fix: remediate supply chain security findings

Address 4 high-severity code scanning findings from vuln-mgmt#195573:

1. Pin Docker base image to SHA256 digest (code-scanning/14)
2. Pin bundler gem to exact version 2.4.10 (code-scanning/16)
3. Add hash verification for pip install in Dockerfile (code-scanning/15)
4. Add hash verification for pip install in CI workflow (code-scanning/12)

Additionally pin all GitHub Actions to full commit SHAs for
supply chain integrity.

Uses requirements file syntax for pip hash verification since
--hash is a per-requirement option, not a CLI flag.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Zack Koppert <zkoppert@github.com>

Author: zkoppert

.github/workflows/ci.yml

@@ -21,7 +21,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6.0.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 10
 
@@ -30,12 +30,12 @@ jobs:
           ruby-version: ${{ matrix.ruby }}
           bundler-cache: true
 
-      - uses: actions/setup-python@v6.2.0
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           # This should match lib/github/markups.rb GitHub::Markups::MARKUP_RST
           python-version: "3.x"
 
-      - uses: actions/cache@v5.0.4
+      - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: ~/.cache/pip
           key: ${{ runner.os }}-pip
@@ -52,7 +52,9 @@ jobs:
           sudo cpanm --installdeps --notest Pod::Simple
 
       - name: Install Python dependencies
-        run: python -m pip install docutils
+        run: |
+          echo 'docutils==0.22.4 --hash=sha256:d0013f540772d1420576855455d050a2180186c91c15779301ac2ccb3eeb68de' > /tmp/requirements.txt
+          python -m pip install -r /tmp/requirements.txt
 
       - name: Run rake
         run: |

Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:trusty
+FROM ubuntu:trusty@sha256:64483f3496c1373bfd55348e88694d1c4d0c9b660dee6bfef5e12f43b9933b30 # trusty
 
 RUN apt-get update -qq
 RUN apt-get install -y apt-transport-https
@@ -18,15 +18,16 @@ RUN install-zef-as-user && zef install Pod::To::HTML
 RUN curl -L http://cpanmin.us | perl - App::cpanminus
 RUN cpanm --installdeps --notest Pod::Simple
 
-RUN pip install docutils
+RUN echo 'docutils==0.22.4 --hash=sha256:d0013f540772d1420576855455d050a2180186c91c15779301ac2ccb3eeb68de' > /tmp/requirements.txt && \
+    pip install -r /tmp/requirements.txt
 
 ENV PATH $PATH:/root/.rbenv/bin:/root/.rbenv/shims
 RUN curl -fsSL https://github.com/rbenv/rbenv-installer/raw/master/bin/rbenv-installer | bash
 RUN rbenv install 2.4.1
 RUN rbenv global 2.4.1
 RUN rbenv rehash
 
-RUN gem install bundler
+RUN gem install bundler -v 2.4.10
 
 WORKDIR /data/github-markup
 COPY github-markup.gemspec .

requirements.txt

@@ -0,0 +1 @@
+docutils==0.22.4 --hash=sha256:d0013f540772d1420576855455d050a2180186c91c15779301ac2ccb3eeb68de