🔒 restrict dependencies (pypi) via strict hashes

Author: Ousret

.github/workflows/cd.yml

@@ -28,9 +28,9 @@ jobs:
         uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: '3'
-      - name: Update pip, install build
+      - name: Install CI Requirements
         run: |
-          python -m pip install build
+          python -m pip install -r ci-requirements.txt --require-hashes
       - name: Build Wheel
         env:
           CHARSET_NORMALIZER_USE_MYPYC: '0'

.github/workflows/ci.yml

@@ -22,8 +22,9 @@ jobs:
         uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: '3'
-      - name: Install nox
-        run: python -m pip install nox
+      - name: Install CI Requirements
+        run: |
+          python -m pip install -r ci-requirements.txt --require-hashes
       - name: Pre-commit checks
         run: nox -s lint
 
@@ -53,8 +54,9 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
           allow-prereleases: true
-      - name: Install dependencies
-        run: python -m pip install nox
+      - name: Install CI Requirements
+        run: |
+          python -m pip install -r ci-requirements.txt --require-hashes
       - name: Run tests
         run: nox -s test-${{ matrix.python-version }}
       - name: "Upload artifact"
@@ -81,8 +83,9 @@ jobs:
         uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: '3'
-      - name: Install dependencies
-        run: python -m pip install nox
+      - name: Install CI Requirements
+        run: |
+          python -m pip install -r ci-requirements.txt --require-hashes
       - name: Coverage WITH preemptive
         run: nox -s coverage -- --coverage 97 --with-preemptive
       - name: Coverage WITHOUT preemptive
@@ -118,8 +121,9 @@ jobs:
         uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: '3'
-      - name: Install dependencies
-        run: pip install nox
+      - name: Install CI Requirements
+        run: |
+          python -m pip install -r ci-requirements.txt --require-hashes
       - name: Integration Tests with Requests
         run: nox -s downstream_${{ matrix.downstream_project }}
 
@@ -136,8 +140,9 @@ jobs:
         uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: '3'
-      - name: Install dependencies
-        run: pip install nox
+      - name: Install CI Requirements
+        run: |
+          python -m pip install -r ci-requirements.txt --require-hashes
       - name: BC Coverage
         run: nox -s backward_compatibility -- --coverage 80
 
@@ -180,8 +185,9 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
           allow-prereleases: true
-      - name: Install nox
-        run: pip install nox
+      - name: Install CI Requirements
+        run: |
+          python -m pip install -r ci-requirements.txt --require-hashes
       - name: Run tests with mypyc enabled
         run: nox -s test_mypyc-${{ matrix.python-version }}
       - name: "Upload artifact"
@@ -208,8 +214,9 @@ jobs:
         with:
           python-version: "3.x"
 
-      - name: "Install coverage"
-        run: "python -m pip install --upgrade coverage"
+      - name: Install CI Requirements
+        run: |
+          python -m pip install -r ci-requirements.txt --require-hashes
 
       - name: "Download artifact"
         uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
@@ -243,7 +250,8 @@ jobs:
         uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: '3'
-      - name: Install dependencies
-        run: pip install nox
+      - name: Install CI Requirements
+        run: |
+          python -m pip install -r ci-requirements.txt --require-hashes
       - name: Performance Measurement
         run: nox -s performance

ci-requirements.txt

@@ -0,0 +1,15 @@
+nox==2024.4.15; python_version == '3.7'
+    --hash=sha256:6492236efa15a460ecb98e7b67562a28b70da006ab0be164e8821177577c0565
+    --hash=sha256:ecf6700199cdfa9e5ea0a41ff5e6ef4641d09508eda6edb89d9987864115817f
+nox==2025.5.1; python_version >= '3.8'
+    --hash=sha256:56abd55cf37ff523c254fcec4d152ed51e5fe80e2ab8317221d8b828ac970a31
+    --hash=sha256:2a571dfa7a58acc726521ac3cd8184455ebcdcbf26401c7b737b5bc6701427b2
+build==1.1.1; python_version == '3.7'
+    --hash=sha256:8ed0851ee76e6e38adce47e4bee3b51c771d86c64cf578d0c2245567ee200e73
+    --hash=sha256:8eea65bb45b1aac2e734ba2cc8dad3a6d97d97901a395bd0ed3e7b46953d2a31
+build==1.2.2.post1; python_version == '3.8'
+    --hash=sha256:1d61c0887fa860c01971625baae8bdd338e517b836a2f70dd1f7aa3a6b2fc5b5
+    --hash=sha256:b36993e92ca9375a219c99e606a122ff365a760a2d4bba0caa09bd5278b608b7
+build==1.3.0; python_version >= '3.9'
+    --hash=sha256:7145f0b5061ba90a1500d60bd1b13ca0a8a4cebdd0cc16ed8adf1c0e739f43b4
+    --hash=sha256:698edd0ea270bde950f53aed21f3a0135672206f3911e0176261a31e0e07b397