Merge pull request #955 from pnacht/pinned-pip

Hash-pin Python dependencies in CI/CD release workflows
google · Jan 3, 2024 · e7b5260 · e7b5260
2 parents 2909148 + eecae39
commit e7b5260
Show file tree

Hide file tree

Showing 7 changed files with 360 additions and 5 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -13,3 +13,11 @@ updates:
       github-actions:
         patterns:
           - "*"
+  - package-ecosystem: "pip"
+    directory: "/.github/workflows/requirements"
+    schedule:
+      interval: "monthly"
+    groups:
+      build-time-deps:
+        patterns:
+          - "*"
diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml
@@ -60,8 +60,7 @@ jobs:
     - name: Build Python wrapper
       working-directory: ${{github.workspace}}/python
       run: |
-        python -m pip install --upgrade pip
-        pip install setuptools wheel twine
+        python -m pip install --require-hashes --no-dependencies -r ../.github/workflows/requirements/base.txt
         python setup.py test
         python setup.py bdist_wheel
 

diff --git a/.github/workflows/requirements/base.in b/.github/workflows/requirements/base.in
@@ -0,0 +1,4 @@
+pip
+setuptools
+wheel
+twine
diff --git a/.github/workflows/requirements/base.txt b/.github/workflows/requirements/base.txt
diff --git a/.github/workflows/requirements/cibuildwheel.in b/.github/workflows/requirements/cibuildwheel.in
@@ -0,0 +1,2 @@
+-c base.txt
+cibuildwheel
diff --git a/.github/workflows/requirements/cibuildwheel.txt b/.github/workflows/requirements/cibuildwheel.txt
@@ -0,0 +1,36 @@
+#
+# This file is autogenerated by pip-compile with Python 3.11
+# by the following command:
+#
+#    pip-compile --allow-unsafe --generate-hashes .github/workflows/requirements/cibuildwheel.in
+#
+bashlex==0.18 \
+    --hash=sha256:5bb03a01c6d5676338c36fd1028009c8ad07e7d61d8a1ce3f513b7fff52796ee \
+    --hash=sha256:91d73a23a3e51711919c1c899083890cdecffc91d8c088942725ac13e9dcfffa
+    # via cibuildwheel
+bracex==2.4 \
+    --hash=sha256:a27eaf1df42cf561fed58b7a8f3fdf129d1ea16a81e1fadd1d17989bc6384beb \
+    --hash=sha256:efdc71eff95eaff5e0f8cfebe7d01adf2c8637c8c92edaf63ef348c241a82418
+    # via cibuildwheel
+certifi==2023.11.17 \
+    --hash=sha256:9b469f3a900bf28dc19b8cfbf8019bf47f7fdd1a65a1d4ffb98fc14166beb4d1 \
+    --hash=sha256:e036ab49d5b79556f99cfc2d9320b34cfbe5be05c5871b51de9329f0603b0474
+    # via
+    #   -c .github/workflows/requirements/base.txt
+    #   cibuildwheel
+cibuildwheel==2.16.2 \
+    --hash=sha256:0f3472a1b927786f74ed3843e78d7cb368a2daeb904503b2129276a23b22f7be \
+    --hash=sha256:bbc86ca937d81745f43ab28fd378bff1c1eaf390370c2f3a6e8224290a50127e
+    # via -r .github/workflows/requirements/cibuildwheel.in
+filelock==3.13.1 \
+    --hash=sha256:521f5f56c50f8426f5e03ad3b281b490a87ef15bc6c526f168290f0c7148d44e \
+    --hash=sha256:57dbda9b35157b05fb3e58ee91448612eb674172fab98ee235ccb0b5bee19a1c
+    # via cibuildwheel
+packaging==23.2 \
+    --hash=sha256:048fb0e9405036518eaaf48a55953c750c11e1a1b68e0dd1a9d62ed0c092cfc5 \
+    --hash=sha256:8c491190033a9af7e1d931d0b5dacc2ef47509b34dd0de67ed209b5203fc88c7
+    # via cibuildwheel
+platformdirs==4.1.0 \
+    --hash=sha256:11c8f37bcca40db96d8144522d925583bdb7a31f7b0e37e3ed4318400a8e2380 \
+    --hash=sha256:906d548203468492d432bcb294d4bc2fff751bf84971fbb2c10918cc206ee420
+    # via cibuildwheel
diff --git a/.github/workflows/wheel.yml b/.github/workflows/wheel.yml
@@ -57,9 +57,8 @@ jobs:
       - name: Install cibuildwheel
         working-directory: ${{github.workspace}}/python
         run: |
-          python -m pip install --upgrade pip
-          pip install setuptools wheel twine
-          python -m pip install cibuildwheel==2.16.2
+          python -m pip install --require-hashes --no-dependencies -r ../.github/workflows/requirements/base.txt
+          python -m pip install --require-hashes --no-dependencies -r ../.github/workflows/requirements/cibuildwheel.txt
 
       - name: Build wheels
         working-directory: ${{github.workspace}}/python