chore: add 5-day dependency cooling period for supply-chain hardening (#7718)

.github/workflows/docs.yml

@@ -20,6 +20,10 @@ concurrency:
 jobs:
   build:
     runs-on: ubuntu-latest
+    env:
+      # Install from the committed lockfile; never re-resolve (see pyproject
+      # [tool.uv] exclude-newer cooling window).
+      UV_FROZEN: "1"
     steps:
       - uses: actions/checkout@v6
 

.github/workflows/locale-sync.yml

@@ -14,6 +14,10 @@ permissions:
 jobs:
   sync-locales:
     runs-on: ubuntu-latest
+    env:
+      # Install from the committed lockfile; never re-resolve (see pyproject
+      # [tool.uv] exclude-newer cooling window).
+      UV_FROZEN: "1"
     steps:
       - name: Generate GitHub App Token
         id: app-token

.github/workflows/test-backend.yml

@@ -13,6 +13,10 @@ jobs:
 
     env:
       PRODUCTION: false
+      # Install from the committed lockfile; never re-resolve. The rolling
+      # `exclude-newer` cooling window (pyproject [tool.uv]) would otherwise make
+      # every uv command re-resolve and fail on in-window pins.
+      UV_FROZEN: "1"
 
     strategy:
       fail-fast: true