ci: install the docs toolchain from a hash-pinned requirements file#1361
Merged
Conversation
`docs.yml` ran `pip install mkdocs mkdocs-material` with no pin at all. Scorecard flags it as PinnedDependenciesID (dismissed alert #67). That dismissal reads "--require-hashes blocks Dependabot from maintaining hashes automatically", which no longer holds: `pre-commit-autoupdate.yml` in this repo already installs with `--require-hashes` from `.github/pre-commit/requirements.txt`, and Dependabot keeps that file current (#1094). The same mechanism now covers the docs toolchain, with a watchpoint for `/.github/docs`. Verified under UBI9/python-312: `--require-hashes` install, then `tools/build-docs` and `mkdocs build --strict`, all exit 0.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes the last unpinned
pip installin this repository (ScorecardPinnedDependenciesID, dismissed alert #67).docs.ymlranpip install mkdocs mkdocs-materialwith no version pin at all, so every documentation build resolved whatever was newest on PyPI at that moment.Why the existing dismissal no longer applies
Alert #67 was dismissed with:
That is no longer true, and this repository already contradicts it:
pre-commit-autoupdate.ymlinstalls withpip install --require-hashes --requirement .github/pre-commit/requirements.txt, and Dependabot maintains that hash-pinned file (see #1094). The second dismissedPinnedDependenciesIDalert, #56, points at exactly that workflow and is stale.This change applies the same mechanism to the docs toolchain and adds a
/.github/docswatchpoint todependabot.yml, matching what Linuxfabrik/mcp-server-icinga#31 just did.Verification
Under UBI9/python-312, against a clean checkout:
pip install --require-hashes --requirement .github/docs/requirements.txt- exit 0python3 tools/build-docs- exit 0, generatesmkdocs.ymlmkdocs build --strict- exit 0actionlintis clean.