
ci: pin pip installs by hash to clear Scorecard Pinned-Dependencies#220

Merged
bomly-guy merged 1 commit into main from ci/pin-pip-hashes on Jun 30, 2026

Conversation

@bomly-guy

Collaborator

Summary

Follow-up to #217. The OpenSSF Scorecard Pinned-Dependencies check still flagged two remaining unpinned spots after the GitHub Actions SHA pinning landed:

Warn: pipCommand not pinned by hash: .github/workflows/smoke.yml:115
Warn: pipCommand not pinned by hash: .github/workflows/update-smoke-goldens.yml:76

Both lines were an inline python -m pip install --upgrade pip pipenv poetry. Per Scorecard's own guidance, the fix is a hash-locked requirements file installed with --require-hashes, not just version pinning.

  • Added .github/requirements-ci-tools.in (top-level pins: pip==26.1.2, pipenv==2026.6.2, poetry==2.4.1) and .github/requirements-ci-tools.txt, generated via pip-compile --allow-unsafe --generate-hashes. This resolves and hash-pins the full transitive dependency graph (45 packages total), since --require-hashes requires every installed package — not just the top-level ones — to carry a hash.
  • Updated smoke.yml and update-smoke-goldens.yml to run pip install --require-hashes -r .github/requirements-ci-tools.txt instead of the inline install.
  • Documented the lockfile and its regeneration command in dev-docs/CI.md.

Verification

  • Generated the lockfile under Python 3.12 (matching the workflows' setup-python version) so the resolved wheel hashes match what the Linux CI runner will actually fetch.
  • Test-installed the lockfile into a clean venv with pip install --require-hashes -r .github/requirements-ci-tools.txt — succeeds, installs pip/pipenv/poetry plus all 42 transitive deps.
  • Spot-checked that platform-sensitive packages (e.g. xattr, cffi) have manylinux wheels published for cp312, so the same lockfile resolves correctly on ubuntu-latest.

Test plan

  • Lockfile installs cleanly with --require-hashes in a fresh venv
  • Workflow YAML parses correctly
  • Smoke and Update Smoke Goldens workflows succeed on this PR / next dispatch
  • Next weekly Scorecard run shows Pinned-Dependencies at a full 10/10

🤖 Generated with Claude Code

The Scorecard report still flagged the inline `pip install --upgrade
pip pipenv poetry` in smoke.yml and update-smoke-goldens.yml as
unpinned. Replace it with a hash-locked, fully-resolved requirements
file (pip-compile --generate-hashes) installed via `pip install
--require-hashes`, covering pip/pipenv/poetry and their full
transitive dependency graph (45 packages). Verified the lockfile
installs cleanly under Python 3.12 with --require-hashes and that the
resolved wheels include manylinux builds for the Linux CI runner.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
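The rule the PR leans on, that `--require-hashes` makes pip refuse any requirement that is not pinned with `==` and accompanied by a strong `--hash=`, can be replayed offline before the lockfile is committed. What follows is an added example and not code from this PR or the project: a small validator for files in the layout `pip-compile --generate-hashes` emits, which reports everything `pip install --require-hashes` would reject and checks a downloaded artifact's digest against the pinned hashes. The lockfile text, the artifact bytes and their digests are constructed for the example; only the package names and versions (pip==26.1.2, pipenv==2026.6.2) are taken from the PR.

```python
"""Offline pre-flight check for a hash-locked requirements file (added example)."""
import hashlib
import re
from dataclasses import dataclass, field

# Algorithms pip accepts for --hash, with their hex digest lengths; md5/sha1 are refused.
STRONG_HASHES = {"sha256": 64, "sha384": 96, "sha512": 128}
HASH_OPT_RE = re.compile(r"^--hash=([a-z0-9]+):([0-9a-fA-F]+)$")
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?==([^\s;]+)$")


@dataclass
class LockedRequirement:
    name: str
    version: str
    hashes: dict = field(default_factory=dict)  # algorithm -> set of hex digests


def _logical_lines(text):
    """Yield requirement lines with backslash continuations joined and comments dropped."""
    pending = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # pip-compile's "# via ..." annotations and header
        line = re.split(r"\s#", line, maxsplit=1)[0].rstrip()  # trailing inline comment
        if line.endswith("\\"):
            pending.append(line[:-1].rstrip())
            continue
        pending.append(line)
        yield " ".join(pending)
        pending = []
    if pending:  # dangling continuation at end of file
        yield " ".join(pending)


def parse_lockfile(text):
    """Return (requirements, problems); problems is empty iff --require-hashes would accept it."""
    reqs, problems = [], []
    for line in _logical_lines(text):
        head, sep, tail = line.partition("--hash=")
        options = ("--hash=" + tail).split() if sep else []
        spec = head.split(";", 1)[0].strip()  # drop any environment marker
        m = PIN_RE.match(spec)
        if m is None:
            problems.append(f"not pinned with '==': {spec!r}")
            continue
        req = LockedRequirement(name=m.group(1).lower().replace("_", "-"), version=m.group(3))
        for opt in options:
            hm = HASH_OPT_RE.match(opt)
            if hm is None:
                problems.append(f"{req.name}: unexpected option {opt!r}")
                continue
            algo, digest = hm.group(1), hm.group(2).lower()
            if STRONG_HASHES.get(algo) != len(digest):
                problems.append(f"{req.name}: weak or malformed hash {opt}")
                continue
            req.hashes.setdefault(algo, set()).add(digest)
        if not req.hashes:
            problems.append(f"{req.name}=={req.version}: no --hash, --require-hashes would refuse it")
        reqs.append(req)
    return reqs, problems


def artifact_matches(req, data):
    """True if the artifact bytes hash to one of the digests pinned for req."""
    return any(hashlib.new(algo, data).hexdigest() in digests
               for algo, digests in req.hashes.items())


def check(text):
    """Convenience wrapper returning (ok, problems)."""
    _, problems = parse_lockfile(text)
    return (not problems, problems)


# Constructed stand-ins for the files pip would download; their digests are
# computed here so the constructed sample lockfile below is self-consistent.
FAKE_PIP_WHEEL = b"PK\x03\x04 constructed stand-in for pip-26.1.2-py3-none-any.whl"
FAKE_PIP_SDIST = b"constructed stand-in for pip-26.1.2.tar.gz"
FAKE_PIPENV_WHEEL = b"PK\x03\x04 constructed stand-in for pipenv-2026.6.2-py3-none-any.whl"


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed sample in the layout pip-compile --generate-hashes emits.
SAMPLE_LOCKFILE = f"""\
#
# This file is autogenerated by pip-compile with Python 3.12
# by the following command:
#
#    pip-compile --allow-unsafe --generate-hashes requirements-ci-tools.in
#
pip==26.1.2 \\
    --hash=sha256:{_sha256(FAKE_PIP_WHEEL)} \\
    --hash=sha256:{_sha256(FAKE_PIP_SDIST)}
    # via -r requirements-ci-tools.in
pipenv==2026.6.2 \\
    --hash=sha256:{_sha256(FAKE_PIPENV_WHEEL)}
    # via -r requirements-ci-tools.in
"""

# What the inline `pip install --upgrade pip pipenv poetry` amounts to: bare names.
UNPINNED_INLINE = "pip\npipenv\npoetry\n"
# Version pins without hashes: still rejected by --require-hashes.
PINNED_NO_HASH = "pip==26.1.2\npipenv==2026.6.2\n"

if __name__ == "__main__":
    for label, text in [("lockfile", SAMPLE_LOCKFILE), ("inline", UNPINNED_INLINE),
                        ("pins-only", PINNED_NO_HASH)]:
        ok, problems = check(text)
        print(label, "OK" if ok else "REJECTED", *problems, sep="\n  ")
```

Run stand-alone it accepts the constructed lockfile and rejects both "before" shapes, the inline install's bare names and version pins without hashes, which is the distinction the PR description draws between version pinning and hash pinning. The accepted-algorithm set is pip's own strong-hash list; a real `pip install --require-hashes` into a clean venv, as the PR's verification does, remains the authoritative check, because only pip resolves which wheel or sdist is actually fetched.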
@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Contributor

Warning

Review limit reached

@bomly-guy, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 6 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer to the docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: a796631a-e820-4983-9b94-bda6233186e3

📥 Commits

Reviewing files that changed from the base of the PR and between 9e7ce2e and 9b200ae.

📒 Files selected for processing (5)
  • .github/requirements-ci-tools.in
  • .github/requirements-ci-tools.txt
  • .github/workflows/smoke.yml
  • .github/workflows/update-smoke-goldens.yml
  • dev-docs/CI.md

@github-actions

Contributor

Bomly Diff Summary

Compared 1d1112efaeccdfdbce5e88a5acc3f2b9e9f3e041 to 9b200aedc9e373d3e398f2e8744336d13425656c.

Overview

Status: ✅ Pass
Manifests: +0 / ~0 / -0
Dependencies: +0 / ~0 / -0
Findings: 0 introduced / 0 persisted / 0 resolved
Duration: 1m 0s

Dependency Changes

✅ No dependency changes.

Vulnerabilities

✅ No vulnerability changes.

License Changes

✅ No license changes.

Project Posture

✅ No project posture changes (--matchers +scorecard was not selected).

Policy Findings

✅ No policy differences were identified.

@bomly-guy bomly-guy merged commit b8d988e into main Jun 30, 2026
13 checks passed
@bomly-guy bomly-guy deleted the ci/pin-pip-hashes branch June 30, 2026 06:57

1 participant