
ci: workflows: pin python dependencies#87609

Merged
nashif merged 3 commits into zephyrproject-rtos:main from nashif:topic/ci/pin_deps on Mar 29, 2025

Conversation

@nashif
Member

@nashif nashif commented Mar 25, 2025

Pin python dependencies to hashes and cleanup/unify python setup steps in
various workflows.

We now have one dependency file containing all requirements for github
actions that is managed centrally with hashes. No direct pip installs
are needed in workflow files and everything shall go via the
requirements file.

Pinning to specific version and hashes helps with preventing supply
chain attacks.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
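As an added example (not code from this PR or from Zephyr's scripts), a small checker in the spirit of pip's `--require-hashes` mode: it parses a requirements file in the format `pip-compile --generate-hashes` emits, flags entries that are not pinned with `==` or carry no sha256 hash, and shows the install-time digest comparison pip performs. The requirements text embedded below is constructed for illustration.

```python
import hashlib
import re

# Constructed sample in the format `pip-compile --generate-hashes` emits (not Zephyr's
# scripts/requirements-actions.txt); the gitlint-core digest is sha256(b"abc").
SAMPLE_REQUIREMENTS = """\
# constructed example
gitlint-core==0.19.1 \\
    --hash=sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
pyyaml>=6.0   # range, not a pin: pip --require-hashes rejects this
west==1.2.0   # pinned, but without a hash
"""

REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;]+)?")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")

def logical_lines(text):
    """Join backslash-continued lines and drop comments, as pip does."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""

def check_requirements(text):
    """Return {name: {"hashes": [...], "problems": [...]}}; an empty problems list means OK."""
    report = {}
    for line in logical_lines(text):
        # Skip pip options (-r, --index-url, ...) and anything that is not a name requirement.
        if line.startswith("-") or not (m := REQ_RE.match(line)):
            continue
        name, op, version = m.groups()
        hashes = [h.lower() for h in HASH_RE.findall(line)]
        problems = []
        if op != "==" or not version:
            problems.append("not pinned with ==")
        if not hashes:
            problems.append("no sha256 --hash")
        report[name.lower()] = {"hashes": hashes, "problems": problems}
    return report

def artifact_matches(data, pinned_hashes):
    """The install-time check: the downloaded file's digest must be one of the pinned hashes."""
    return hashlib.sha256(data).hexdigest() in {h.lower() for h in pinned_hashes}
```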

@nashif force-pushed the topic/ci/pin_deps branch 2 times, most recently from e13a855 to 68c2a9b on March 25, 2025 08:41
@nashif force-pushed the topic/ci/pin_deps branch 2 times, most recently from 18b79c3 to 374367f on March 25, 2025 08:59
@nashif
Member Author

nashif commented Mar 25, 2025

hmm, not sure about this one:

```
Traceback (most recent call last):
  File "/opt/hostedtoolcache/Python/3.12.9/x64/bin/gitlint", line 5, in <module>
    from gitlint.cli import cli
  File "/opt/hostedtoolcache/Python/3.12.9/x64/lib/python3.12/site-packages/gitlint/cli.py", line 3, in <module>
    from gitlint.config import LintConfig, LintConfigError
  File "/opt/hostedtoolcache/Python/3.12.9/x64/lib/python3.12/site-packages/gitlint/config.py", line 2, in <module>
    import ConfigParser
ModuleNotFoundError: No module named 'ConfigParser'
Compliance error, check for error messages in the "Run Compliance Tests" st
```

I have not seen this during testing :(

@pdgendt
Contributor

pdgendt commented Mar 25, 2025

> hmm, not sure about this one:
>
> ```
> Traceback (most recent call last):
>   File "/opt/hostedtoolcache/Python/3.12.9/x64/bin/gitlint", line 5, in <module>
>     from gitlint.cli import cli
>   File "/opt/hostedtoolcache/Python/3.12.9/x64/lib/python3.12/site-packages/gitlint/cli.py", line 3, in <module>
>     from gitlint.config import LintConfig, LintConfigError
>   File "/opt/hostedtoolcache/Python/3.12.9/x64/lib/python3.12/site-packages/gitlint/config.py", line 2, in <module>
>     import ConfigParser
> ModuleNotFoundError: No module named 'ConfigParser'
> Compliance error, check for error messages in the "Run Compliance Tests" st
> ```
>
> I have not seen this during testing :(

Can we update the gitlint package? Also for the requirements.in file, we could specify gitlint-core instead.

@nashif force-pushed the topic/ci/pin_deps branch 2 times, most recently from f7b1d2e to 4ebcffb on March 26, 2025 02:24
@nashif nashif merged commit 19c6240 into zephyrproject-rtos:main Mar 29, 2025
72 of 73 checks passed
@teburd
Contributor

teburd commented Mar 29, 2025

Let's do it with the entire environment using nix :-D Hash all the things!

@pdgendt
Contributor

pdgendt commented Mar 31, 2025

Missed it last time I reviewed, but commit messages shouldn't contain GitHub #number references 🫣

jaci-nordic added a commit to jaci-nordic/sdk-nrf-1 that referenced this pull request Aug 20, 2025
Pinning to specific version and hashes helps with preventing supply
chain attacks.
Do not use custom tokens, rely on GH provided and managed tokens.
Update GitHub Actions workflows to follow principle of least privilege
Based on zephyr changes:
zephyrproject-rtos/zephyr#87184
zephyrproject-rtos/zephyr#87609
zephyrproject-rtos/zephyr#87510
zephyrproject-rtos/zephyr#87254

Signed-off-by: Jakub Ciesla <jakub.ciesla@nordicsemi.no>
8 participants