chore: more remediations from oss scorecard

- [x] github action versions via hashes
- [x] switch from pip to pipenv
  - seems to handle hashes better and has a lock file

Signed-off-by: jmeridth <jmeridth@gmail.com>

.github/workflows/linter.yaml

@@ -25,8 +25,9 @@ jobs:
           fetch-depth: 0
       - name: Install dependencies
         run: |
-          python -m pip install --upgrade pip
-          pip install -r requirements.txt -r requirements-test.txt
+          python -m pip install --upgrade pip pipenv==2023.12.1
+          pipenv --python 3
+          pipenv install
       - name: Lint Code Base
         uses: super-linter/super-linter@4758be622215d0954c8353ee4877ffd60111cf8e
         env:

.github/workflows/major-version-updater.yml

@@ -15,7 +15,7 @@ jobs:
       contents: write
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
       - name: version
         id: version
         run: |

.github/workflows/python-package.yml

@@ -24,13 +24,9 @@ jobs:
         uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d
         with:
           python-version: ${{ matrix.python-version }}
-      - name: Install dependencies
+      - name: Install dependencies and lint and test
         run: |
-          python -m pip install --upgrade pip
-          pip install -r requirements.txt -r requirements-test.txt
-      - name: Lint with flake8 and pylint
-        run: |
-          make lint
-      - name: Test with pytest
-        run: |
-          make test
+          python -m pip install --upgrade pip pipenv==2023.12.1
+          pipenv install
+          pipenv run lint
+          pipenv run test

.github/workflows/release.yml

@@ -62,7 +62,7 @@
             registry: ${{ env.REGISTRY }}
             username: ${{ github.actor }}
             password: ${{ secrets.GITHUB_TOKEN }}
-        - uses: actions/checkout@v4
+        - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
         - name: Push Docker Image
           if: ${{ success() }}
           uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0

.github/workflows/stale.yaml

@@ -11,7 +11,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e
         with:
           stale-issue-message: 'This issue is stale because it has been open 21 days with no activity. Remove stale label or comment or this will be closed in 14 days.'
           close-issue-message: 'This issue was closed because it has been stalled for 35 days with no activity.'

.github/workflows/use-action.yml

@@ -23,7 +23,7 @@ jobs:
       packages: read
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
       - name: Run stale_repos tool
         uses: docker://ghcr.io/github/stale_repos:v1
         env:

Dockerfile

@@ -13,9 +13,9 @@ LABEL com.github.actions.name="stale-repos" \
     org.opencontainers.image.description="Find stale repositories in a GitHub organization."
 
 WORKDIR /action/workspace
-COPY requirements.txt stale_repos.py /action/workspace/
+COPY Pipfile Pipfile.lock stale_repos.py /action/workspace/
 
-RUN python3 -m pip install --no-cache-dir -r requirements.txt \
+RUN python3 -m pip install --no-cache-dir pipenv==2023.12.1 \
     && apt-get -y update \
     && apt-get -y install --no-install-recommends git-all=1:2.39.2-1.1 \
     && rm -rf /var/lib/apt/lists/*

Pipfile

@@ -0,0 +1,26 @@
+[[source]]
+url = "https://pypi.org/simple"
+verify_ssl = true
+name = "pypi"
+
+[scripts]
+test = "make test"
+lint = "make lint"
+clean = "make clean"
+
+[packages]
+"github3.py" = "==4.0.1"
+pyjwt = "==2.8.0"
+python-dotenv = "==1.0.1"
+python-dateutil = "==2.9.0.post0"
+
+[dev-packages]
+black = "==24.4.2"
+flake8 = "==7.0.0"
+mypy = "==1.10.0"
+mypy-extensions = "==1.0.0"
+pylint = "==3.1.0"
+pytest = "==8.2.0"
+pytest-cov = "==5.0.0"
+types-python-dateutil = "==2.9.0.20240316"
+types-requests = "==2.31.0.20240406"

README.md

@@ -256,13 +256,15 @@ jobs:
 1. (Optional) Fill out the `.env` file with the [repository topics](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics) _exempt_topics_ that you want to filter out from the stale repos report. This should be a comma separated list of topics.
 1. (Optional) Fill out the `.env` file with the exact _organization_ that you want to search in
 1. (Optional) Fill out the `.env` file with the exact _URL_ of the GitHub Enterprise that you want to search in. Keep empty if you want to search in the  public `github.com`.
-1. `pip install -r requirements.txt`
+1. `python3 -m pip install pipenv==2023.12.1`
+1. `pipenv shell`
+1. `pipenv install`
 1. Run `python3 ./stale_repos.py`, which will output a list of repositories and the length of their inactivity
 
 ## Local testing without Docker
 
 1. Have Python v3.9 or greater installed
-1. `pip install -r requirements.txt -r requirements-test.txt`
+1. `pip install pipenv==2023.12.1`
 1. `make lint`
 1. `make test`