chore: regenerate uv.lock with hashes, use lockfile in setup (#2812)

Browse Source

- Regenerate uv.lock with sha256 hashes for all 2965 package artifacts
- Add python_version marker to yc-bench (requires >=3.12)
- Update setup-hermes.sh to prefer 'uv sync --locked' for hash-verified
  installs, with fallback to 'uv pip install' when lockfile is stale

This completes the supply chain hardening: pyproject.toml bounds the
version ranges, and uv.lock pins exact versions with cryptographic
hashes so tampered packages are rejected at install time.

...

This commit is contained in:

Teknium

2026-03-24 08:42:45 -07:00

committed by GitHub

parent 177e43259f

commit 624e4a8e7a

3 changed files with 2509 additions and 455 deletions

Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL

Download Patch File Download Diff File Expand all files Collapse all files

2945

uv.lock generated

File diff suppressed because it is too large Load Diff