I took what was outlined in the rationale of PEP 665 about what it takes to make pip install in a secure and reproducible fashion and turned it into an action:
--no-deps
--require-hashes
--only-binary :all:
I personally have left at least one of those options off before when trying to control what gets installed as part of a sensitive CI step or build, enough times to motivate me to create this action. And if you use pip-tools with --generate-hashes, then you should have reproducible installs and avoid various supply chain attacks (e.g. edited files or unexpected dependencies via an sdist).
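As an added illustration (not code from the post, the action, pip or pip-tools) of what --require-hashes and --only-binary :all: actually check, here is a small pre-install audit: it parses a lockfile written by pip-compile --generate-hashes and compares it against a directory of already-downloaded distributions, reporting any pin without a hash, any sdist, and any file whose digest does not match. The lockfile layout and the file names are assumptions based on pip-compile and pip download output.

```python
"""Added example, not from the post or from pip/pip-tools: audit a hash-pinned
requirements file plus a directory of downloaded distributions before pip runs.
Assumes the lockfile came from `pip-compile --generate-hashes` and the files
from `pip download`; the test uses constructed stand-ins for both."""
import hashlib
import re
from pathlib import Path

REQ_RE = re.compile(r"^([A-Za-z0-9_.\-]+)(?:\[[^\]]*\])?==(\S+)")
HASH_RE = re.compile(r"--hash=([a-z0-9]+):([0-9a-fA-F]+)")


def parse_lockfile(text: str) -> dict:
    """Map normalized project name -> (version, [(algo, digest), ...]).
    pip-compile continues a requirement across lines with a trailing '\\'."""
    pins = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()  # drop '# via ...' annotations
        m = REQ_RE.match(line)
        if m:
            name = m.group(1).lower().replace("_", "-")
            pins[name] = (m.group(2), HASH_RE.findall(line))
    return pins


def audit(lock_text: str, dist_dir: Path) -> list:
    """Return findings; an empty list means every pin would pass both
    --require-hashes and --only-binary :all:."""
    findings = []
    for name, (version, hashes) in parse_lockfile(lock_text).items():
        if not hashes:
            findings.append(f"{name}=={version}: no --hash (fails --require-hashes)")
            continue
        # Wheel and sdist filenames both start with <name>-<version>, with
        # '-' and '_' used interchangeably, so normalize before comparing.
        prefix = f"{name}_{version}".lower().replace("-", "_")
        files = [f for f in dist_dir.iterdir()
                 if f.name.lower().replace("-", "_").startswith(prefix)]
        if not files:
            findings.append(f"{name}=={version}: no downloaded artifact")
        for f in files:
            if f.suffix != ".whl":
                findings.append(f"{f.name}: sdist, rejected by --only-binary :all:")
                continue
            data = f.read_bytes()
            digests = {algo: hashlib.new(algo, data).hexdigest() for algo, _ in hashes}
            if not any(digests[algo] == d.lower() for algo, d in hashes):
                findings.append(f"{f.name}: hash mismatch (fails --require-hashes)")
    return findings
```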