fix(ci): use complete requirements files for --require-hashes pip installs

Author: markuslf

.github/workflows/docs.yml

@@ -18,10 +18,10 @@ jobs:
   build:
     runs-on: 'ubuntu-latest'
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      - name: 'Harden the runner (Audit all outbound calls)'
+        uses: 'step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594' # v2.16.0
         with:
-          egress-policy: audit
+          egress-policy: 'audit'
 
       - name: 'Checkout repository'
         uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # v6.0.2
@@ -32,9 +32,7 @@ jobs:
           python-version: '3.12'
 
       - name: 'Install dependencies'
-        run: |
-          pip install --require-hashes --requirement /dev/stdin <<< "mkdocs==1.6.1 --hash=sha256:db91759624d1647f3f34aa0c3f327dd2601beae39a366d6e064c03468d35c20e"
-          pip install --require-hashes --requirement /dev/stdin <<< "mkdocs-material==9.7.6 --hash=sha256:71b84353921b8ea1ba84fe11c50912cc512da8fe0881038fcc9a0761c0e635ba"
+        run: 'pip install --require-hashes --requirement docs-requirements.txt'
 
       - name: 'Generate docs structure'
         run: 'python3 tools/build-docs'
@@ -54,10 +52,10 @@ jobs:
       name: 'github-pages'
       url: '${{ steps.deployment.outputs.page_url }}'
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      - name: 'Harden the runner (Audit all outbound calls)'
+        uses: 'step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594' # v2.16.0
         with:
-          egress-policy: audit
+          egress-policy: 'audit'
 
       - name: 'Deploy to GitHub Pages'
         id: 'deployment'

.github/workflows/lf-build.yml

@@ -27,10 +27,10 @@ jobs:
 
     steps:
 
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      - name: 'Harden the runner (Audit all outbound calls)'
+        uses: 'step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594' # v2.16.0
         with:
-          egress-policy: audit
+          egress-policy: 'audit'
 
       - name: 'git clone https://github.com/Linuxfabrik/lfops'
         uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # v6.0.2
@@ -71,7 +71,7 @@ jobs:
       - name: 'Install Ansible Builder'
         run: |
           python3 -m pip install --upgrade pip
-          pip install --require-hashes --requirement /dev/stdin <<< "ansible-builder==3.1.1 --hash=sha256:a8246022edb92ca27ea95e87c7af30bcb2752f108dcc75fbf96e77196dff1072"
+          pip install --require-hashes --requirement build-requirements.txt
 
       - name: 'Strip badges from README.md (not rendered correctly on Galaxy)'
         run: |

.github/workflows/lf-release.yml

@@ -16,10 +16,10 @@ jobs:
 
     steps:
 
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      - name: 'Harden the runner (Audit all outbound calls)'
+        uses: 'step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594' # v2.16.0
         with:
-          egress-policy: audit
+          egress-policy: 'audit'
 
       - name: 'Create GitHub Release for ${{ github.ref_name }}'
         uses: 'softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe' # v2.6.1

.github/workflows/pre-commit-autoupdate.yml

@@ -14,10 +14,10 @@ jobs:
       contents: 'write'
       pull-requests: 'write'
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      - name: 'Harden the runner (Audit all outbound calls)'
+        uses: 'step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594' # v2.16.0
         with:
-          egress-policy: audit
+          egress-policy: 'audit'
 
       - name: 'Checkout repository'
         uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # v6.0.2
@@ -28,7 +28,7 @@ jobs:
           python-version: '3.12'
 
       - name: 'Install pre-commit'
-        run: 'pip install --require-hashes --requirement /dev/stdin <<< "pre-commit==4.5.1 --hash=sha256:3b3afd891e97337708c1674210f8eba659b52a38ea5f822ff142d10786221f77"'
+        run: 'pip install --require-hashes --requirement pre-commit-requirements.txt'
 
       - name: 'Run pre-commit autoupdate'
         run: 'pre-commit autoupdate'

CHANGELOG.md

@@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
+* **ci**: Fix `--require-hashes` pip installs by providing complete requirements files with all transitive dependencies pinned
 * **role:mount**: Fix `when` condition for NFS/CIFS client package installation failing with multiple mounts and when `state` key is undefined
 
 ### Changed