Skip to content

ci: install workflow tools from hash-pinned requirements#31

Merged
markuslf merged 1 commit into
mainfrom
ci/hash-pin-workflow-pip-installs
Jul 10, 2026
Merged

ci: install workflow tools from hash-pinned requirements#31
markuslf merged 1 commit into
mainfrom
ci/hash-pin-workflow-pip-installs

Conversation

@markuslf

Copy link
Copy Markdown
Member

Resolves the two PinnedDependenciesID Scorecard alerts (#3, #8).

docs.yml and release.yml installed mkdocs, mkdocs-material and build by version only. A version pin does not protect against a yanked and re-uploaded artifact, which is why Scorecard scores pipCommand not pinned by hash at 8/10.

Both workflows now install with pip install --require-hashes, from files compiled with pip-compile --generate-hashes --strip-extras against the interpreter each workflow actually runs:

file compiled with consumed by
.github/docs/requirements.txt Python 3.12 docs.yml
.github/release/requirements.txt Python 3.14 release.yml

This mirrors the existing .github/pre-commit/requirements.txt. Dependabot already maintains that hash-pinned file (see Linuxfabrik/monitoring-plugins#1094, Linuxfabrik/lfops#234), so the "--require-hashes blocks Dependabot" concern does not apply. Watchpoints for both new directories are added to .github/dependabot.yml.

Verification

Both jobs were run end-to-end in containers after a --require-hashes install:

  • mkdocs build --strict under UBI9/python-312 - exit 0
  • python -m build under Fedora 44 (Python 3.14.6) - exit 0, produces sdist and wheel

actionlint is clean on both workflows.

`docs.yml` and `release.yml` installed mkdocs, mkdocs-material and build
by version only. OpenSSF Scorecard flags both as PinnedDependenciesID
(alerts #3, #8), and a version pin does not protect against a yanked and
re-uploaded artifact.

Both now install with `pip install --require-hashes`, from files compiled
with `pip-compile --generate-hashes` against the Python each workflow
runs (3.12 for docs, 3.14 for release). This mirrors the existing
`.github/pre-commit/requirements.txt`, which Dependabot already keeps up
to date, so the hashes stay maintained. Watchpoints for the two new
directories are added to `dependabot.yml`.

Verified in containers: `mkdocs build --strict` under UBI9/python-312 and
`python -m build` under Fedora 44 (Python 3.14.6), both after a
`--require-hashes` install.
@markuslf markuslf merged commit 728d153 into main Jul 10, 2026
6 checks passed
@markuslf markuslf deleted the ci/hash-pin-workflow-pip-installs branch July 10, 2026 14:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant