fix: harden pip install against supply chain attacks (#490)

zkoppert · Copilot · web-flow · commit 4e96aff17b76 · 2026-03-05T17:15:43.000-06:00
- Expand requirements.txt via pip-compile to pin all transitive dependencies
- Add --no-deps to Dockerfile pip install to prevent runtime dep resolution

Resolves pip-install-no-hash-check security alert.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/Dockerfile b/Dockerfile
@@ -7,7 +7,7 @@ LABEL org.opencontainers.image.source https://github.com/github-community-projec
 WORKDIR /action/workspace
 COPY requirements.txt *.py /action/workspace/
 
-RUN python3 -m pip install --no-cache-dir -r requirements.txt \
+RUN python3 -m pip install --no-cache-dir --no-deps -r requirements.txt \
     && apt-get -y update \
     && apt-get -y install --no-install-recommends git=1:2.47.3-0+deb13u1 \
     && rm -rf /var/lib/apt/lists/*
diff --git a/requirements.txt b/requirements.txt
@@ -1,4 +1,32 @@
-github3.py==4.0.1
-requests==2.32.5
+certifi==2026.2.25
+    # via requests
+cffi==2.0.0
+    # via cryptography
+charset-normalizer==3.4.4
+    # via requests
+cryptography==46.0.5
+    # via pyjwt
+github3-py==4.0.1
+    # via -r requirements.txt
+idna==3.11
+    # via requests
+pycparser==3.0
+    # via cffi
+pyjwt==2.11.0
+    # via github3-py
+python-dateutil==2.9.0.post0
+    # via github3-py
 python-dotenv==1.2.1
-ruamel.yaml==0.19.1
+    # via -r requirements.txt
+requests==2.32.5
+    # via
+    #   -r requirements.txt
+    #   github3-py
+ruamel-yaml==0.19.1
+    # via -r requirements.txt
+six==1.17.0
+    # via python-dateutil
+uritemplate==4.2.0
+    # via github3-py
+urllib3==2.6.3
+    # via requests
