Add pinning dependencies (#2916)

openvinotoolkit · Feb 14, 2024 · dc7586e · dc7586e
1 parent f977f5f
commit dc7586e
Show file tree

Hide file tree

Showing 6 changed files with 11 additions and 7 deletions.
diff --git a/.ci/Dockerfile b/.ci/Dockerfile
@@ -3,7 +3,7 @@
 #########################################################
 ARG ver_cuda="11.7.1"
 
-FROM nvidia/cuda:${ver_cuda}-devel-ubuntu20.04 AS python_base_cuda
+FROM nvidia/cuda:${ver_cuda}-devel-ubuntu20.04@sha256:f663a1cf01a46daa469c75bf246ac00098bd5179aff2c75367c44f475cd4c8f4 AS python_base_cuda
 LABEL maintainer="OpenVINO Training Extensions Development Team"
 
 ARG HTTP_PROXY

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -79,6 +79,6 @@ jobs:
         if: ${{ steps.check-tag.outputs.match == '' }}
         uses: pypa/gh-action-pypi-publish@22b4d1f12511f2696162c08546dafbaa903448a2 # v1.7.1
         with:
-          password: ${{ secrets.TESTPYPI_API_TOKEN }}
+          password: ${{ secrets.TEST_PYPI_API_TOKEN }}
           repository-url: https://test.pypi.org/legacy/
           verbose: true
diff --git a/.github/workflows/publish_internal.yml b/.github/workflows/publish_internal.yml
@@ -30,7 +30,7 @@ jobs:
         with:
           python-version: "3.10"
       - name: Install pypa/build
-        run: python -m pip install build==1.*
+        run: python -m pip install -r requirements/publish.txt
       - name: Build sdist
         run: python -m build --sdist
       - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
@@ -45,12 +45,14 @@ jobs:
     permissions:
       packages: write
     steps:
+      - name: Checkout
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       - name: Set up Python
         uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
           python-version: "3.10"
       - name: Install dependencies
-        run: python -m pip install twine==4.0.2
+        run: python -m pip install -r requirements/publish.txt
       - name: Download artifacts
         uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
@@ -76,7 +78,7 @@ jobs:
         if: ${{ steps.check-tag.outputs.match == '' }}
         run: |
           export REPOSITORY_URL=https://test.pypi.org/legacy/
-          twine upload --verbose --repository-url $REPOSITORY_URL dist/* -u __token__ -p ${{ secrets.TESTPYPI_API_TOKEN }}
+          twine upload --verbose --repository-url $REPOSITORY_URL dist/* -u __token__ -p ${{ secrets.TEST_PYPI_API_TOKEN }}
       - name: Clean up dist
         if: ${{ always() }}
         run: |

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -67,6 +67,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@dc021d495cb77b369e4d9d04a501700fd83b8c51 # v2.24.0
         with:
           sarif_file: results.sarif
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 
-ARG UBUNTU_VER=20.04
+ARG UBUNTU_VER=20.04@sha256:a4fab1802f08df089c4b2e0a1c8f1a06f573bd1775687d07fef4076d3a2e4900
 FROM ubuntu:$UBUNTU_VER
 
 ARG PYTHON_VER=3.9

diff --git a/requirements/publish.txt b/requirements/publish.txt
@@ -0,0 +1,2 @@
+build==1.0.3
+twine==4.0.2