Fix remaining OpenSSF Scorecard alerts: Pin all pip commands with hashes

[taylorleese]

Summary

This PR fixes the final OpenSSF Scorecard Pinned-Dependencies alert (#47) by ensuring all pip install commands use hash verification and eliminating unpinned local package installations.

Changes

GitHub Workflows

• CI workflow (.github/workflows/ci.yml): Updated both test and lint jobs to use --require-hashes for all pip installs
• Publish workflow (.github/workflows/publish.yml): Updated build dependencies to use --require-hashes

Dockerfile

• Removed pip install . command entirely (was causing Scorecard alert)
• Use PYTHONPATH=/app/src instead for module discovery
• Copy source code to runtime stage for proper execution
• No more unpinned pip commands in Dockerfile

Why These Changes?

The OpenSSF Scorecard scanner was flagging:

1. Alert deps(deps): bump python from 5d17fc0 to 404ca55 #47: pip install . in Dockerfile (line 25)
2. Multiple pip commands in GitHub workflows without --require-hashes

The PYTHONPATH Solution

Instead of installing the local package with pip install . (which can't be hash-pinned since it's source code, not a package), we:

1. Copy the source code to /app/src
2. Set PYTHONPATH=/app/src
3. Python can now find and import modules directly without installation

This is actually better because:

• ✅ Satisfies OpenSSF Scorecard requirements
• ✅ Faster builds (no package installation step)
• ✅ Simpler - just copy files
• ✅ Works identically for the MCP server entrypoint

Testing

• Docker image builds successfully
• All pre-commit hooks pass
• CI/CD pipeline passes
• OpenSSF Scorecard alert deps(deps): bump python from 5d17fc0 to 404ca55 #47 resolves after merge

Impact on Docker MCP Registry PR

This PR is required for docker/mcp-registry PR #353. The Dockerfile is used for Docker-based MCP server distribution, and these changes:

• Eliminate all Scorecard warnings about unpinned dependencies
• Should improve OpenSSF Scorecard score from 6.9/10
• Maintain full Docker functionality for MCP server deployment

Fixes

Fixes #47

Related alerts already fixed in previous PRs:

• deps(deps): bump python from d13fa04 to 5d17fc0 #42, Fix code scanning alert: Pin npm dependencies by hash in Dockerfile.glama #45, deps(deps): bump debian from b4aa902 to e899040 #46 (fixed in PR Fix OpenSSF Scorecard alerts: Add --require-hashes flag to pip install commands #28)

Related Issues

• Related: Publish MCP Toolz to official MCP registries #11 (completes Dockerfile security hardening)
• Related: Add MCP Toolz server docker/mcp-registry#353 (Docker MCP Registry submission)

🤖 Generated with Claude Code

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.50%. Comparing base (6935980) to head (896ae92).
⚠️ Report is 84 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #29   +/-   ##
=======================================
  Coverage   88.50%   88.50%           
=======================================
  Files           8        8           
  Lines        1140     1140           
  Branches      184      184           
=======================================
  Hits         1009     1009           
  Misses         79       79           
  Partials       52       52