ci: Enforce pinned pip dependencies

rettichschnidi · rettichschnidi · commit f5b929fa568e · 2024-11-15T23:49:32.000+01:00
This should give us a 10/10 OpenSSF rating for pinned dependencies.
diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml
@@ -56,7 +56,7 @@ jobs:
 
     - name: Install dependencies
       run: |
-          pip install -r tests/integration/requirements.txt
+          pip install --require-hashes -r tests/integration/requirements.txt
 
     - name: Execute integration tests
       run: |
diff --git a/.github/workflows/compliance.yaml b/.github/workflows/compliance.yaml
@@ -17,7 +17,7 @@ jobs:
       run: |
         sudo apt update
         sudo apt -qy --no-install-recommends install clang-format-14
-        pip3 install -r tools/requirements-compliance.txt
+        pip3 install --require-hashes -r tools/requirements-compliance.txt
 
     - name: Check commits with gitlint
       run: |
