From 0bf9522e5d90a20d94e567e80141d6dfc250bff6 Mon Sep 17 00:00:00 2001
From: Vinta Chen
Date: Wed, 22 Apr 2026 02:21:48 +0800
Subject: [PATCH] chore: add uv supply-chain hardening and enforce locked installs

- Set exclude-newer to 3 days and only-binary/:all: in pyproject.toml to limit dependency freshness window and block source builds
- Switch uv sync to --locked in Makefile, ci.yml, and deploy-website.yml to enforce the lockfile rather than re-resolving on each install
- Regenerate uv.lock with exclude-newer snapshot recorded

Co-Authored-By: Claude
---
 .github/workflows/ci.yml | 2 +-
 .github/workflows/deploy-website.yml | 2 +-
 Makefile | 2 +-
 pyproject.toml | 7 +++++++
 uv.lock | 4 ++++
 5 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f9ba0284..02898b64 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -24,7 +24,7 @@ jobs:
 enable-cache: true

 - name: Install dependencies
- run: uv sync --group build
+ run: uv sync --group build --locked

 - name: Run tests
 run: make test
diff --git a/.github/workflows/deploy-website.yml b/.github/workflows/deploy-website.yml
index 8105c3cc..dd748bb5 100644
--- a/.github/workflows/deploy-website.yml
+++ b/.github/workflows/deploy-website.yml
@@ -31,7 +31,7 @@ jobs:
 enable-cache: true

 - name: Install dependencies
- run: uv sync --group build
+ run: uv sync --group build --locked

 - name: Run tests
 if: github.event_name == 'schedule'
diff --git a/Makefile b/Makefile
index 8a0905f4..5b782549 100644
--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,7 @@ export
 install:
- uv sync
+ uv sync --locked
 fetch_github_stars:
 uv run python website/fetch_github_stars.py
diff --git a/pyproject.toml b/pyproject.toml
index 19abd760..06e008be 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -29,3 +29,10 @@ pythonpath = ["website"]

 [tool.ruff]
 line-length = 200
+
+[tool.uv]
+exclude-newer = "3 days"
+no-build = true
+
+[tool.uv.pip]
+only-binary = [":all:"]
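Review bot: `--locked` on the `uv sync` line guards only that one install; the very next step, `run: make test`, goes through the Makefile, and any `uv run ...` recipe there (the hunk for Makefile shows `uv run python website/fetch_github_stars.py` without the flag) performs uv's default project sync, which can re-resolve and rewrite uv.lock if pyproject.toml has drifted, so the enforcement is bypassable by any step that uses `uv run`. Setting the policy once at job level closes that gap: an `env:` block on the job with `UV_LOCKED: "1"` (uv reads `UV_LOCKED` as the equivalent of `--locked`, if I recall correctly — confirm for the uv version the setup step pins). The explicit flag can stay, ideally with a why-comment such as `# --locked: fail fast if uv.lock is stale instead of silently re-resolving`. The job definition and its `env:` location are above this hunk, and the identical situation applies to the deploy-website.yml hunk.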
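Review bot: Only the `install` target was given `--locked`; the `fetch_github_stars` target in the same hunk still runs bare `uv run python website/fetch_github_stars.py`, which syncs the project with uv's default behaviour and can therefore update uv.lock when pyproject.toml changes, undoing the guarantee the commit sets out to establish. Because the Makefile starts with a bare `export` (visible in the hunk trailer), every make variable is passed into recipes, so a single `UV_LOCKED = 1` near the top would apply the locked policy to all uv invocations without touching each recipe — assuming uv honours `UV_LOCKED` in the pinned version, which I have not verified here. A short comment on that line, e.g. `# Every uv command below must honour uv.lock; never re-resolve implicitly`, would explain the intent to contributors who hit the resulting "lockfile out of date" error after editing pyproject.toml.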
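Review bot: The `[tool.uv.pip] only-binary = [":all:"]` entry applies only to the `uv pip ...` compatibility interface; for `uv lock`/`uv sync`, which is what the Makefile and both workflows call, the setting that actually blocks source builds is the `no-build = true` line above it, so the commit message's claim that `only-binary` blocks source builds holds for the pip path only. None of the three keys is self-explanatory and each deserves a why-comment: above `exclude-newer`, `# Ignore distributions published in the last 3 days so a freshly uploaded (possibly hijacked) release cannot enter a resolution`; above `no-build`, `# Wheels only: never execute an sdist build backend during lock/sync`; above `only-binary`, `# Same policy for the uv-pip interface; has no effect on uv sync`. One caveat belongs next to `exclude-newer`: it is a relative span, and the regenerated uv.lock records both an absolute timestamp and `exclude-newer-span = "P3D"`; please confirm that `uv sync --locked` reuses the recorded timestamp rather than re-deriving now-minus-3-days, otherwise CI would start reporting a stale lockfile three days after every `uv lock`. `no-build = true` also means a dependency with no wheel for the CI platform fails the install instead of building — intended, but worth stating in the comment so the failure mode is not mistaken for a bug.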
diff --git a/uv.lock b/uv.lock
index ab136dee..88d2b273 100644
--- a/uv.lock
+++ b/uv.lock
@@ -2,6 +2,10 @@ version = 1
 revision = 3
 requires-python = ">=3.13"

+[options]
+exclude-newer = "2026-04-18T18:21:23.412234Z"
+exclude-newer-span = "P3D"
+
 [[package]]
 name = "anyio"
 version = "4.12.1"