fix: install pyinstaller and flake8 using a hash for security reasons

sbp-bvanb · sbp-bvanb · commit 8485a9ecddb4 · 2026-03-23T08:16:24.000+01:00
diff --git a/.github/workflows/general.yml b/.github/workflows/general.yml
@@ -15,7 +15,7 @@ jobs:
           - testing-type: yamllint
     runs-on: ubuntu-slim
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       # yamllint disable-line rule:line-length
       - uses: schubergphilis/mcvs-general-action@f52c4433add29d8eff9036bf37b5b69a2c4cf28b # v0.5.8
         with:
diff --git a/.github/workflows/mcvs-pr-validation.yml b/.github/workflows/mcvs-pr-validation.yml
@@ -15,5 +15,6 @@ jobs:
   MCVS-PR-validation-action:
     runs-on: ubuntu-slim
     steps:
-      - uses: actions/checkout@v4.2.2
-      - uses: schubergphilis/mcvs-pr-validation-action@v0.2.0
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      # yamllint disable-line rule:line-length
+      - uses: schubergphilis/mcvs-pr-validation-action@b1c337a896fea52b52a93335713a435d5a07ea72 # v0.2.0
diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
@@ -0,0 +1,16 @@
+---
+name: python
+# "on": pull_request
+"on": push
+permissions:
+  contents: read
+  packages: read
+jobs:
+  mcvs-python-action:
+    runs-on: ubuntu-slim
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: ./
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          pyinstaller-binary-name: some-binary
diff --git a/README.md b/README.md
@@ -19,8 +19,8 @@ jobs:
   MCVS-python-action:
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4.2.2
-      - uses: schubergphilis/mcvs-python-action@v0.2.1
+      - uses: actions/checkout@some-hash # v4.2.2
+      - uses: schubergphilis/mcvs-python-action@some-hash # v0.2.1
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
 ```
diff --git a/action.yml b/action.yml
@@ -18,12 +18,14 @@ runs:
     # Install the python version that has been defined in the .python-version
     # file.
     #
+    # yamllint disable-line rule:line-length
     - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
       with:
         cache: pip
     #
     # Code security scanning.
     #
+    # yamllint disable-line rule:line-length
     - uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # v6.2.0
       with:
         only-fixed: false
@@ -39,7 +41,7 @@ runs:
         requirements_file=requirements.txt
         if [ -f ${requirements_file} ]; then
           pip install \
-            -r ${requirements_file}
+            --requirement ${requirements_file}
         fi
     #
     # Run pytest if 'import pytest' is found.
@@ -61,7 +63,11 @@ runs:
     - name: Code linting with Flake8
       shell: bash
       run: |
-        pip install flake8==7.2.0
+        python3 -m pip install \
+          --require-hashes \
+          --user \
+          --requirement \
+            ${GITHUB_ACTION_PATH}/configs/pip/flake8/requirements.txt
 
         errors=$(flake8 -v --max-line-length=150 --exclude=client/,.venv/,venv/ --count --statistics --exit-zero .)
         echo "Flake8 reported $errors errors/warnings."
@@ -88,10 +94,16 @@ runs:
       shell: bash
       run: |
         pip install pyinstaller==v6.13.0
+        python3 -m pip install \
+          --require-hashes \
+          --user \
+          --requirement \
+            ${GITHUB_ACTION_PATH}/configs/pip/pyinstaller/requirements.txt
         pyinstaller --onefile main.py --name gomod-go-version-updater
-    - name: Attach a binary to a release
+    # yamllint disable-line rule:line-length
+    - uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # 2.9.0
+      name: Attach a binary to a release
       if: ${{ steps.condition_check.outcome == 'success' }}
-      uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # 2.9.0
       with:
         repo_token: ${{ inputs.token }}
         file: dist/${{ inputs.pyinstaller-binary-name }}
diff --git a/configs/pip/flake8/requirements.txt b/configs/pip/flake8/requirements.txt
@@ -0,0 +1,4 @@
+flake8==7.2.0 --hash=sha256:93b92ba5bdb60754a6da14fa3b93a9361fd00a59632ada61fd7b130436c40343
+pycodestyle==2.13.0 --hash=sha256:35863c5974a271c7a726ed228a14a4f6daf49df369d8c50cd9a6f58a5e143ba9
+pyflakes==3.3.2 --hash=sha256:5039c8339cbb1944045f4ee5466908906180f13cc99cc9949348d10f82a5c32a
+mccabe==0.7.0 --hash=sha256:6c2d30ab6be0e4a46919781807b4f0d834ebdd6c6e3dca0bda5a15f863427b6e
diff --git a/configs/pip/pyinstaller/requirements.txt b/configs/pip/pyinstaller/requirements.txt
@@ -0,0 +1 @@
+pyinstaller==v6.13.0 --hash=sha256:bc09795f5954135dd4486c1535650958c8218acb954f43860e4b05fb515a21c0

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+pyinstaller==v6.13.0 --hash=sha256:bc09795f5954135dd4486c1535650958c8218acb954f43860e4b05fb515a21c0`