Further harden CI/CD (#15)

* CI cleanup
* Add pyproject.toml
* Add lockfile and requirements files
* Use pinned Python requirements in CI/CD

Author: bashonly

.github/actionlint.yml

@@ -0,0 +1,5 @@
+paths:
+  .github/workflows/build.yml:
+    ignore:
+      # SC1090 "Can't follow non-constant source": ignore when using `source` to activate venv
+      - '.+SC1090.+'

.github/workflows/build.yml

@@ -77,18 +77,26 @@ jobs:
           with open(os.environ['GITHUB_OUTPUT'], 'a') as f:
               f.write(f'matrix={json.dumps(matrix)}')
 
-      - name: Checkout
+      - name: Checkout Pyinstaller-Builds
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          path: builds
+          persist-credentials: false
+
+      - name: Checkout PyInstaller
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           fetch-depth: 0  # Needed for git-describe
           repository: pyinstaller/pyinstaller
           ref: ${{ inputs.commitish }}
+          path: pyinstaller
           persist-credentials: false
 
       - name: Git describe
         id: git_describe
         shell: bash
         run: |
+          cd pyinstaller
           git describe --tags  # So the script will exit on error
           echo "tag=$(git describe --tags)" >> "${GITHUB_OUTPUT}"
 
@@ -132,17 +140,26 @@ jobs:
         with:
           python-version: "3.14"
 
+      - name: Install Python dependencies
+        run: |
+          cd pyinstaller
+          python -m venv --clear venv
+          source venv/bin/activate
+          python -m pip install -U --require-hashes -r "../builds/requirements/pip.txt"
+          python -m pip install -U --require-hashes -r "../builds/requirements/build.txt"
+
       - name: Build source distribution
         run: |
-          python -m pip install -U build hatchling
+          cd pyinstaller
+          source venv/bin/activate
           python -m build --no-isolation --sdist --outdir=dist .
 
       - name: Upload artifacts
         uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
         with:
           name: pyinstaller-${{ inputs.commitish }}-sdist
           path: |
-            dist/*
+            pyinstaller/dist/*
           compression-level: 0
 
   build:
@@ -171,35 +188,51 @@ jobs:
             mingw-w64-${{ matrix.env }}-python
             mingw-w64-${{ matrix.env }}-python-pip
 
-      - name: Checkout
+      - name: Checkout Pyinstaller-Builds
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          path: builds
+          persist-credentials: false
+
+      - name: Checkout PyInstaller
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           repository: pyinstaller/pyinstaller
           ref: ${{ inputs.commitish }}
+          path: pyinstaller
           persist-credentials: false
 
       - name: Build bootloader
         env:
           ARCH: ${{ matrix.arch }}
           COMPILER: ${{ matrix.compiler }}
         run: |
-          cd bootloader
+          cd pyinstaller/bootloader
           python ./waf --target-arch="${ARCH}" --"${COMPILER}" distclean all
 
+      - name: Install Python dependencies
+        run: |
+          cd pyinstaller
+          python -m venv --clear venv
+          source venv/bin/activate
+          python -m pip install -U --require-hashes -r "../builds/requirements/pip.txt"
+          python -m pip install -U --require-hashes -r "../builds/requirements/build.txt"
+
       - name: Build wheel
         env:
           PYI_WHEEL_TAG: ${{ matrix.wheel_tag }}
           PYI_PLATFORM: ${{ matrix.platform }}
         run: |
-          python -m pip install -U build hatchling
+          cd pyinstaller
+          source venv/bin/activate
           python -m build --no-isolation --wheel --outdir=dist .
 
       - name: Upload artifacts
         uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
         with:
           name: pyinstaller-${{ inputs.commitish }}-${{ matrix.name }}
           path: |
-            dist/*
+            pyinstaller/dist/*
           compression-level: 0
 
   release:

.github/workflows/ci.yml

@@ -2,6 +2,7 @@ name: CI
 on:
   push:
     branches: ['master']
+  # This workflow contains required checks and needs to run for EVERY pull_request
   pull_request:
     branches: ['**']
 
@@ -19,6 +20,7 @@ env:
 
 jobs:
   actionlint:
+    # Required check; do not change name
     name: actionlint
     permissions:
       contents: read
@@ -32,14 +34,18 @@ jobs:
         with:
           python-version: "3.14"
 
+      - name: Install Python dependencies
+        run: |
+          python -m pip install -U --require-hashes -r "requirements/pip.txt"
+          python -m pip install -U --require-hashes -r "requirements/pyflakes.txt"
+
       - name: Install requirements
         env:
           GH_TOKEN: ${{ github.token }}
           ACTIONLINT_TARBALL: ${{ format('actionlint_{0}_linux_amd64.tar.gz', env.ACTIONLINT_VERSION) }}
         shell: bash
         run: |
           sudo apt -y install shellcheck
-          python -m pip install -U pyflakes
           gh release download \
             --repo "${ACTIONLINT_REPO}" \
             --pattern "${ACTIONLINT_TARBALL}" \
@@ -50,11 +56,13 @@ jobs:
           printf '%s  %s' "${ACTIONLINT_SHA256SUM}" "${ACTIONLINT_TARBALL}" | sha256sum -c -
           tar xvzf "${ACTIONLINT_TARBALL}" actionlint
           sudo install -D --mode=755 actionlint /usr/bin/
+
       - name: Run actionlint
         run: |
           actionlint -color
 
   zizmor:
+    # Required check; do not change name
     name: zizmor
     permissions:
       contents: read
@@ -64,6 +72,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           persist-credentials: false
+
       - name: Run zizmor
         uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8  # v0.5.2
         with:

pyproject.toml

@@ -0,0 +1,26 @@
+[project]
+name = "Pyinstaller-Builds"
+version = "0.1.0"
+maintainers = [
+    {email = "maintainers@yt-dlp.org"},
+]
+description = "PyInstaller builds for yt-dlp"
+readme = "README.md"
+requires-python = ">=3.13"
+license = "Unlicense"
+license-files = ["LICENSE"]
+
+[dependency-groups]
+build = [
+    "build",
+    "hatchling>=1.27.0",
+]
+pip = [
+    "pip",
+]
+pyflakes = [
+    "pyflakes~=3.4.0",
+]
+
+[tool.uv]
+exclude-newer = "7 days"

requirements/build.txt

@@ -0,0 +1,32 @@
+build==1.4.4 \
+    --hash=sha256:8c3f48a6090b39edec1a273d2d57949aaf13723b01e02f9d518396887519f64d \
+    --hash=sha256:f832ae053061f3fb524af812dc94b8b84bac6880cd587630e3b5d91a6a9c1703
+colorama==0.4.6 ; os_name == 'nt' \
+    --hash=sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44 \
+    --hash=sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6
+    # via build
+hatchling==1.29.0 \
+    --hash=sha256:50af9343281f34785fab12da82e445ed987a6efb34fd8c2fc0f6e6630dbcc1b0 \
+    --hash=sha256:793c31816d952cee405b83488ce001c719f325d9cda69f1fc4cd750527640ea6
+packaging==26.2 \
+    --hash=sha256:5fc45236b9446107ff2415ce77c807cee2862cb6fac22b8a73826d0693b0980e \
+    --hash=sha256:ff452ff5a3e828ce110190feff1178bb1f2ea2281fa2075aadb987c2fb221661
+    # via
+    #   build
+    #   hatchling
+pathspec==1.1.1 \
+    --hash=sha256:17db5ecd524104a120e173814c90367a96a98d07c45b2e10c2f3919fff91bf5a \
+    --hash=sha256:a00ce642f577bf7f473932318056212bc4f8bfdf53128c78bbd5af0b9b20b189
+    # via hatchling
+pluggy==1.6.0 \
+    --hash=sha256:7dcc130b76258d33b90f61b658791dede3486c3e6bfb003ee5c9bfb396dd22f3 \
+    --hash=sha256:e920276dd6813095e9377c0bc5566d94c932c33b27a3e3945d8389c374dd4746
+    # via hatchling
+pyproject-hooks==1.2.0 \
+    --hash=sha256:1e859bd5c40fae9448642dd871adf459e5e2084186e8d2c2a79a824c970da1f8 \
+    --hash=sha256:9e5c6bfa8dcc30091c74b0cf803c81fdd29d94f01992a7707bc97babb1141913
+    # via build
+trove-classifiers==2026.1.14.14 \
+    --hash=sha256:00492545a1402b09d4858605ba190ea33243d361e2b01c9c296ce06b5c3325f3 \
+    --hash=sha256:1f9553927f18d0513d8e5ff80ab8980b8202ce37ecae0e3274ed2ef11880e74d
+    # via hatchling

requirements/pip.txt

@@ -0,0 +1,3 @@
+pip==26.1 \
+    --hash=sha256:4e8486d821d814b77319acb7b9e8bf5a4ee7590a643e7cb21029f209be8573c1 \
+    --hash=sha256:81e13ebcca3ffa8cc85e4deff5c27e1ee26dea0aa7fc2f294a073ac208806ff3

requirements/pyflakes.txt

@@ -0,0 +1,3 @@
+pyflakes==3.4.0 \
+    --hash=sha256:b24f96fafb7d2ab0ec5075b7350b3d2d2218eab42003821c06344973d3ea2f58 \
+    --hash=sha256:f742a7dbd0d9cb9ea41e9a24a918996e8170c799fa528688d40dd582c8265f4f