use allow-unsafe in pip-compile call, not pip call

.github/workflows/bump-version.yml

@@ -80,7 +80,7 @@ jobs:
           echo "CURRENT_VERSION=${CURRENT_VERSION}" >> $GITHUB_ENV
       - name: Install CI libraries
         run: |
-          python -m pip install --require-hashes --allow-unsafe -r CI/requirements_ci.txt
+          python -m pip install --require-hashes -r CI/requirements_ci.txt
       - name: Conditional Bump Version
         run: |
           if [[ ${{ env.CURRENT_VERSION }} =~ -dev(\.\d+)? ]]; then

.github/workflows/main.yml

@@ -47,7 +47,7 @@ jobs:
           cache: pip
       - name: Install CI libraries
         run: |
-          python -m pip install --require-hashes --allow-unsafe -r CI/requirements_ci.txt
+          python -m pip install --require-hashes -r CI/requirements_ci.txt
       - name: Run linting suite
         run: |
           python -m tox -e lint
@@ -81,7 +81,6 @@ jobs:
           environment-name: xscen-pypi
           create-args: >-
             esmf=${{ env.esmf-version }}
-            mamba
             python=${{ matrix.python-version }}
             tox
       - name: Environment Caching

.github/workflows/publish-pypi.yml

@@ -35,7 +35,7 @@ jobs:
           python-version: "3.x"
       - name: Install CI libraries
         run: |
-          python -m pip install --require-hashes --allow-unsafe -r CI/requirements_ci.txt
+          python -m pip install --require-hashes -r CI/requirements_ci.txt
       - name: Build a binary wheel and a source tarball
         run: |
           python -m build --sdist --wheel

.github/workflows/tag-testpypi.yml

@@ -59,7 +59,7 @@ jobs:
           python-version: "3.x"
       - name: Install CI libraries
         run: |
-          python -m pip install --require-hashes --allow-unsafe -r CI/requirements_ci.txt
+          python -m pip install --require-hashes -r CI/requirements_ci.txt
       - name: Build a binary wheel and a source tarball
         run: |
           python -m build --sdist --wheel

CI/requirements_ci.txt

@@ -2,7 +2,7 @@
 # This file is autogenerated by pip-compile with Python 3.9
 # by the following command:
 #
-#    pip-compile --generate-hashes --output-file=CI/requirements_ci.txt CI/requirements_ci.in
+#    pip-compile --allow-unsafe --generate-hashes --output-file=CI/requirements_ci.txt CI/requirements_ci.in
 #
 annotated-types==0.7.0 \
     --hash=sha256:1f02e8b43a8fbbc3f3e0d4f0f4bfc8131bcb4eebe8849b8e5c773f3a1c582a53 \
@@ -424,8 +424,14 @@ zipp==3.20.1 \
     --hash=sha256:c22b14cc4763c5a5b04134207736c107db42e9d3ef2d9779d465f5f1bcba572b
     # via importlib-metadata
 
-# WARNING: The following packages were not pinned, but pip requires them to be
-# pinned when the requirements file includes hashes and the requirement is not
-# satisfied by a package already installed. Consider using the --allow-unsafe flag.
-# pip
-# setuptools
+# The following packages are considered to be unsafe in a requirements file:
+pip==24.2 \
+    --hash=sha256:2cd581cf58ab7fcfca4ce8efa6dcacd0de5bf8d0a3eb9ec927e07405f4d9e2a2 \
+    --hash=sha256:5b5e490b5e9cb275c879595064adce9ebd31b854e3e803740b72f9ccf34a45b8
+    # via -r CI/requirements_ci.in
+setuptools==65.0.0 \
+    --hash=sha256:d73f8cd714a1a6691f5eb5abeeacbf313242b7aa2f5eba93776542c1aad90c6f \
+    --hash=sha256:fe9a97f68b064a6ddd4bacfb0b4b93a4c65a556d97ce906255540439d0c35cef
+    # via
+    #   -r CI/requirements_ci.in
+    #   setuptools-scm