chore: add uv supply-chain hardening and enforce locked installs

- Set exclude-newer to 3 days and only-binary/:all: in pyproject.toml to limit dependency freshness window and block source builds - Switch uv sync to --locked in Makefile, ci.yml, and deploy-website.yml to enforce the lockfile rather than re-resolving on each install - Regenerate uv.lock with exclude-newer snapshot recorded Co-Authored-By: Claude <noreply@anthropic.com>
2026-05-07 08:20:21 -05:00 · 2026-04-22 02:21:48 +08:00
parent 99d883c00d
commit 0bf9522e5d
5 changed files with 14 additions and 3 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -24,7 +24,7 @@ jobs:
          enable-cache: true

      - name: Install dependencies
-        run: uv sync --group build
+        run: uv sync --group build --locked

      - name: Run tests
        run: make test
--- a/.github/workflows/deploy-website.yml
+++ b/.github/workflows/deploy-website.yml
@@ -31,7 +31,7 @@ jobs:
          enable-cache: true

      - name: Install dependencies
-        run: uv sync --group build
+        run: uv sync --group build --locked

      - name: Run tests
        if: github.event_name == 'schedule'
--- a/2
+++ b/2
@@ -2,7 +2,7 @@
 export

 install:
-	uv sync
+	uv sync --locked

 fetch_github_stars:
 	uv run python website/fetch_github_stars.py
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -29,3 +29,10 @@ pythonpath = ["website"]

 [tool.ruff]
 line-length = 200
+
+[tool.uv]
+exclude-newer = "3 days"
+no-build = true
+
+[tool.uv.pip]
+only-binary = [":all:"]
--- a/uv.lock
+++ b/uv.lock
@@ -2,6 +2,10 @@ version = 1
 revision = 3
 requires-python = ">=3.13"

+[options]
+exclude-newer = "2026-04-18T18:21:23.412234Z"
+exclude-newer-span = "P3D"
+
 [[package]]
 name = "anyio"
 version = "4.12.1"