '3.10' && runner.os == 'Linux'