Pip-secure-install: GitHub Action to always use secure install settings from pip

I took what was outlined in the rationale of PEP 665 about what it takes to make `pip install` run in a secure and reproducible fashion and turned it into an action:

  • --no-deps
  • --require-hashes
  • --only-binary :all:

I personally have left at least one of those options off before when trying to control what gets installed as part of a sensitive CI step or build, enough times to motivate me to create this action. And if you use pip-tools w/ --generate-hashes then you should have reproducible installs and avoid various supply chain attacks (e.g. edited files or unexpected dependencies via an sdist).

11 Likes
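As an added example (not the action's own code, and not from the post above): a small Python pre-flight check that a hash-pinned requirements file really carries a `--hash` for every requirement before the locked `pip install` is run with the three flags listed. `--require-hashes` makes pip abort on the first unhashed line, so catching that up front gives a clearer CI failure. The sample requirements text is constructed in pip-compile `--generate-hashes` layout with placeholder digests, and the function names are mine.

```python
"""Pre-flight check for a hash-pinned requirements file, then the locked pip install."""
import subprocess
import sys

# Constructed sample in pip-compile --generate-hashes layout.
# The sha256 values are placeholders, not real digests of these packages.
SAMPLE_REQUIREMENTS = """\
# This file is autogenerated by pip-compile with Python 3.11
--index-url https://pypi.org/simple
certifi==2024.2.2 \\
    --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef \\
    --hash=sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
    # via requests
requests==2.31.0 \\
    --hash=sha256:deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
urllib3
"""


def logical_lines(text):
    """Join backslash-continued physical lines into logical lines, dropping comments and blanks."""
    out, buf = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        out.append(" ".join(buf))
        buf = []
    if buf:  # file ended on a continuation line
        out.append(" ".join(buf))
    return out


def unhashed_requirements(text):
    """Return requirement names that carry no --hash option.

    pip --require-hashes rejects such lines, so any non-empty result means the
    file is not fully locked. Global option lines (--index-url, -r ...) are skipped.
    """
    missing = []
    for line in logical_lines(text):
        tokens = line.split()
        if tokens[0].startswith("-"):
            continue
        if not any(t.startswith("--hash=") for t in tokens):
            missing.append(tokens[0])
    return missing


def secure_install_args(requirements_path):
    """argv for the locked install: no resolver, hashes mandatory, wheels only."""
    return [sys.executable, "-m", "pip", "install",
            "--no-deps", "--require-hashes", "--only-binary", ":all:",
            "-r", requirements_path]


def install_locked(requirements_path):
    """Refuse to install unless every requirement in the file is hash-pinned."""
    with open(requirements_path, encoding="utf-8") as fh:
        missing = unhashed_requirements(fh.read())
    if missing:
        raise SystemExit(f"unhashed requirements in {requirements_path}: {', '.join(missing)}")
    subprocess.run(secure_install_args(requirements_path), check=True)


if __name__ == "__main__":
    # Running the check on the constructed sample reports the one unpinned entry.
    print("unhashed:", unhashed_requirements(SAMPLE_REQUIREMENTS))
    if len(sys.argv) > 1:
        install_locked(sys.argv[1])
```

Run as `python check_and_install.py requirements.txt` in the CI step; the check is purely textual, so it costs nothing and fails before pip touches the network.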

This is great! Any plans to move it into the PyPA org eventually?

1 Like

No plans, but if people want to do that I have no issues with it. I’m not sure what it would mean for preexisting users post-move since the reference in GitHub Actions workflow files won’t be quite right, but hopefully GitHub’s normal forwarding kicks in to handle that?

3 Likes