Add pinning dependencies

.ci/Dockerfile

@@ -3,7 +3,7 @@
 #########################################################
 ARG ver_cuda="11.7.1"
 
-FROM nvidia/cuda:${ver_cuda}-devel-ubuntu20.04 AS python_base_cuda
+FROM nvidia/cuda:${ver_cuda}-devel-ubuntu20.04@sha256:f663a1cf01a46daa469c75bf246ac00098bd5179aff2c75367c44f475cd4c8f4 AS python_base_cuda
 LABEL maintainer="OpenVINO Training Extensions Development Team"
 
 ARG HTTP_PROXY

.github/workflows/publish.yml

@@ -79,6 +79,6 @@ jobs:
         if: ${{ steps.check-tag.outputs.match == '' }}
         uses: pypa/gh-action-pypi-publish@22b4d1f12511f2696162c08546dafbaa903448a2 # v1.7.1
         with:
-          password: ${{ secrets.TESTPYPI_API_TOKEN }}
+          password: ${{ secrets.TEST_PYPI_API_TOKEN }}
           repository-url: https://test.pypi.org/legacy/
           verbose: true

.github/workflows/publish_internal.yml

@@ -30,7 +30,7 @@ jobs:
         with:
           python-version: "3.10"
       - name: Install pypa/build
-        run: python -m pip install build==1.*
+        run: python -m pip install -r requirements/publish.txt
       - name: Build sdist
         run: python -m build --sdist
       - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
@@ -45,12 +45,14 @@ jobs:
     permissions:
       packages: write
     steps:
+      - name: Checkout
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       - name: Set up Python
         uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
           python-version: "3.10"
       - name: Install dependencies
-        run: python -m pip install twine==4.0.2
+        run: python -m pip install -r requirements/publish.txt
       - name: Download artifacts
         uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
@@ -76,7 +78,7 @@ jobs:
         if: ${{ steps.check-tag.outputs.match == '' }}
         run: |
           export REPOSITORY_URL=https://test.pypi.org/legacy/
-          twine upload --verbose --repository-url $REPOSITORY_URL dist/* -u __token__ -p ${{ secrets.TESTPYPI_API_TOKEN }}
+          twine upload --verbose --repository-url $REPOSITORY_URL dist/* -u __token__ -p ${{ secrets.TEST_PYPI_API_TOKEN }}
       - name: Clean up dist
         if: ${{ always() }}
         run: |

.github/workflows/scorecard.yml

@@ -67,6 +67,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@dc021d495cb77b369e4d9d04a501700fd83b8c51 # v2.24.0
         with:
           sarif_file: results.sarif

Dockerfile

@@ -1,5 +1,5 @@
 
-ARG UBUNTU_VER=20.04
+ARG UBUNTU_VER=20.04@sha256:a4fab1802f08df089c4b2e0a1c8f1a06f573bd1775687d07fef4076d3a2e4900
 FROM ubuntu:$UBUNTU_VER
 
 ARG PYTHON_VER=3.9

requirements/publish.txt

@@ -0,0 +1,2 @@
+build==1.0.3
+twine==4.0.2