pytorch-lightning
0d6ad3e3 - ci: add 2-day package install cooldown (supply-chain guard) (1/n) (#21722)

Commit
20 days ago
ci: add 2-day package install cooldown (supply-chain guard) (1/n) (#21722)

* ci: add 2-day install cooldown via UV_EXCLUDE_NEWER / PIP_UPLOADED_PRIOR_TO

Workflow-level supply-chain guard: when CI installs Python packages, the resolver refuses any PyPI release published within the last 2 days. Catches typosquats and malicious uploads that get yanked within ~24h before they land in our CI image.

- uv-based workflows (ci-tests-*, code-checks, docs-build, _legacy-checkpoints): UV_EXCLUDE_NEWER="2 days". Requires uv >= 0.10.0; setup-uv@v7 pulls latest uv.
- pip-based workflows (ci-pkg-install, release-pkg, release-nightly): PIP_UPLOADED_PRIOR_TO="P2D" plus a pip-upgrade step. Requires pip >= 26.1.
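The following is an added example, not code from the Lightning commit, uv or pip: it emulates what a 2-day install cooldown does at resolve time, so the effect of UV_EXCLUDE_NEWER / PIP_UPLOADED_PRIOR_TO can be reasoned about offline. The release list, the fixed clock and the rule that a release counts as eligible only if all of its files were uploaded before the cutoff are assumptions of this example; real resolvers apply PEP 440 ordering and per-file filtering.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample shaped like PyPI's JSON API ("releases" -> version -> files).
# Not real data for any package.
CONSTRUCTED_RELEASES = {
    "1.4.0": [{"upload_time_iso_8601": "2025-01-01T10:00:00.000000Z"}],
    "1.4.1": [{"upload_time_iso_8601": "2025-01-08T09:30:00.000000Z"}],
    "1.5.0": [{"upload_time_iso_8601": "2025-01-09T23:45:00.000000Z"}],
}
# Fixed clock so the example is deterministic.
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)


def cooldown_to_timedelta(spec: str) -> timedelta:
    """Accept the two spellings used in the commit: ISO 8601 'P2D' (pip) and a
    human duration such as '2 days' (uv). Only day granularity is handled here."""
    m = re.fullmatch(r"P(\d+)D", spec) or re.fullmatch(r"(\d+)\s*days?", spec)
    if not m:
        raise ValueError(f"unsupported cooldown spec: {spec!r}")
    return timedelta(days=int(m.group(1)))


def _upload_time(file_info: dict) -> datetime:
    # PyPI timestamps end in 'Z'; replace it so fromisoformat works on older
    # Pythons too and the result is timezone-aware (UTC).
    return datetime.fromisoformat(file_info["upload_time_iso_8601"].replace("Z", "+00:00"))


def select_version(releases: dict, cutoff: Optional[datetime]) -> Optional[str]:
    """Return the highest version whose files were all uploaded before `cutoff`.
    `cutoff=None` means no cooldown, i.e. plain 'install latest'."""
    eligible = []
    for version, files in releases.items():
        if cutoff is None or all(_upload_time(f) < cutoff for f in files):
            eligible.append(version)
    if not eligible:
        return None
    # Simple numeric dotted versions only (assumption); real resolvers use PEP 440.
    return max(eligible, key=lambda v: tuple(int(p) for p in v.split(".")))


if __name__ == "__main__":
    cutoff = NOW - cooldown_to_timedelta("P2D")
    print("without cooldown:", select_version(CONSTRUCTED_RELEASES, None))     # 1.5.0
    print("with 2-day cooldown:", select_version(CONSTRUCTED_RELEASES, cutoff))  # 1.4.1
```

Note that the guard does not vet a release; it only delays adoption so that a malicious upload yanked within the first day never reaches the build, and any release that survives the window is still installed normally.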