I took what was outlined in the rationale of PEP 665 about what it takes to make pip install in a secure and reproducible fashion and turned it into an action:
I personally have left at least one of those options off before, when trying to control what gets installed as part of a sensitive CI step or build, enough times to motivate me to create this action. And if you use pip-tools with --generate-hashes then you should have reproducible installs and avoid various supply chain attacks (e.g. edited files or unexpected dependencies via an sdist).
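As an added illustration of the install discipline described above (example code written for this page, not the poster's action and not from pip-tools or PEP 665), the shell script below does two things: it lints a pip-compile style lock file so that every requirement carries a `--hash=sha256:` pin before anything is installed, and it wraps `pip install` with the three options the PEP 665 rationale is taken here to mean: `--require-hashes`, `--only-binary :all:` and `--no-deps` (the reading of the rationale is my assumption; the flags themselves are real pip options). The two lock files are constructed samples with placeholder hashes, not real digests.

```shell
#!/bin/sh
# Added example: lock-file hash check plus a hardened pip install wrapper.
# Not the author's action. Assumes pip (python -m pip) and, for producing the
# lock file in the first place, pip-tools (`pip-compile --generate-hashes`).

# check_lockfile FILE
# Exit 0 if every requirement in a pip-compile style file has at least one
# --hash=sha256: pin; otherwise list the offenders on stderr and exit 1.
# Backslash-continued lines are joined so a package and its hashes form one
# record; comment, blank and option lines (--index-url, -r ...) are skipped.
check_lockfile() {
    awk '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }   # continuation line
        { line = buf $0; buf = "" }                     # complete record
        line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/ { next } # comments / blanks
        line ~ /^[ \t]*-/ { next }                      # global pip options
        line !~ /--hash=sha256:/ {
            print "unpinned: " line > "/dev/stderr"
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# secure_install FILE
# Refuse unhashed requirements, refuse sdists (so no setup.py runs at install
# time) and refuse any dependency the lock file does not list explicitly.
secure_install() {
    check_lockfile "$1" || return 1
    python -m pip install --require-hashes --only-binary :all: --no-deps -r "$1"
}

# Constructed sample lock files (placeholder hashes, not real digests).
tmpdir=$(mktemp -d)
cat > "$tmpdir/good.txt" <<'EOF'
#
# This file is autogenerated by pip-compile with Python 3.12
# by the following command:
#
#    pip-compile --generate-hashes requirements.in
#
--index-url https://pypi.org/simple
certifi==2024.2.2 \
    --hash=sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \
    --hash=sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
    # via requests
requests==2.31.0 \
    --hash=sha256:cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
    # via -r requirements.in
EOF

# Same file, but one transitive dependency was added by hand without hashes.
cat > "$tmpdir/bad.txt" <<'EOF'
--index-url https://pypi.org/simple
requests==2.31.0 \
    --hash=sha256:cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
    # via -r requirements.in
urllib3==2.2.1
    # via requests
EOF

# Demo: the fully pinned file passes, the hand-edited one is rejected.
if check_lockfile "$tmpdir/good.txt"; then echo "good.txt: fully hash-pinned"; fi
if check_lockfile "$tmpdir/bad.txt"; then echo "bad.txt: unexpectedly passed"; else echo "bad.txt: rejected"; fi

# Real use: ./secure_install.sh requirements.txt (only runs when a file is given)
if [ $# -gt 0 ]; then secure_install "$1"; fi
```

The point of running the check before `pip install` is that `--require-hashes` already fails on an unhashed line, but only after pip has started resolving and downloading; failing in a lint step gives a clearer CI error and keeps a partially hashed file from ever reaching the installer.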