
feat: resolve PyPI packages through Cisco Artifactory for supply-chain safety#744

Open
oboehmer wants to merge 15 commits into main from chore/739-artifactory-index

Conversation

@oboehmer (Collaborator) commented Apr 8, 2026

Description

Route all PyPI dependency resolution through Cisco's Artifactory instance (artifactory.devhub-cloud.cisco.com) to protect against supply-chain attacks. Fork PRs automatically fall back to pypi.org since GitHub does not expose repository secrets to forks.

Closes

Related Issue(s)

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Refactoring / Technical debt (internal improvements with no user-facing changes)
  • Documentation update
  • Chore (build process, CI, tooling, dependencies)
  • Other (please describe):

Test Framework Affected

  • PyATS
  • Robot Framework
  • Both
  • N/A (not test-framework specific)

Network as Code (NaC) Architecture Affected

  • ACI (APIC)
  • NDO (Nexus Dashboard Orchestrator)
  • NDFC / VXLAN-EVPN (Nexus Dashboard Fabric Controller)
  • Catalyst SD-WAN (SDWAN Manager / vManage)
  • Catalyst Center (DNA Center)
  • ISE (Identity Services Engine)
  • FMC (Firepower Management Center)
  • Meraki (Cloud-managed)
  • NX-OS (Nexus Direct-to-Device)
  • IOS-XE (Direct-to-Device)
  • IOS-XR (Direct-to-Device)
  • Hyperfabric
  • All architectures
  • N/A (architecture-agnostic)

Platform Tested

  • macOS (version tested: Sequoia)
  • Linux (distro/version tested: ubuntu-latest via GitHub Actions)

Key Changes

  • pyproject.toml: Added [[tool.uv.index]] with default = true pointing to Cisco Artifactory, replacing PyPI as the default package index for project-scoped uv commands (sync, lock, run).
  • test.yml: Added UV_DEFAULT_INDEX env var with name=url syntax so uv tool install (bandit, mypy) also routes through Artifactory with proper credential pairing. Added per-job "Configure package index" fallback steps that override back to pypi.org when credentials are empty (fork PRs).
  • test.yml: Pinned actions/checkout and astral-sh/setup-uv to commit SHAs.
  • README.md: Added "Artifactory Authentication (Cisco Developers)" section with instructions for generating an identity token and three credential configuration options (uv auth login, ~/.netrc, env vars).

Testing Done

  • Unit tests added/updated
  • Integration tests performed
  • Manual testing performed:
    • PyATS tests executed successfully
    • Robot Framework tests executed successfully
    • D2D/SSH tests executed successfully (if applicable)
    • HTML reports generated correctly
  • All existing tests pass (pytest / pre-commit run -a)

Test Commands Used

# Verified pipeline passes with credentials (same-repo push)
# Verified pipeline passes with empty credentials (simulated fork PR fallback)
# Verified uv tool install routes through Artifactory (checked job logs for index URLs)

Checklist

  • Code follows project style guidelines (pre-commit run -a passes)
  • Self-review of code completed
  • Code is commented where necessary (especially complex logic)
  • Documentation updated (if applicable)
  • No new warnings introduced
  • Changes work on both macOS and Linux
  • CHANGELOG.md updated (if applicable)

Screenshots (if applicable)

N/A

Additional Notes

  • uv tool install does not read tool.uv.index from pyproject.toml -- it only respects UV_DEFAULT_INDEX. The name=url syntax (cisco-artifactory-devhub=https://...) is required so uv can pair the index with the UV_INDEX_CISCO_ARTIFACTORY_DEVHUB_* credential env vars.
  • Dependency cooldown via exclude-newer = "3 days" was evaluated but deferred -- Cisco Artifactory does not provide PEP 700 upload-time metadata, causing uv to emit warnings for every package. Can revisit once Artifactory adds support.
  • The uv.lock diff is large because the lock file was regenerated against the new index, but all package versions remain the same.
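The "Configure package index" fallback described under Key Changes and the name=url credential pairing from Additional Notes, as an added POSIX shell illustration. This is not the PR's own step script (that script is not reproduced on this page); the Artifactory simple-index path is an assumed placeholder, since only the host artifactory.devhub-cloud.cisco.com appears above, and the credential variable names follow uv's documented UV_INDEX_<NAME>_USERNAME / _PASSWORD convention named in the notes.

```shell
#!/bin/sh
# Added illustration, not code from the nac-test PR: reproduces the logic of a
# per-job "Configure package index" step that falls back to pypi.org when the
# Artifactory secrets are empty (fork PRs) and otherwise routes uv through
# Cisco Artifactory using the name=url form of UV_DEFAULT_INDEX.

# ASSUMED placeholder: the real Artifactory simple-index path is not on the page.
ARTIFACTORY_INDEX_NAME="cisco-artifactory-devhub"
ARTIFACTORY_INDEX_URL="https://artifactory.devhub-cloud.cisco.com/PLACEHOLDER_REPO/simple"
PYPI_INDEX_URL="https://pypi.org/simple"

# select_index USERNAME PASSWORD
# Prints the UV_DEFAULT_INDEX value to use. The name=url form is what lets
# "uv tool install" pair the index with UV_INDEX_<NAME>_USERNAME/_PASSWORD;
# with no credentials (fork PR, secrets not exposed) fall back to pypi.org.
select_index() {
  if [ -z "$1" ] || [ -z "$2" ]; then
    printf '%s\n' "$PYPI_INDEX_URL"
  else
    printf '%s=%s\n' "$ARTIFACTORY_INDEX_NAME" "$ARTIFACTORY_INDEX_URL"
  fi
}

# index_env_prefix INDEX_NAME
# uv derives the credential variable names from the index name: uppercase,
# hyphens replaced by underscores, e.g. cisco-artifactory-devhub ->
# UV_INDEX_CISCO_ARTIFACTORY_DEVHUB (with _USERNAME / _PASSWORD suffixes).
index_env_prefix() {
  printf 'UV_INDEX_%s\n' "$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr '-' '_')"
}

# configure_index USERNAME PASSWORD ENV_FILE
# Appends UV_DEFAULT_INDEX in GITHUB_ENV "KEY=value" form so later steps
# (uv sync, uv tool install) see it. The credentials themselves are assumed
# to already be mapped into the job env under the names index_env_prefix
# yields; this step only decides which index is the default.
# Returns 0 when Artifactory was selected, 1 when it fell back to pypi.org,
# so the workflow can log which path ran.
configure_index() {
  user="$1"; pass="$2"; env_file="$3"
  printf 'UV_DEFAULT_INDEX=%s\n' "$(select_index "$user" "$pass")" >> "$env_file"
  if [ -n "$user" ] && [ -n "$pass" ]; then
    return 0
  fi
  return 1
}

# pyproject_index_table
# Prints the [[tool.uv.index]] table the PR adds to pyproject.toml so that
# project-scoped commands (sync, lock, run) default to Artifactory.
pyproject_index_table() {
  printf '[[tool.uv.index]]\nname = "%s"\nurl = "%s"\ndefault = true\n' \
    "$ARTIFACTORY_INDEX_NAME" "$ARTIFACTORY_INDEX_URL"
}

# Stand-alone demo when run as "sh script.sh demo": simulate a fork PR with
# empty secrets and show what would be written to GITHUB_ENV.
if [ "${1:-}" = "demo" ]; then
  tmp="$(mktemp)"
  if configure_index "" "" "$tmp"; then
    echo "using Artifactory"
  else
    echo "fell back to pypi.org"
  fi
  cat "$tmp"
  rm -f "$tmp"
fi
```

In a workflow the two arguments would come from the repository secrets, and the env file would be "$GITHUB_ENV"; the exit status makes it easy to emit a visible log line so a reviewer can confirm from the job log which index a run actually used, as the PR's testing notes describe.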

@oboehmer oboehmer self-assigned this Apr 8, 2026
@oboehmer (Collaborator, Author) commented Apr 9, 2026

@aitestino, please also review. I agreed with @danischm that we would trial this approach with nac-test to gather experience before discussing with the wider team. Local development will now require authentication for uv sync operations (see README).

@oboehmer oboehmer requested a review from aitestino April 9, 2026 12:52

Development

Successfully merging this pull request may close these issues.

Use Cisco Artifactory as pypi index
