From 844df703450c1d01bad87ccf4baf163985dc5787 Mon Sep 17 00:00:00 2001 From: Rhuan Barreto Date: Thu, 28 May 2026 23:09:09 +0200 Subject: [PATCH] fix(ci): pin pip build dependency by hash for Scorecard compliance Pin `pip install build` to version 1.5.0 with `--require-hashes` and SHA-256 hashes for both the wheel and source tarball. This resolves GitHub code scanning alert #16 (Scorecard Pinned-Dependencies) which flagged the unpinned pip command as a medium-severity supply chain risk. Signed-off-by: Rhuan Barreto --- .github/workflows/publish-shims.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/publish-shims.yml b/.github/workflows/publish-shims.yml index 9b942712..2057832d 100644 --- a/.github/workflows/publish-shims.yml +++ b/.github/workflows/publish-shims.yml @@ -64,7 +64,10 @@ jobs: - name: Build package working-directory: shims/pypi run: | - pip install build + pip install 'build==1.5.0' \ + --require-hashes \ + --hash=sha256:13f3eecb844759ab66efec90ca17639bbf14dc06cb2fdf37a9010322d9c50a6f \ + --hash=sha256:302c22c3ba2a0fd5f3911918651341ebb3896176cbdec15bd421f80b1afc7647 python -m build - name: Publish to PyPI uses: pypa/gh-action-pypi-publish@6733eb7d741f0b11ec6a39b58540dab7590f9b7d # v1.14.0