
Pin dependencies to harden against supply chain attacks #169

Merged
janhoy merged 4 commits into main from supply-chain-hardening
Apr 15, 2026


@janhoy janhoy commented Apr 13, 2026

As suggested by Gus...

Hardens the build against supply-chain attacks and adds tooling to keep dependencies up to date.

Dependency pinning

  • Add Dockerfile with base image pinned by digest (python:3.13-alpine@sha256:…)
  • Add requirements.in (direct deps) and generate requirements.txt as a hash-verified lockfile via pip-compile --generate-hashes
  • Pin GitHub Actions refs to commit SHAs in both workflow files
  • Upgrade Pelican 4.9.1 → 4.11.0.post0 (drops pkg_resources dependency, fixes runtime error with setuptools 82+)

Dependabot

  • Add .github/dependabot.yml covering pip, docker, and github-actions ecosystems (monthly updates)
  • Dependabot natively regenerates requirements.txt from requirements.in on pip bump PRs

Developer tooling

  • Add ./build.sh --lock to regenerate requirements.txt inside Docker (no local pip-tools needed); combine with -b to also rebuild the image
  • ./build.sh -b auto-detects stale lockfile and rebuilds image if requirements.txt is newer than the cached image

Dependency upgrades

  • beautifulsoup4 4.12.3 → 4.14.3, jsonschema 4.22.0 → 4.26.0, invoke 2.2.1 → 3.0.3, livereload 2.6.3 → 2.7.1, markupsafe 2.1.5 → 3.0.3, checksumdir 1.2.0 → 1.3.0
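
Added example (not part of this PR or the project's code): a Python audit of the three pin types the description lists, flagging workflow `uses:` refs not pinned to a commit SHA, Dockerfile `FROM` images without a digest, and lockfile entries without `--hash`. The sample inputs, the placeholder digests and `example-org/build` are constructed for illustration.

```python
import re

SHA40 = re.compile(r"[0-9a-f]{40}")
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")

def unpinned_actions(workflow_text):
    """Return `uses:` refs not pinned to a full 40-hex commit SHA."""
    bad = []
    for m in re.finditer(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)", workflow_text, re.M):
        ref = m.group(1).strip("'\"")
        if ref.startswith("./"):
            continue  # local action, versioned with the repository itself
        rev = ref.partition("@")[2]
        pinned = DIGEST.search(ref) if ref.startswith("docker://") else SHA40.fullmatch(rev)
        if not pinned:
            bad.append(ref)
    return bad

def unpinned_base_images(dockerfile_text):
    """Return FROM images lacking an @sha256 digest (earlier stages, scratch excluded)."""
    bad, stages = [], set()
    for line in dockerfile_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].upper() != "FROM":
            continue
        args = [p for p in parts[1:] if not p.startswith("--")]  # drop --platform=...
        if not args:
            continue
        if args[0] != "scratch" and args[0] not in stages and not DIGEST.search(args[0]):
            bad.append(args[0])
        if len(args) >= 3 and args[1].upper() == "AS":
            stages.add(args[2])  # later "FROM <stage>" lines refer to this build stage
    return bad

def unhashed_requirements(lock_text):
    """Return requirement entries in a lockfile that carry no --hash=sha256: option."""
    bad = []
    for line in lock_text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.split(" #")[0].strip()
        if line and not line.startswith(("#", "-")) and "--hash=sha256:" not in line:
            bad.append(line.split()[0])
    return bad

# Constructed samples; H and S are placeholder digests, not real values.
H, S = "0" * 64, "1" * 40
WORKFLOW = f"steps:\n  - uses: actions/checkout@v4\n  - uses: example-org/build@main\n  - uses: actions/setup-python@{S} # v5\n"
DOCKERFILE = f"FROM python:3.13-alpine@sha256:{H} AS base\nFROM base\nFROM python:3.13-alpine\n"
LOCK = f"beautifulsoup4==4.14.3 \\\n    --hash=sha256:{H}\n    # via -r requirements.in\ninvoke==3.0.3\n"

if __name__ == "__main__":
    print(unpinned_actions(WORKFLOW), unpinned_base_images(DOCKERFILE), unhashed_requirements(LOCK))
```

A check like this can run in CI next to Dependabot so that a hand-edited workflow or Dockerfile does not quietly reintroduce a tag or branch ref.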

@janhoy janhoy requested a review from gus-asf April 13, 2026 12:37
Use a real Dockerfile so dependabot can update python

@gus-asf gus-asf left a comment


One comment, but not suggesting a change

Comment thread requirements.lock.txt Outdated
janhoy added 2 commits April 15, 2026 09:56
- beautifulsoup4 4.12.3 → 4.14.3
- jsonschema 4.22.0 → 4.26.0
- invoke 2.2.1 → 3.0.3
- livereload 2.6.3 → 2.7.1
- markupsafe 2.1.5 → 3.0.3
@janhoy janhoy requested a review from gus-asf April 15, 2026 08:09

janhoy commented Apr 15, 2026

I did another round of cleanups, added python lockfile to pin sha for all py deps, a --lock option to regenerate lockfile, and upgraded a bunch of packages, dependabot support etc. See updated PR description for a summary.

Coincidentally infra just messaged all projects using Pelican that we must stop using @main and that is one of the fixes here.

@janhoy janhoy merged commit 3ef2f8f into main Apr 15, 2026
2 checks passed
@janhoy janhoy deleted the supply-chain-hardening branch April 15, 2026 08:27