fix: harden pip install against supply chain attacks

- Expand requirements.txt via pip-compile to pin all transitive dependencies
- Add --no-deps to Dockerfile pip install to prevent runtime dep resolution

Resolves pip-install-no-hash-check security alert.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: zkoppert

Dockerfile

@@ -16,7 +16,7 @@ LABEL com.github.actions.name="contributors" \
 WORKDIR /action/workspace
 COPY requirements.txt *.py /action/workspace/
 
-RUN python3 -m pip install --no-cache-dir -r requirements.txt \
+RUN python3 -m pip install --no-cache-dir --no-deps -r requirements.txt \
     && apt-get -y update \
     && apt-get -y install --no-install-recommends git=1:2.47.3-0+deb13u1 \
     && rm -rf /var/lib/apt/lists/*

requirements.txt

@@ -1,3 +1,30 @@
-github3.py==4.0.1
+certifi==2026.2.25
+    # via requests
+cffi==2.0.0
+    # via cryptography
+charset-normalizer==3.4.4
+    # via requests
+cryptography==46.0.5
+    # via pyjwt
+github3-py==4.0.1
+    # via -r requirements.txt
+idna==3.11
+    # via requests
+pycparser==3.0
+    # via cffi
+pyjwt==2.11.0
+    # via github3-py
+python-dateutil==2.9.0.post0
+    # via github3-py
 python-dotenv==1.2.1
+    # via -r requirements.txt
 requests==2.32.5
+    # via
+    #   -r requirements.txt
+    #   github3-py
+six==1.17.0
+    # via python-dateutil
+uritemplate==4.2.0
+    # via github3-py
+urllib3==2.6.3
+    # via requests