chore: add uv supply-chain hardening and enforce locked installs

- Set exclude-newer to 3 days and only-binary/:all: in pyproject.toml to limit dependency freshness window and block source builds - Switch uv sync to --locked in Makefile, ci.yml, and deploy-website.yml to enforce the lockfile rather than re-resolving on each install - Regenerate uv.lock with exclude-newer snapshot recorded Co-Authored-By: Claude <noreply@anthropic.com>
2026-05-09 22:53:49 +08:00 · 2026-04-22 02:21:48 +08:00
parent 99d883c00d
commit 0bf9522e5d
5 changed files with 14 additions and 3 deletions
@@ -29,3 +29,10 @@ pythonpath = ["website"]

 [tool.ruff]
 line-length = 200
+
+[tool.uv]
+exclude-newer = "3 days"
+no-build = true
+
+[tool.uv.pip]
+only-binary = [":all:"]