ci: pin pip installs by hash to clear Scorecard Pinned-Dependencies #220
Conversation
The Scorecard report still flagged the inline `pip install --upgrade pip pipenv poetry` in smoke.yml and update-smoke-goldens.yml as unpinned. Replace it with a hash-locked, fully-resolved requirements file (pip-compile --generate-hashes) installed via `pip install --require-hashes`, covering pip/pipenv/poetry and their full transitive dependency graph (45 packages). Verified the lockfile installs cleanly under Python 3.12 with --require-hashes and that the resolved wheels include manylinux builds for the Linux CI runner.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Bomly Diff Summary

- Dependency Changes: ✅ No dependency changes.
- Vulnerabilities: ✅ No vulnerability changes.
- License Changes: ✅ No license changes.
- Project Posture: ✅ No project posture changes.
- Policy Findings: ✅ No policy differences were identified.
Summary
Follow-up to #217. The OpenSSF Scorecard Pinned-Dependencies check still flagged two remaining unpinned spots after the GitHub Actions SHA pinning landed:

- the `pip install` line in `smoke.yml`
- the `pip install` line in `update-smoke-goldens.yml`

Both lines were an inline `python -m pip install --upgrade pip pipenv poetry`. Per Scorecard's own guidance, the fix is a hash-locked requirements file installed with `--require-hashes`, not just version pinning.

- `.github/requirements-ci-tools.in` (top-level pins: `pip==26.1.2`, `pipenv==2026.6.2`, `poetry==2.4.1`) and `.github/requirements-ci-tools.txt`, generated via `pip-compile --allow-unsafe --generate-hashes`. This resolves and hash-pins the full transitive dependency graph (45 packages total), since `--require-hashes` requires every installed package — not just the top-level ones — to carry a hash.
- `smoke.yml` and `update-smoke-goldens.yml` now run `pip install --require-hashes -r .github/requirements-ci-tools.txt` instead of the inline install.
- `dev-docs/CI.md`.

Verification
- Lockfile resolved under Python 3.12 (the workflows' `setup-python` version) so the resolved wheel hashes match what the Linux CI runner will actually fetch.
- `pip install --require-hashes -r .github/requirements-ci-tools.txt` — succeeds, installs pip/pipenv/poetry plus all 42 transitive deps.
- Compiled dependencies (`xattr`, `cffi`) have manylinux wheels published for cp312, so the same lockfile resolves correctly on `ubuntu-latest`.

Test plan

- `pip install --require-hashes` in a fresh venv
- `Smoke` and `Update Smoke Goldens` workflows succeed on this PR / next dispatch

🤖 Generated with Claude Code
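The PR description relies on two properties of `pip install --require-hashes`: every requirement must be pinned with `==`, and every requirement must carry at least one `--hash`, transitive dependencies included. As an added illustration (not code from this PR or from the repository), the Python below parses a lockfile laid out the way `pip-compile --generate-hashes` writes it, reports the defects `--require-hashes` would reject, and checks a fetched artifact's digest against the locked hashes. The lockfile text, package entries and wheel bytes are constructed for the example, and the function names (`parse_lockfile`, `audit`, `verify_artifact`) are my own.

```python
"""Audit a pip-compile --generate-hashes lockfile the way --require-hashes will."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

# Constructed stand-in for a downloaded wheel; its real sha256 is written into the sample lock.
FAKE_WHEEL = b"PK\x03\x04 constructed stand-in for a cffi cp312 manylinux wheel"
FAKE_WHEEL_SHA256 = hashlib.sha256(FAKE_WHEEL).hexdigest()
TAMPERED_WHEEL = FAKE_WHEEL + b"\n# one extra byte changes the digest"

# Constructed sample in the layout pip-compile emits: backslash-continued --hash lines
# followed by "# via" comments. Not the PR's actual lockfile; digests other than the
# first are placeholders.
SAMPLE_LOCK = f"""\
#
# This file is autogenerated by pip-compile with Python 3.12
#
cffi==1.17.1 \\
    --hash=sha256:{FAKE_WHEEL_SHA256} \\
    --hash=sha256:{'0' * 63}1
    # via cryptography
pycparser==2.22 \\
    --hash=sha256:{'0' * 63}2
    # via cffi
xattr>=1.1
    # via poetry  (constructed defect: range specifier and no hashes)
"""

HASH_RE = re.compile(r"--hash=([a-z0-9]+):([0-9a-fA-F]+)")
# name, optional [extras], optional operator, version; the match stops before any marker.
REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(===|==|~=|>=|<=|!=|>|<)?\s*([^\s;]*)"
)


def normalize_name(name: str) -> str:
    """PEP 503 normalisation so 'CFFI' and 'cffi' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


@dataclass
class LockEntry:
    name: str
    operator: str | None
    version: str
    hashes: dict[str, list[str]] = field(default_factory=dict)  # algorithm -> digests

    @property
    def exact_pin(self) -> bool:
        return self.operator in ("==", "===")


def _logical_lines(text: str):
    """Join backslash-continued physical lines into one logical requirement line."""
    buf: list[str] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield " ".join(buf)
        buf = []
    if buf:
        yield " ".join(buf)


def parse_lockfile(text: str) -> list[LockEntry]:
    entries: list[LockEntry] = []
    for line in _logical_lines(text):
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith("-"):
            continue  # blank line, comment, or a pip option line such as --index-url
        m = REQ_RE.match(stripped)
        if not m:
            raise ValueError(f"unparseable requirement line: {stripped!r}")
        entry = LockEntry(normalize_name(m.group(1)), m.group(3), m.group(4))
        for algo, digest in HASH_RE.findall(stripped):
            entry.hashes.setdefault(algo, []).append(digest.lower())
        entries.append(entry)
    return entries


def audit(entries: list[LockEntry]) -> list[str]:
    """Problems --require-hashes (and Scorecard's Pinned-Dependencies check) would reject."""
    problems = []
    for e in entries:
        if not e.exact_pin:
            problems.append(f"{e.name}: not pinned with == (got {e.operator or 'no specifier'})")
        if not e.hashes:
            problems.append(f"{e.name}: no --hash entries")
    return problems


def verify_artifact(entries: list[LockEntry], name: str, data: bytes) -> bool:
    """True if the artifact's digest matches one of the hashes locked for that package."""
    key = normalize_name(name)
    matches = [e for e in entries if e.name == key]
    if not matches:
        raise KeyError(f"{name} is not in the lockfile")
    return any(
        hashlib.new(algo, data).hexdigest() in digests
        for algo, digests in matches[0].hashes.items()
    )


if __name__ == "__main__":
    locked = parse_lockfile(SAMPLE_LOCK)
    for problem in audit(locked):
        print("REJECT:", problem)
    print("cffi wheel ok:", verify_artifact(locked, "cffi", FAKE_WHEEL))
    print("tampered wheel ok:", verify_artifact(locked, "cffi", TAMPERED_WHEEL))
```

Running the script against the constructed lock reports the `xattr` entry twice (range specifier, no hashes), which is exactly why a `.in` file of top-level pins alone is not enough: the fully resolved `.txt` is what gives every transitive package an `==` pin and a hash. An entry with no hashes can never verify, mirroring pip's behaviour of refusing the install rather than trusting an unhashed download.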