Skip to content

(chore) pin dependencies for workflows and Docker base images#238

Open
smoy wants to merge 2 commits into
NVIDIA:mainfrom
smoy:chore/pin-dependencies
Open

(chore) pin dependencies for workflows and Docker base images#238
smoy wants to merge 2 commits into
NVIDIA:mainfrom
smoy:chore/pin-dependencies

Conversation

@smoy

@smoy smoy commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Addressing two of the three issues from ossf/scorecard

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:45
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:71

Warn: containerImage not pinned by hash: Dockerfile:1
Warn: containerImage not pinned by hash: Dockerfile:9: pin your Docker image by updating python:3.12-slim-bookworm to python:3.12-slim-bookworm@sha256:8a7e7cc04fd3e2bd787f7f24e22d5d119aa590d429b50c95dfe12b3abe52f48b
Warn: pipCommand not pinned by hash: Dockerfile:7

@rng1995 rng1995 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[Automated SkillSpector Review]

Approved. Both checkout uses are pinned to the immutable v4.2.2 commit, and both Docker stages pin the same immutable Python image digest. The diff is limited to supply-chain pinning and introduces no runtime/schema change. Current Python jobs fail formatting only in unchanged mcp_least_privilege.py, a known mainline drift outside this PR; DCO passes.

@rng1995

rng1995 commented Jul 10, 2026

Copy link
Copy Markdown
Collaborator

Fix linting issues @smoy

@smoy smoy force-pushed the chore/pin-dependencies branch from 69a69bc to 9b7546c Compare July 10, 2026 20:38
@smoy smoy requested a review from rng1995 July 10, 2026 20:38
@smoy

smoy commented Jul 10, 2026

Copy link
Copy Markdown
Contributor Author

Fix linting issues @smoy

rebsed from upstream.

make line is clean now

 make lint              
Running ruff...
ruff check src/ tests/
All checks passed!

@rng1995 rng1995 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[Automated SkillSpector Review]

Re-review after new commits (prior approval at 9b7546c, 2026-07-09).

The PR pins all five actions/checkout uses in .github/workflows/ci.yml to 11bd71901bbe5b1630ceea73d27597364c9af683 (verified against the actions/checkout v4.2.2 tag) and pins both Dockerfile stages to the same immutable python:3.12-slim-bookworm digest. That content is unchanged from the previously approved head, so the prior approval's findings still hold for it.

Post-approval commits reviewed: the only new commit is 630bade ("Merge branch 'main' into chore/pin-dependencies", 2026-07-14). The merge is clean: the net PR diff against current main is still exactly the 7 pinning changes across 2 files, with no extraneous or reverted content smuggled in via the merge.

Blocker

  1. Merge commit 630bade has no Signed-off-by: trailer. The DCO check that this merge itself brings in from main iterates every commit in BASE..HEAD (including merge commits — there is no --no-merges exemption) and exits 1 on any commit missing a sign-off. The two original commits are signed off, but the merge commit is not, so the DCO Check job will fail at the current head (combined status is currently pending/unstable). Fix: redo the sync with a signed-off merge (git merge main --signoff) or rebase onto main (git rebase main keeps the existing signed-off commits and drops the merge commit entirely).

Non-blocking

  • The merged-in main added a docker-smoke upload step using actions/upload-artifact@v4 (ci.yml line 104), which is unpinned — the same scorecard Pinned-Dependencies class this PR addresses. It is outside this PR's diff (mainline drift), but since you will touch the branch anyway to fix the DCO issue, consider pinning it to the v4 tag's commit SHA here or in a quick follow-up.

@smoy smoy force-pushed the chore/pin-dependencies branch from 630bade to 4fdab0e Compare July 14, 2026 18:09
@smoy smoy requested a review from rng1995 July 14, 2026 18:09
@smoy

smoy commented Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

I've revised the pull request to addressed the blocker. Also addressed the newly introduce tag issue after rebasing on latest upstream.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants