From b52592f0b328e536298b3105cba9422df403bad1 Mon Sep 17 00:00:00 2001
From: Julian Risch
Date: Thu, 21 May 2026 13:58:31 +0200
Subject: [PATCH] build: add pip supply-chain hardening to CI workflows

Upgrade pip and pass --uploaded-prior-to=P1D to the hatch install step in both test.yml and release.yml. This skips packages published within the last 24 hours, mitigating the short-window exposure seen in recent PyPI compromises. Mirrors the pattern applied across deepset-ai/haystack-core-integrations in https://github.com/deepset-ai/haystack-core-integrations/pull/3258.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/release.yml | 4 +++-
 .github/workflows/test.yml | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7596153..5c16f97 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -24,7 +24,9 @@ jobs:
           python-version: "3.13"
 
       - name: Install Hatch
-        run: pip install hatch
+        run: |
+          python -m pip install --upgrade pip
+          pip install hatch --uploaded-prior-to=P1D
 
       - name: Build
         run: hatch build
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 1fa286d..b338f3a 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -36,7 +36,9 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       - name: Install Hatch
-        run: pip install hatch
+        run: |
+          python -m pip install --upgrade pip
+          pip install hatch --uploaded-prior-to=P1D
 
       - name: Lint
         if: matrix.python-version == '3.10' && runner.os == 'Linux'
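Review bot: The new install line in release.yml still pulls an unpinned `hatch`, and the `python -m pip install --upgrade pip` line just above it fetches whatever pip is newest at run time with no age filter at all, so in the job that builds the published artifact `--uploaded-prior-to=P1D` only narrows the exposure window rather than fixing what gets installed. Because this is the release path, I would pin and hash-check the tool install, e.g. `pip install --require-hashes -r <hash-pinned requirements file>` containing `hatch==<version>` with `--hash=sha256:...` entries (and the same for pip if it must be upgraded), and keep `--uploaded-prior-to=P1D` as defense in depth for anything resolved outside that file. I cannot tell from the hunk whether `hatch build` resolves `hatchling` and plugins through its own pip invocation that never sees this flag; if it does and inherits the job environment, a job-level `env:` entry `PIP_UPLOADED_PRIOR_TO: P1D` would extend the policy, since pip reads long options from `PIP_<UPPER_LONG_NAME>` variables. The `steps:` list continues outside the hunk on both sides.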
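Review bot: In test.yml the `--uploaded-prior-to=P1D` flag covers only the `pip install hatch` command; the project's own dependencies and test extras are presumably installed later by hatch-managed environments outside this hunk, and a flag on this one command line does not reach those installs. If hatch's internal installs inherit the job environment, the cheap way to apply the same policy to them is a job-level `env:` block with `PIP_UPLOADED_PRIOR_TO: P1D` beneath it, which pip honours for every invocation in the job, after which the command-line flag becomes redundant but harmless. The `python -m pip install --upgrade pip` line is itself an age-unfiltered install of the newest pip, which is unavoidable if, as the upgrade suggests, the flag needs a newer pip than the runner ships, but that trade-off deserves a comment in the step, e.g. `# upgrade first: --uploaded-prior-to needs a recent pip; this upgrade itself is unfiltered`. The `steps:` list continues outside the hunk on both sides.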