Defense in Depth: A Practical Guide to Python Supply Chain Security (bernat.tech)
2 points by gaborbernat 96 days ago
1 comment

Practical guide to Python supply chain security covering the full stack: dependency pinning with hashes, vulnerability scanning in CI, SBOMs, Trusted Publishing with OIDC, package attestations via Sigstore, and delayed ingestion for organizations. Written from the perspective of both a PyPA maintainer and enterprise package infrastructure operator. Includes real attack case studies (Ultralytics, GhostAction, Shai-Hulud) and a phased roadmap for adoption.