From 5afb1089d167e89f91e91db456aa070936c6f0b9 Mon Sep 17 00:00:00 2001
From: Zack Koppert <zkoppert@github.com>
Date: Thu, 5 Mar 2026 09:17:34 -0800
Subject: [PATCH] fix: harden pip install against supply chain attacks

- Expand requirements.txt via pip-compile to pin all transitive dependencies
- Add --no-deps to Dockerfile pip install to prevent runtime dep resolution

Resolves pip-install-no-hash-check security alert.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 Dockerfile       |  2 +-
 requirements.txt | 28 +++++++++++++++++++++++++++-
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index d9471af..cfb9123 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,7 +7,7 @@ LABEL org.opencontainers.image.source https://github.com/github-community-projec
 WORKDIR /action/workspace
 COPY requirements.txt *.py /action/workspace/
 
-RUN python3 -m pip install --no-cache-dir -r requirements.txt \
+RUN python3 -m pip install --no-cache-dir --no-deps -r requirements.txt \
     && apt-get -y update \
     && apt-get -y install --no-install-recommends git=1:2.47.3-0+deb13u1 \
     && rm -rf /var/lib/apt/lists/*
diff --git a/requirements.txt b/requirements.txt
index 7c298f1..cef0d5b 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,2 +1,28 @@
-github3.py==4.0.1
+certifi==2026.2.25
+    # via requests
+cffi==2.0.0
+    # via cryptography
+charset-normalizer==3.4.4
+    # via requests
+cryptography==46.0.5
+    # via pyjwt
+github3-py==4.0.1
+    # via -r requirements.txt
+idna==3.11
+    # via requests
+pycparser==3.0
+    # via cffi
+pyjwt==2.11.0
+    # via github3-py
+python-dateutil==2.9.0.post0
+    # via github3-py
 python-dotenv==1.2.1
+    # via -r requirements.txt
+requests==2.32.5
+    # via github3-py
+six==1.17.0
+    # via python-dateutil
+uritemplate==4.2.0
+    # via github3-py
+urllib3==2.6.3
+    # via requests