use hashed pip install and brew for mac

soswow · soswow · commit 484870e7639d · 2026-04-30T21:05:51.000+10:00
Assisted-by: Cursor/Composer-2

Signed-off-by: Aleksandr Motsjonov &lt;soswow@gmail.com&gt;
diff --git a/.github/workflows/build-steps.yml b/.github/workflows/build-steps.yml
@@ -88,8 +88,6 @@ on:
         type: string
       build_local_deps:
         type: string
-      # When set (e.g. `both`), CMake builds pybind11 and/or nanobind per OIIO
-      # docs; dependency scripts install the `nanobind` pip package when needed.
       oiio_python_bindings_backend:
         type: string
         default: ''
diff --git a/src/build-scripts/ci-requirements-nanobind.txt b/src/build-scripts/ci-requirements-nanobind.txt
@@ -0,0 +1,6 @@
+# CI-only: nanobind for CMake (`python -m nanobind --cmake_dir`). Used on Linux
+# (gh-installdeps) and Windows (gh-win-installdeps) with pip --require-hashes.
+# macOS CI uses `brew install nanobind` instead (install_homebrew_deps.bash).
+# When bumping pip pin: https://pypi.org/pypi/nanobind/<ver>/json → wheel sha256.
+nanobind==2.12.0 \
+    --hash=sha256:a10d3d88e691dcdf22696f9acd893fda3c5a05635763aea238829d274fcad480
diff --git a/src/build-scripts/gh-installdeps.bash b/src/build-scripts/gh-installdeps.bash
@@ -231,11 +231,13 @@ df -h .
 df -h /host/root || true
 
 # nanobind's CMake config is discovered via `python -m nanobind --cmake_dir`.
+# Version + wheel hash: src/build-scripts/ci-requirements-nanobind.txt (CodeQL / supply chain).
 if [[ "${OIIO_PYTHON_BINDINGS_BACKEND:-}" == "both" || "${OIIO_PYTHON_BINDINGS_BACKEND:-}" == "nanobind" ]] ; then
+    _oiio_nanobind_requirements_file="$PWD/src/build-scripts/ci-requirements-nanobind.txt"
     if [[ "$ASWF_ORG" != ""  ]] ; then
-        time pip3 install nanobind || true
+        time pip3 install -r "$_oiio_nanobind_requirements_file" --require-hashes || true
     else
-        time pip3${PIP_SUFFIX} install nanobind
+        time pip3${PIP_SUFFIX} install -r "$_oiio_nanobind_requirements_file" --require-hashes
     fi
 fi
 
diff --git a/src/build-scripts/gh-win-installdeps.bash b/src/build-scripts/gh-win-installdeps.bash
@@ -40,7 +40,8 @@ fi
 pip install numpy
 
 if [[ "${OIIO_PYTHON_BINDINGS_BACKEND:-}" == "both" || "${OIIO_PYTHON_BINDINGS_BACKEND:-}" == "nanobind" ]] ; then
-    "${Python_EXECUTABLE:-python}" -m pip install nanobind
+    _oiio_nanobind_requirements_file="$PWD/src/build-scripts/ci-requirements-nanobind.txt"
+    "${Python_EXECUTABLE:-python}" -m pip install -r "$_oiio_nanobind_requirements_file" --require-hashes
 fi
 
 
diff --git a/src/build-scripts/install_homebrew_deps.bash b/src/build-scripts/install_homebrew_deps.bash
@@ -57,17 +57,16 @@ if [[ "$OIIO_BREW_INSTALL_PACKAGES" == "" ]] ; then
     if [[ "${USE_QT:=1}" != "0" ]] && [[ "${INSTALL_QT:=1}" != "0" ]] ; then
         OIIO_BREW_INSTALL_PACKAGES+=" qt${QT_VERSION}"
     fi
+    if [[ "${OIIO_PYTHON_BINDINGS_BACKEND:-}" == "both" || "${OIIO_PYTHON_BINDINGS_BACKEND:-}" == "nanobind" ]] ; then
+        OIIO_BREW_INSTALL_PACKAGES+=" nanobind"
+    fi
 fi
 brew install --display-times -q $OIIO_BREW_INSTALL_PACKAGES $OIIO_BREW_EXTRA_INSTALL_PACKAGES || true
 
 echo ""
 echo "After brew installs:"
 brew list --versions
 
-if [[ "${OIIO_PYTHON_BINDINGS_BACKEND:-}" == "both" || "${OIIO_PYTHON_BINDINGS_BACKEND:-}" == "nanobind" ]] ; then
-    python3 -m pip install nanobind
-fi
-
 # Set up paths. These will only affect the caller if this script is
 # run with 'source' rather than in a separate shell.
 export PATH=${HOMEBREW_PREFIX}/opt/qt5/bin:$PATH
