ci: Enforce pinned pip dependencies

rettichschnidi · rettichschnidi · commit 17d1b00da005 · 2024-11-17T12:29:37.000+01:00
This should give us a 10/10 OpenSSF rating for pinned dependencies.
diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml
@@ -56,7 +56,7 @@ jobs:
 
     - name: Install dependencies
       run: |
-          pip install -r tests/integration/requirements.txt
+          pip install --require-hashes -r tests/integration/requirements.txt
 
     - name: Execute integration tests
       run: |
diff --git a/.github/workflows/compliance.yaml b/.github/workflows/compliance.yaml
@@ -17,7 +17,7 @@ jobs:
       run: |
         sudo apt update
         sudo apt -qy --no-install-recommends install clang-format-14
-        pip3 install -r tools/requirements-compliance.txt
+        pip3 install --require-hashes -r tools/requirements-compliance.txt
 
     - name: Check commits with gitlint
       run: |
diff --git a/tests/integration/requirements.txt b/tests/integration/requirements.txt
@@ -1,2 +1,2 @@
-pexpect==4.9.0
-pytest==8.3.3
+pexpect==4.9.0 --hash=sha256:7236d1e080e4936be2dc3e326cec0af72acf9212a7e1d060210e70a47e253523
+pytest==8.3.3 --hash=sha256:a6853c7375b2663155079443d2e45de913a911a11d669df02a50814944db57b2
diff --git a/tools/requirements-compliance.txt b/tools/requirements-compliance.txt
@@ -1,4 +1,4 @@
-cmake-format==0.6.13
-gitlint==0.19
-pylint==3.3.1
+cmake-format==0.6.13 --hash=sha256:ec7ed949101e5f0b7bc19317d122b83ccbc28fd766c41c93094845719667c56e
+gitlint==0.19 --hash=sha256:3a566c6f641e054be26ecf67210c237e4fe45472f6606761c9fea7b44e570d3c
+pylint==3.3.1 --hash=sha256:2f846a466dd023513240bc140ad2dd73bfc080a5d85a710afdb728c420a5a2b9
 -r ../tests/integration/requirements.txt
