Skip to content

build: add pip supply-chain hardening to CI workflows#2

Merged
julian-risch merged 1 commit into
mainfrom
build/supply-chain-hardening
May 22, 2026
Merged

build: add pip supply-chain hardening to CI workflows#2
julian-risch merged 1 commit into
mainfrom
build/supply-chain-hardening

Conversation

@julian-risch
Copy link
Copy Markdown
Member

@julian-risch julian-risch commented May 21, 2026

Related Issues

Proposed Changes:

  • In .github/workflows/test.yml and .github/workflows/release.yml, upgrade pip and pass --uploaded-prior-to=P1D (pip 26.1 relative duration) to the pip install hatch step. This skips packages published within the last 24 hours, mitigating the short-window exposure window seen in recent PyPI compromises (e.g. mistralai 2.4.6, uploaded and removed within ~3 hours).

How did you test it?

Notes for the reviewer

Checklist

  • I've used one of the conventional commit types for my PR title: fix:, feat:, build:, chore:, ci:, docs:, style:, refactor:, perf:, test:.

@julian-risch @claude
build: add pip supply-chain hardening to CI workflows
b52592f 
Upgrade pip and pass --uploaded-prior-to=P1D to the hatch install
step in both test.yml and release.yml. This skips packages published
within the last 24 hours, mitigating the short-window exposure seen
in recent PyPI compromises. Mirrors the pattern applied across
deepset-ai/haystack-core-integrations in
deepset-ai/haystack-core-integrations#3258.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@julian-risch julian-risch merged commit fc9a6f7 into main May 22, 2026
2 checks passed
@julian-risch julian-risch deleted the build/supply-chain-hardening branch May 22, 2026 09:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@julian-risch