build: add supply chain hardening via uv exclude-newer and pip uploaded-prior-to

[julian-risch]

Related Issues

• Similar to Haystack PR build: add uv exclude-newer, pip uploaded-prior-to and Dependabot cooldown as supply chain guardrails haystack#11170
• Similar to Haystack Core Integrations PR build: add supply chain hardening via uv exclude-newer and pip uploaded-prior-to haystack-core-integrations#3258

Given the short time window of typical supply-chain attacks, we should use uv exclude-newer and pip --uploaded-prior-to to improve security

Changes

pyproject.toml — uv exclude-newer guardrail:

• Adds exclude-newer = "24 hours" under [tool.uv], which tells uv to ignore any package version published within the last 24 hours during resolution.
• Adds exclude-newer-package exemption for haystack-pydoc-tools (first-party package) so freshly-published releases are always resolvable.

.github/dependabot.yml — Dependabot cooldown:

• Adds cooldown.default-days: 1 to github-actions entries, so Dependabot won't open bump PRs for versions published less than 1 day ago.

--uploaded-prior-to — pip guardrail:

• Upgrades pip before each pip install step and adds --uploaded-prior-to=P1D to all direct pip install commands in CI workflows (pip 26.1+).

How did you test it?

Checklist

• I have read the contributors guidelines and the code of conduct.
• I have updated the related issue with new insights and changes.
• I added unit tests and updated the docstrings.
• I've used one of the conventional commit types for my PR title: fix:, feat:, build:, chore:, ci:, docs:, style:, refactor:, perf:, test:.

🤖 Generated with Claude Code

[davidsbatista]

Looks good!l