[git] Add hashes to requirements.txt for extra security (#92305)

https://pip.pypa.io/en/stable/topics/secure-installs/
llvm · May 17, 2024 · 89b83d2 · 89b83d2
1 parent d3d5a30
commit 89b83d2
Show file tree

Hide file tree

Showing 9 changed files with 301 additions and 25 deletions.
diff --git a/.github/workflows/issue-release-workflow.yml b/.github/workflows/issue-release-workflow.yml
@@ -53,7 +53,7 @@ jobs:
 
       - name: Setup Environment
         run: |
-          pip install -r ./llvm/utils/git/requirements.txt
+          pip install --require-hashes -r ./llvm/utils/git/requirements.txt
           ./llvm/utils/git/github-automation.py --token ${{ github.token }} setup-llvmbot-git
 
       - name: Backport Commits

diff --git a/.github/workflows/issue-subscriber.yml b/.github/workflows/issue-subscriber.yml
@@ -22,7 +22,7 @@ jobs:
       - name: Setup Automation Script
         working-directory: ./llvm/utils/git/
         run: |
-          pip install -r requirements.txt
+          pip install --require-hashes -r requirements.txt
 
       - name: Update watchers
         working-directory: ./llvm/utils/git/

diff --git a/.github/workflows/merged-prs.yml b/.github/workflows/merged-prs.yml
@@ -29,7 +29,7 @@ jobs:
       - name: Setup Automation Script
         working-directory: ./llvm/utils/git/
         run: |
-          pip install -r requirements.txt
+          pip install --require-hashes -r requirements.txt
 
       - name: Add Buildbot information comment
         working-directory: ./llvm/utils/git/

diff --git a/.github/workflows/new-prs.yml b/.github/workflows/new-prs.yml
@@ -43,7 +43,7 @@ jobs:
       - name: Setup Automation Script
         working-directory: ./llvm/utils/git/
         run: |
-          pip install -r requirements.txt
+          pip install --require-hashes -r requirements.txt
 
       - name: Greet Author
         working-directory: ./llvm/utils/git/

diff --git a/.github/workflows/pr-request-release-note.yml b/.github/workflows/pr-request-release-note.yml
@@ -29,7 +29,7 @@ jobs:
 
       - name: Install Dependencies
         run: |
-          pip install -r llvm/utils/git/requirements.txt
+          pip install --require-hashes -r llvm/utils/git/requirements.txt
 
       - name: Request Release Note
         env:

diff --git a/.github/workflows/pr-subscriber.yml b/.github/workflows/pr-subscriber.yml
@@ -22,7 +22,7 @@ jobs:
       - name: Setup Automation Script
         working-directory: ./llvm/utils/git/
         run: |
-          pip install -r requirements.txt
+          pip install --require-hashes -r requirements.txt
 
       - name: Update watchers
         working-directory: ./llvm/utils/git/

diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml
@@ -47,7 +47,7 @@ jobs:
 
     - name: Install Dependencies
       run: |
-        pip install -r ./llvm/utils/git/requirements.txt
+        pip install --require-hashes -r ./llvm/utils/git/requirements.txt
 
     - name: Check Permissions
       env:

diff --git a/.github/workflows/version-check.yml b/.github/workflows/version-check.yml
@@ -23,7 +23,7 @@ jobs:
 
       - name: Install dependencies
         run: |
-          pip install -r ./llvm/utils/git/requirements.txt
+          pip install --require-hashes -r ./llvm/utils/git/requirements.txt
 
       - name: Version Check
         run: |

diff --git a/llvm/utils/git/requirements.txt b/llvm/utils/git/requirements.txt