pip-secure-install

Public repository: 38 stars, 0 forks, 0 issues.

Commits

List of commits on branch main (all unverified, all committed by brettcannon 3 years ago):

  • 92f400e3191171c1858cc0e0d9ac6320173fdb0c  Add branding
  • 1f4f95d67942e2fd2ed9b3a09083f2734ac611a4  Be explicit about what we are checking for
  • 3c07f91373bafff6aeefd5059d3e950fdc8fcf0d  Add a test for `options`
  • 68c9cad51d237ac83d65449d3a74da121d1c360a  Add a test for `python` input
  • 4d0ce71b61ddfa0438479984d4f077c10a711f5b  Specify a name for the defaults inputs test
  • e6275d9c0162e61f7cf1c57a6ecdc5cebdf3faea  Fix the requirements file again

README

pip-secure-install

A GitHub action to have pip install from a requirements file as securely as possible.

Inputs

python

The command used to run Python. pip is invoked as `<python> -m pip`, so this must name a Python interpreter (for example `python3.11`), not a pip executable. Defaults to `python`.

requirements-file

The path to the requirements file. Defaults to requirements.txt.

options

Additional command-line options appended to the `pip install` invocation (e.g. `--target`). These cannot remove the options listed under Design.

Design

pip is always invoked with a fixed set of options that together make the installation secure and reproducible:

  • A requirements file must be supplied (-r) so that the complete set of packages to be installed is written down statically and can be audited before the job runs.
  • pip does no dependency resolution (--no-deps): it installs exactly the entries in the file and nothing else, so the file has to be complete, transitive dependencies included, rather than relying on whatever pip would resolve at install time.
  • Every requirement must carry a hash (--require-hashes), which also forces each entry to be pinned to an exact version with ==; pip refuses any downloaded file whose digest does not match the listed one, so a tampered or substituted archive fails the install instead of being executed.
  • Only wheels are accepted (--only-binary :all:), so no sdist build (which would run the project's setup.py or build backend on the runner) happens during installation, and what ends up installed is exactly the published, hashed artefact.
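The constraints above can be checked before the job runs. The following is an added example, not code from the pip-secure-install action: it parses a requirements file the way `--require-hashes` expects one (exact `==` pins, one or more `--hash=` options per entry, backslash continuations, `#` comments) and reports anything pip would reject, then builds the `python -m pip install ...` argv that the Design section implies from the three inputs. The sample requirements text and its digests are constructed placeholders, and the exact argument order the real action uses is an assumption, since the page does not show its implementation.

```python
"""Pre-flight check for a hashed, pinned, wheel-only requirements file.

Added example, not the pip-secure-install action's own code.  The pip argv
built here (-r, --no-deps, --require-hashes, --only-binary :all:) follows the
README's Design section; the argument order is assumed.
"""
import re
import shlex

# An entry acceptable under --require-hashes: name[extras]==version ...
_PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?==([^\s;]+)")
_HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)")
_HASH_LEN = {"sha256": 64, "sha384": 96, "sha512": 128}  # hex digits per algorithm


def join_continuations(text: str) -> list[str]:
    """Merge backslash-continued lines and drop blank and full-line comment lines."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip() and not buf.lstrip().startswith("#"):
            logical.append(buf.strip())
        buf = ""
    if buf.strip():  # file ended on a continuation line
        logical.append(buf.strip())
    return logical


def check_requirements(text: str) -> list[str]:
    """Return the problems found; an empty list means every entry is pinned
    with ==, carries at least one well-formed --hash, and is not editable."""
    problems: list[str] = []
    for line in join_continuations(text):
        line = re.split(r"(?:^|\s)#", line, maxsplit=1)[0].strip()  # strip inline comment
        if not line:
            continue
        if line.startswith(("-e ", "--editable")):
            problems.append(f"editable install cannot be hashed or installed as a wheel: {line}")
            continue
        if line.startswith("-"):
            continue  # other option lines (-r, -c, --index-url, ...) are not requirements
        m = _PIN_RE.match(line)
        if not m:
            problems.append(f"not pinned to an exact version with ==: {line}")
            continue
        hashes = _HASH_RE.findall(line)
        if not hashes:
            problems.append(f"no --hash given for {m.group(1)}=={m.group(3)}")
            continue
        for algo, digest in hashes:
            if len(digest) != _HASH_LEN[algo]:
                problems.append(f"malformed {algo} digest for {m.group(1)}: {digest}")
    return problems


def build_pip_command(python: str = "python",
                      requirements_file: str = "requirements.txt",
                      options: str = "") -> list[str]:
    """argv for the install; pip runs via -m so `python` must be an interpreter,
    and `options` is split shell-style and appended (assumed order)."""
    return [python, "-m", "pip", "install",
            "--no-deps", "--require-hashes", "--only-binary", ":all:",
            "-r", requirements_file, *shlex.split(options)]


_FAKE = "0123456789abcdef" * 4  # 64 hex chars standing in for a real sha256 wheel digest

# Constructed sample files; the digests are placeholders, not real hashes.
GOOD = f"""\
# every entry pinned with == and hashed; two hashes cover two wheel builds
requests==2.31.0 \\
    --hash=sha256:{_FAKE}
urllib3==2.0.7 --hash=sha256:{_FAKE} --hash=sha256:{_FAKE[::-1]}  # inline comment
"""

BAD = """\
requests>=2.31  # version range, no hash: pip would refuse this under --require-hashes
-e ./localpkg
certifi==2023.7.22 --hash=sha256:dead
"""

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        issues = check_requirements(text)
        print(f"{name}: {'ok' if not issues else 'rejected'}")
        for issue in issues:
            print("  -", issue)
    print(shlex.join(build_pip_command(options="--target vendor")))
```

Running the script reports GOOD as ok and rejects all three BAD entries; pip itself would only fail at install time, after the runner has already fetched the files.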