Use hashed requirements lock

2025-09-07 23:08:43 +00:00 · 2025-08-03 10:08:50 -04:00
parent c3ed4c08ee
commit 6f885bd65e
9 changed files with 2004 additions and 111 deletions
--- a/.github/workflows/briefcase.yml
+++ b/.github/workflows/briefcase.yml
@@ -16,8 +16,10 @@ jobs:
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
-          pip install -r src/requirements.txt
-          pip install briefcase
+          pip install pip-tools briefcase
+          pip-compile --generate-hashes --output-file=requirements.lock src/requirements.txt
+          git diff --exit-code requirements.lock
+          pip install --require-hashes -r requirements.lock
      - name: Build with Briefcase
        run: briefcase build
      - name: Upload artifacts
--- a/.github/workflows/dependency-audit.yml
+++ b/.github/workflows/dependency-audit.yml
@@ -19,7 +19,9 @@ jobs:
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
-          pip install -r src/requirements.txt
-          pip install pip-audit
+          pip install pip-tools pip-audit
+          pip-compile --generate-hashes --output-file=requirements.lock src/requirements.txt
+          git diff --exit-code requirements.lock
+          pip install --require-hashes -r requirements.lock
      - name: Run pip-audit
        run: pip-audit -r requirements.lock --ignore-vuln GHSA-wj6h-64fc-37mp
--- a/.github/workflows/python-ci.yml
+++ b/.github/workflows/python-ci.yml
@@ -59,14 +59,16 @@ jobs:
        uses: actions/cache@v3
        with:
          path: ~/.cache/pip
-          key: ${{ runner.os }}-pip-${{ hashFiles('src/requirements.txt') }}
+          key: ${{ runner.os }}-pip-${{ hashFiles('requirements.lock') }}
          restore-keys: |
            ${{ runner.os }}-pip-
-      - name: Set up Python dependencies
-        id: deps
+      - name: Verify lockfile and install dependencies
        run: |
          python -m pip install --upgrade pip
-          pip install -r src/requirements.txt
+          pip install pip-tools
+          pip-compile --generate-hashes --output-file=requirements.lock src/requirements.txt
+          git diff --exit-code requirements.lock
+          pip install --require-hashes -r requirements.lock
      - name: Run pip-audit
        run: |
          pip install pip-audit