ci: add 2-day package install cooldown (supply-chain guard) (1/n) (#21722)

* ci: add 2-day install cooldown via UV_EXCLUDE_NEWER / PIP_UPLOADED_PRIOR_TO

Workflow-level supply-chain guard: when CI installs Python packages,
the resolver refuses any PyPI release published within the last 2 days.
Catches typosquats and malicious uploads that get yanked within ~24h
before they land in our CI image.

- uv-based workflows (ci-tests-*, code-checks, docs-build,
  _legacy-checkpoints): UV_EXCLUDE_NEWER="2 days". Requires
  uv >= 0.10.0; setup-uv@v7 pulls latest uv.
- pip-based workflows (ci-pkg-install, release-pkg, release-nightly):
  PIP_UPLOADED_PRIOR_TO="P2D" plus a pip-upgrade step. Requires
  pip >= 26.1.

Author: bhimrazy

.github/workflows/_legacy-checkpoints.yml

@@ -44,6 +44,8 @@ on:
 env:
   LEGACY_FOLDER: "tests/legacy"
   TORCH_URL: "https://download.pytorch.org/whl/cpu/"
+  # Supply-chain guard: skip PyPI releases newer than this. See https://docs.astral.sh/uv/reference/settings/#exclude-newer
+  UV_EXCLUDE_NEWER: "2 days"
 
 defaults:
   run:
@@ -71,12 +73,15 @@ jobs:
           PACKAGE_NAME: pytorch
           FREEZE_REQUIREMENTS: 1
         timeout-minutes: 20
-        run: uv pip install . --extra-index-url="${TORCH_URL}"
+        # `unsafe-best-match` required: PyTorch extra-index mirrors an older fsspec that
+        # conflicts with lightning's version range under UV_EXCLUDE_NEWER.
+        run: uv pip install . --extra-index-url="${TORCH_URL}" --index-strategy unsafe-best-match
         if: inputs.pl_version == ''
 
       - name: Install PL version
         timeout-minutes: 20
-        run: uv pip install "pytorch-lightning==${{ inputs.pl_version }}" --extra-index-url="${TORCH_URL}"
+        # `unsafe-best-match` required: same fsspec/PyTorch-index conflict as above.
+        run: uv pip install "pytorch-lightning==${{ inputs.pl_version }}" --extra-index-url="${TORCH_URL}" --index-strategy unsafe-best-match
         if: inputs.pl_version != ''
 
       - name: Adjust tests -> PL

.github/workflows/ci-pkg-install.yml

@@ -45,11 +45,16 @@ jobs:
         os: ["ubuntu-22.04", "macOS-14", "windows-2022"]
         pkg-name: ["fabric", "pytorch", "lightning", "notset"]
         python-version: ["3.10", "3.11"]
+    env:
+      # Supply-chain guard: skip PyPI releases newer than this (ISO 8601 duration). See https://pip.pypa.io/en/stable/cli/pip_install/#cmdoption-uploaded-prior-to
+      PIP_UPLOADED_PRIOR_TO: "P2D"
     steps:
       - uses: actions/checkout@v6
       - uses: actions/setup-python@v6
         with:
           python-version: ${{ matrix.python-version }}
+      - name: Upgrade pip (for --uploaded-prior-to, pip >= 26.1)
+        run: python -m pip install --upgrade "pip>=26.1"
       - uses: actions/download-artifact@v8
         with:
           name: dist-packages-${{ github.sha }}

.github/workflows/ci-tests-fabric.yml

@@ -68,6 +68,8 @@ jobs:
       # TODO: Remove this - Enable running MPS tests on this platform
       DISABLE_MPS: ${{ matrix.os == 'macOS-14' && '1' || '0' }}
       UV_TORCH_BACKEND: "cpu"
+      # Supply-chain guard: skip PyPI releases newer than this. See https://docs.astral.sh/uv/reference/settings/#exclude-newer
+      UV_EXCLUDE_NEWER: "2 days"
     steps:
       - uses: actions/checkout@v6
 

.github/workflows/ci-tests-pytorch.yml

@@ -73,6 +73,8 @@ jobs:
       # TODO: Remove this - Enable running MPS tests on this platform
       DISABLE_MPS: ${{ matrix.os == 'macOS-14' && '1' || '0' }}
       UV_TORCH_BACKEND: "cpu"
+      # Supply-chain guard: skip PyPI releases newer than this. See https://docs.astral.sh/uv/reference/settings/#exclude-newer
+      UV_EXCLUDE_NEWER: "2 days"
     steps:
       - uses: actions/checkout@v6
 

.github/workflows/code-checks.yml

@@ -27,6 +27,9 @@ defaults:
 jobs:
   mypy:
     runs-on: ubuntu-22.04
+    env:
+      # Supply-chain guard: skip PyPI releases newer than this. See https://docs.astral.sh/uv/reference/settings/#exclude-newer
+      UV_EXCLUDE_NEWER: "2 days"
     steps:
       - uses: actions/checkout@v6
 

.github/workflows/docs-build.yml

@@ -48,6 +48,8 @@ env:
   FREEZE_REQUIREMENTS: "1"
   TORCH_URL: "https://download.pytorch.org/whl/cpu/"
   PYPI_LOCAL_DIR: "pypi_pkgs/"
+  # Supply-chain guard: skip PyPI releases newer than this. See https://docs.astral.sh/uv/reference/settings/#exclude-newer
+  UV_EXCLUDE_NEWER: "2 days"
 
 jobs:
   docs-make:
@@ -103,9 +105,15 @@ jobs:
 
       - name: Install package & dependencies
         timeout-minutes: 20
+        # `unsafe-best-match` lets uv consider all indexes when resolving a package,
+        # not just the first one it's found on. Required here because the PyTorch CPU
+        # extra-index mirrors an older `fsspec` that conflicts with `lightning[all]`'s
+        # version range under `UV_EXCLUDE_NEWER`; without this flag uv refuses to fall
+        # back to PyPI for a newer compatible version.
         run: |
           uv pip install .[all] -U -r requirements/${{ matrix.pkg-name }}/docs.txt \
-            -f ${PYPI_LOCAL_DIR} --extra-index-url="${TORCH_URL}"
+            -f ${PYPI_LOCAL_DIR} --extra-index-url="${TORCH_URL}" \
+            --index-strategy unsafe-best-match
           uv pip list
 
       - name: Install req. for Notebooks/tutorials
@@ -179,7 +187,7 @@ jobs:
       - name: Inject version selector
         working-directory: docs/build
         run: |
-          pip install -q wget
+          uv pip install -q wget
           python -m wget https://raw.githubusercontent.com/Lightning-AI/utilities/main/scripts/inject-selector-script.py
           python inject-selector-script.py html ${{ matrix.pkg-name }}
 

.github/workflows/release-nightly.yml

@@ -21,12 +21,16 @@ jobs:
     runs-on: ubuntu-22.04
     env:
       PKG_NAME: "lightning"
+      # Supply-chain guard: skip PyPI releases newer than this (ISO 8601 duration). See https://pip.pypa.io/en/stable/cli/pip_install/#cmdoption-uploaded-prior-to
+      PIP_UPLOADED_PRIOR_TO: "P2D"
     steps:
       - uses: actions/checkout@v6
       - uses: actions/setup-python@v6
         with:
           python-version: "3.10"
 
+      - name: Upgrade pip (for --uploaded-prior-to, pip >= 26.1)
+        run: python -m pip install --upgrade "pip>=26.1"
       - name: Convert actual version to nightly
         run: |
           pip install -q -r .actions/requirements.txt