fix: harden pip install against supply chain attacks (#686)

Resolves code scanning alert #94 (pip install without hash verification).

- Expand requirements.txt via pip-compile to pin all transitive dependencies
  to exact versions (5 top-level → 17 total packages)
- Add --no-deps to Dockerfile pip install to prevent pip from resolving
  any packages beyond what is explicitly listed

This follows the approach recommended in the Opengrep rule guidance:
'use pip install --no-deps -r requirements.txt when using pip-compile
workflow.' With all transitive deps pinned and --no-deps preventing
runtime dependency resolution, no unvetted packages can be introduced.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: zkoppert

Dockerfile

@@ -16,7 +16,7 @@ LABEL com.github.actions.name="issue-metrics" \
 WORKDIR /action/workspace
 COPY requirements.txt *.py /action/workspace/
 
-RUN python3 -m pip install --no-cache-dir -r requirements.txt \
+RUN python3 -m pip install --no-cache-dir --no-deps -r requirements.txt \
     && apt-get -y update \
     && apt-get -y install --no-install-recommends git=1:2.47.3-0+deb13u1 \
     && rm -rf /var/lib/apt/lists/*

requirements.txt

@@ -1,5 +1,34 @@
-github3.py==4.0.1
+certifi==2026.2.25
+    # via requests
+cffi==2.0.0
+    # via cryptography
+charset-normalizer==3.4.4
+    # via requests
+cryptography==46.0.5
+    # via pyjwt
+github3-py==4.0.1
+    # via -r requirements.txt
+idna==3.11
+    # via requests
 numpy==2.4.2
+    # via -r requirements.txt
+pycparser==3.0
+    # via cffi
+pyjwt==2.11.0
+    # via github3-py
+python-dateutil==2.9.0.post0
+    # via github3-py
 python-dotenv==1.2.1
+    # via -r requirements.txt
 pytz==2025.2
+    # via -r requirements.txt
 requests==2.32.5
+    # via
+    #   -r requirements.txt
+    #   github3-py
+six==1.17.0
+    # via python-dateutil
+uritemplate==4.2.0
+    # via github3-py
+urllib3==2.6.3
+    # via requests