Skip to content

build: add pip supply-chain hardening to CI workflows#2

Open
julian-risch wants to merge 1 commit into
mainfrom
build/supply-chain-hardening
Open

build: add pip supply-chain hardening to CI workflows#2
julian-risch wants to merge 1 commit into
mainfrom
build/supply-chain-hardening

Conversation

@julian-risch
Copy link
Copy Markdown
Member

@julian-risch julian-risch commented May 21, 2026

Related Issues

Proposed Changes:

  • In .github/workflows/test.yml and .github/workflows/release.yml, upgrade pip and pass --uploaded-prior-to=P1D (pip 26.1 relative duration) to the pip install hatch step. This skips packages published within the last 24 hours, mitigating the short-window exposure window seen in recent PyPI compromises (e.g. mistralai 2.4.6, uploaded and removed within ~3 hours).

How did you test it?

Notes for the reviewer

Checklist

  • I've used one of the conventional commit types for my PR title: fix:, feat:, build:, chore:, ci:, docs:, style:, refactor:, perf:, test:.

@julian-risch @claude
build: add pip supply-chain hardening to CI workflows
b52592f 
Upgrade pip and pass --uploaded-prior-to=P1D to the hatch install
step in both test.yml and release.yml. This skips packages published
within the last 24 hours, mitigating the short-window exposure seen
in recent PyPI compromises. Mirrors the pattern applied across
deepset-ai/haystack-core-integrations in
deepset-ai/haystack-core-integrations#3258.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@julian-risch