Pip-secure-install: GitHub Action to always use secure install settings from pip

I took what was outlined in the rationale of PEP 665 about what it takes to make pip install secure and reproducible fashion and turned it into an action:

  • --no-deps
  • --require-hashes
  • --only-binary :all:

I personally have left at least one of those options off before when trying to control what gets installed as part of a sensitive CI step or build enough times to motivate me creating this action. And if you use pip-tools w/ --generate-hashes then you should have reproducible installs and avoid various supply chain attacks (e.g. edited files or unexpected dependencies via an sdist).


This is great! Any plans to move it into the PyPA org eventually?

No plans, but if people want to do that I have no issues with it. I’m not sure if it would mean for preexisting users post-move since the reference in GitHub Actions workflow files won’t be quite right, but hopefully GitHub’s normal forwarding kicks in to handle that?