This repository treats runtime dependencies, developer tools, Docker runtime, and GitHub Actions as supply-chain inputs.
requirements.lockpins runtime dependencies with hashes.requirements-dev.lockpins test, lint, type-check, and build tooling with hashes.requirements-bootstrap.lockpins bootstrap tooling used before installing the other locks.requirements-audit.lockpins audit tooling used by CI security checks.
CI and Docker installs use pip install --require-hashes so an unpinned or
unexpected package version fails the build.
The Docker base image is pinned by digest in Dockerfile. Update it only through
a reviewed dependency-maintenance change that rebuilds and retests the image.
Workflow actions are pinned by immutable commit SHA with the original tag kept in a comment for readability. Dependabot groups workflow updates so each change can be reviewed as a supply-chain update.
The release workflow builds the wheel and source distribution from a clean tree,
publishes SHA256SUMS.txt, and creates GitHub artifact attestations for package
provenance. Release assets should be verified before deployment:
sha256sum -c SHA256SUMS.txt
gh attestation verify telegram_resender-*.whl --repo krotname/TelegramResenderBot