chore: more remediations from oss scorecard

- [x] github action versions via hashes
- [x] switch from pip to pipenv
  - seems to handle hashes better and has a lock file

Signed-off-by: jmeridth <jmeridth@gmail.com>

.github/workflows/linter.yaml

@@ -25,8 +25,9 @@ jobs:
           fetch-depth: 0
       - name: Install dependencies
         run: |
-          python -m pip install --upgrade pip
-          pip install -r requirements.txt -r requirements-test.txt
+          python -m pip install pip==24.0 --hash=sha256:ba0d021a166865d2265246961bec0152ff124de910c5cc39f1156ce3fa7c69dc \
+            pipenv==2023.12.1 --hash=sha256:96c8af7c36691fbc648959f3f631954212398246c8cfcfa529ec09bc5d0bfd01
+          pipenv install --deploy --dev --system
       - name: Lint Code Base
         uses: super-linter/super-linter@4758be622215d0954c8353ee4877ffd60111cf8e
         env:

.github/workflows/major-version-updater.yml

@@ -15,7 +15,7 @@ jobs:
       contents: write
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
       - name: version
         id: version
         run: |

.github/workflows/python-package.yml

@@ -26,11 +26,12 @@ jobs:
           python-version: ${{ matrix.python-version }}
       - name: Install dependencies
         run: |
-          python -m pip install --upgrade pip
-          pip install -r requirements.txt -r requirements-test.txt
-      - name: Lint with flake8 and pylint
+          python -m pip install pip==24.0 --hash=sha256:ba0d021a166865d2265246961bec0152ff124de910c5cc39f1156ce3fa7c69dc \
+            pipenv==2023.12.1 --hash=sha256:96c8af7c36691fbc648959f3f631954212398246c8cfcfa529ec09bc5d0bfd01
+          pipenv install --deploy --dev --system
+      - name: Lint with super-linter
         run: |
-          make lint
+          pipenv run lint
       - name: Test with pytest
         run: |
-          make test
+          pipenv run test

.github/workflows/release.yml

@@ -62,7 +62,7 @@
             registry: ${{ env.REGISTRY }}
             username: ${{ github.actor }}
             password: ${{ secrets.GITHUB_TOKEN }}
-        - uses: actions/checkout@v4
+        - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
         - name: Push Docker Image
           if: ${{ success() }}
           uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0

.github/workflows/scorecard.yml

@@ -12,12 +12,30 @@ on:
     - cron: '29 11 * * 6'
   push:
     branches: ["main"]
+  pull_request:
+    branches: ["main"]
 
 permissions: read-all
 
 jobs:
-  analysis:
-    name: Scorecard analysis
+  pull-request-analysis:
+    if : github.event_name == 'pull_request'
+    name: Pull Request Scorecard analysis
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: false
+  merge-to-main-analysis:
+    if : github.event_name == 'push' && github.ref == 'refs/heads/main'
+    name: Merge to Main Scorecard analysis
     runs-on: ubuntu-latest
     permissions:
       security-events: write

.github/workflows/stale.yaml

@@ -11,7 +11,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e
         with:
           stale-issue-message: 'This issue is stale because it has been open 21 days with no activity. Remove stale label or comment or this will be closed in 14 days.'
           close-issue-message: 'This issue was closed because it has been stalled for 35 days with no activity.'

.github/workflows/use-action.yml

@@ -23,7 +23,7 @@ jobs:
       packages: read
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
       - name: Run stale_repos tool
         uses: docker://ghcr.io/github/stale_repos:v1
         env:

Dockerfile

@@ -13,9 +13,9 @@ LABEL com.github.actions.name="stale-repos" \
     org.opencontainers.image.description="Find stale repositories in a GitHub organization."
 
 WORKDIR /action/workspace
-COPY requirements.txt stale_repos.py /action/workspace/
+COPY Pipfile Pipfile.lock stale_repos.py /action/workspace/
 
-RUN python3 -m pip install --no-cache-dir -r requirements.txt \
+RUN python3 -m pip install --no-cache-dir pipenv==2023.12.1 --hash=sha256:96c8af7c36691fbc648959f3f631954212398246c8cfcfa529ec09bc5d0bfd01 \
     && apt-get -y update \
     && apt-get -y install --no-install-recommends git-all=1:2.39.2-1.1 \
     && rm -rf /var/lib/apt/lists/*

Pipfile

@@ -0,0 +1,30 @@
+[[source]]
+url = "https://pypi.org/simple"
+verify_ssl = true
+name = "pypi"
+
+[scripts]
+test = "make test"
+lint = "make lint"
+clean = "make clean"
+
+[packages]
+"github3.py" = "==4.0.1"
+pyjwt = "==2.8.0"
+python-dotenv = "==1.0.1"
+python-dateutil = "==2.9.0.post0"
+
+[dev-packages]
+black = "==24.4.2"
+dill = "==0.3.8"
+exceptiongroup = "==1.2.1"
+flake8 = "==7.0.0"
+mypy = "==1.10.0"
+mypy-extensions = "==1.0.0"
+pylint = "==3.1.0"
+pytest = "==8.2.0"
+pytest-cov = "==5.0.0"
+tomli = "==2.0.1"
+typing-extensions = "==4.11.0"
+types-python-dateutil = "==2.9.0.20240316"
+types-requests = "==2.31.0.20240406"