GitXplorer

pip-secure-install

public
38 stars
0 forks
0 issues

Commits

List of commits on branch main.
Unverified
77f1cd5863e021f74c46de61187783e90935c1b8

Add the renamed file

bbrettcannon committed 3 years ago
Unverified
6cd27a2c908aeb64a07c8fe2dc1d32e5ff3512af

Rename the CI workflow file

bbrettcannon committed 3 years ago
Unverified
b10c65c66c39d93cf79a51c14f5b9b576f9b3ba2

Fix a mistake in the test `requirements.txt`

bbrettcannon committed 3 years ago
Verified
f9efbfc393e817b0cceec085e48fadebeec857ae

Add CI for default inputs

bbrettcannon committed 3 years ago
Unverified
89b5ef412d1f9ceef86f3183af9d0dc6abc6eeea

Add a `requirements.txt` file for testing

bbrettcannon committed 3 years ago
Unverified
f267261efae6ee0d095f8e0fd4bd914f8eda6d2d

First attempt

bbrettcannon committed 3 years ago

README

The README file for this repository.

pip-secure-install

A GitHub action to have pip install from a requirements file as securely as possible.

Inputs

python

The command used to run Python (pip is invoked as `<python> -m pip`, so this must be a Python interpreter). Defaults to `python`.

requirements-file

The path to the requirements file. Defaults to `requirements.txt`.

options

Additional command-line options to pass to `pip install` (e.g. `--target`).

Design

A few options are turned on for pip to make sure installations are secure and reproducible:

  • A requirements file must be specified, so that every dependency is known statically for auditing purposes (`-r`).
  • No dependency resolution is performed, so the requirements file must list every dependency itself (`--no-deps`).
  • Every requirement must have a hash provided, so that the downloaded files can be checked for tampering (`--require-hashes`).
  • Only wheels are allowed, so that installs are reproducible and no build step runs at install time (`--only-binary :all:`).
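The following is an added example, not code from the pip-secure-install action itself. It shows the two sides of the design above in plain POSIX shell: a helper that assembles the `pip install` command from the three inputs (`python`, `requirements-file`, `options`) with the four hardening options, and a pre-flight lint that rejects a requirements file before pip ever runs if any entry is not pinned with `==` and hashed, which is exactly what `--require-hashes` would refuse. The sample requirements files, the `packaging`/`attrs`/`requests`/`urllib3` entries and the digests in them are constructed for this example; the digests are placeholders, not real wheel hashes.

```shell
#!/bin/sh
# Added example around the pip-secure-install design, not the action's own code.
#   build_pip_command          assembles the pip invocation with -r, --no-deps,
#                              --require-hashes and --only-binary :all:
#   check_requirements_hashes  a pre-flight lint: every requirement line must be
#                              pinned (==) and carry at least one --hash=
# Sample requirements files below are constructed; their digests are placeholders.

build_pip_command() {
    python_cmd="${1:-python}"          # the action's "python" input
    req_file="${2:-requirements.txt}"  # the action's "requirements-file" input
    extra="${3:-}"                     # the action's "options" input, e.g. --target
    cmd="$python_cmd -m pip install --no-deps --require-hashes --only-binary :all: -r $req_file"
    [ -n "$extra" ] && cmd="$cmd $extra"
    printf '%s\n' "$cmd"
}

# Exit 0 if every requirement in "$1" is pinned and hashed, 1 otherwise.
# Offending entries are reported on stderr.
check_requirements_hashes() {
    awk '
        # Join backslash-continued lines, the layout pip-compile --generate-hashes emits.
        /\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, " "); buf = buf $0; next }
        { line = buf $0; buf = "" }
        # Comments, blank lines and global options (--index-url, ...) are not requirements.
        line ~ /^[[:space:]]*(#|$)/ { next }
        line ~ /^[[:space:]]*--/    { next }
        {
            problem = ""
            if (line !~ /==/)
                problem = "not pinned with =="
            else if (line !~ /--hash=sha(256|384|512):[0-9a-f]+/)
                problem = "no --hash= given"
            if (problem != "") {
                bad++
                print "requirements check: " problem ": " line > "/dev/stderr"
            }
        }
        END { exit (bad > 0 ? 1 : 0) }
    ' "$1"
}

WORKDIR="$(mktemp -d)"
GOOD_REQ="$WORKDIR/requirements.txt"
BAD_REQ="$WORKDIR/requirements-bad.txt"

# Constructed sample: every requirement pinned and hashed (placeholder digests).
cat > "$GOOD_REQ" <<'EOF'
# constructed example; digests are placeholders, not real hashes
--index-url https://pypi.org/simple
packaging==23.1 \
    --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef \
    --hash=sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
attrs==23.1.0 --hash=sha256:00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
EOF

# Constructed sample: one entry unpinned, one pinned but unhashed.
cat > "$BAD_REQ" <<'EOF'
requests>=2.0
urllib3==2.0.4
EOF

# Standalone demo: lint both files, and show the command that would follow a pass.
if check_requirements_hashes "$GOOD_REQ"; then
    echo "accepted: $GOOD_REQ"
    build_pip_command python "$GOOD_REQ" "--target vendor/"
fi
check_requirements_hashes "$BAD_REQ" || echo "rejected: $BAD_REQ"
```

Running the lint before `pip install` gives a clearer failure message than pip's own error, and it catches the common mistake of a hand-edited file with one unpinned line. The lint deliberately skips lines that start with `--`, since those are pip global options rather than requirements; an editable install such as `-e .` is not skipped and fails the check, which matches pip's behaviour under `--require-hashes`.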