chore: more remediations from oss scorecard

- [x] github action versions via hashes
- [x] switch from pip to pipenv
  - seems to handle hashes better and has a lock file

Signed-off-by: jmeridth <jmeridth@gmail.com>

.github/workflows/linter.yaml

@@ -25,8 +25,9 @@ jobs:
           fetch-depth: 0
       - name: Install dependencies
         run: |
-          python -m pip install --upgrade pip
-          pip install -r requirements.txt -r requirements-test.txt
+          python -m pip install pip==24.0 --hash=sha256:ba0d021a166865d2265246961bec0152ff124de910c5cc39f1156ce3fa7c69dc \
+            pipenv==2023.12.1 --hash=sha256:96c8af7c36691fbc648959f3f631954212398246c8cfcfa529ec09bc5d0bfd01
+          pipenv install --deploy --dev --system
       - name: Lint Code Base
         uses: super-linter/super-linter@4758be622215d0954c8353ee4877ffd60111cf8e
         env:

.github/workflows/python-package.yml

@@ -26,11 +26,12 @@ jobs:
           python-version: ${{ matrix.python-version }}
       - name: Install dependencies
         run: |
-          python -m pip install --upgrade pip
-          pip install -r requirements.txt -r requirements-test.txt
-      - name: Lint with flake8 and pylint
+          python -m pip install pip==24.0 --hash=sha256:ba0d021a166865d2265246961bec0152ff124de910c5cc39f1156ce3fa7c69dc \
+            pipenv==2023.12.1 --hash=sha256:96c8af7c36691fbc648959f3f631954212398246c8cfcfa529ec09bc5d0bfd01
+          pipenv install --deploy --dev --system
+      - name: Lint with super-linter
         run: |
-          make lint
+          pipenv run lint
       - name: Test with pytest
         run: |
-          make test
+          pipenv run test

.github/workflows/scorecard.yml

@@ -12,12 +12,30 @@ on:
     - cron: '29 11 * * 6'
   push:
     branches: ["main"]
+  pull_request:
+    branches: ["main"]
 
 permissions: read-all
 
 jobs:
-  analysis:
-    name: Scorecard analysis
+  pull-request-analysis:
+    if : github.event_name == 'pull_request'
+    name: Pull Request Scorecard analysis
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: false
+  merge-to-main-analysis:
+    if : github.event_name == 'push' && github.ref == 'refs/heads/main'
+    name: Merge to Main Scorecard analysis
     runs-on: ubuntu-latest
     permissions:
       security-events: write

Dockerfile

@@ -13,9 +13,9 @@ LABEL com.github.actions.name="stale-repos" \
     org.opencontainers.image.description="Find stale repositories in a GitHub organization."
 
 WORKDIR /action/workspace
-COPY requirements.txt stale_repos.py /action/workspace/
+COPY Pipfile Pipfile.lock stale_repos.py /action/workspace/
 
-RUN python3 -m pip install --no-cache-dir -r requirements.txt \
+RUN python3 -m pip install --no-cache-dir pipenv==2023.12.1 --hash=sha256:96c8af7c36691fbc648959f3f631954212398246c8cfcfa529ec09bc5d0bfd01 \
     && apt-get -y update \
     && apt-get -y install --no-install-recommends git-all=1:2.39.2-1.1 \
     && rm -rf /var/lib/apt/lists/*

Pipfile

@@ -0,0 +1,30 @@
+[[source]]
+url = "https://pypi.org/simple"
+verify_ssl = true
+name = "pypi"
+
+[scripts]
+test = "make test"
+lint = "make lint"
+clean = "make clean"
+
+[packages]
+"github3.py" = "==4.0.1"
+pyjwt = "==2.8.0"
+python-dotenv = "==1.0.1"
+python-dateutil = "==2.9.0.post0"
+
+[dev-packages]
+black = "==24.4.2"
+dill = "==0.3.8"
+exceptiongroup = "==1.2.1"
+flake8 = "==7.0.0"
+mypy = "==1.10.0"
+mypy-extensions = "==1.0.0"
+pylint = "==3.1.0"
+pytest = "==8.2.0"
+pytest-cov = "==5.0.0"
+tomli = "==2.0.1"
+typing-extensions = "==4.11.0"
+types-python-dateutil = "==2.9.0.20240316"
+types-requests = "==2.31.0.20240406"

README.md

@@ -256,15 +256,19 @@ jobs:
 1. (Optional) Fill out the `.env` file with the [repository topics](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics) _exempt_topics_ that you want to filter out from the stale repos report. This should be a comma separated list of topics.
 1. (Optional) Fill out the `.env` file with the exact _organization_ that you want to search in
 1. (Optional) Fill out the `.env` file with the exact _URL_ of the GitHub Enterprise that you want to search in. Keep empty if you want to search in the  public `github.com`.
-1. `pip install -r requirements.txt`
+1. `python3 -m pip install pipenv==2023.12.1`
+1. `pipenv shell`
+1. `pipenv install`
 1. Run `python3 ./stale_repos.py`, which will output a list of repositories and the length of their inactivity
 
 ## Local testing without Docker
 
 1. Have Python v3.9 or greater installed
-1. `pip install -r requirements.txt -r requirements-test.txt`
-1. `make lint`
-1. `make test`
+1. `pip install pipenv==2023.12.1`
+1. `pipenv shell`
+1. `pipenv install --dev`
+1. `pipenv run lint`
+1. `pipenv run test`
 
 ## License