Harden dependency management (#556)

Author: jaydeluca

.github/renovate.json5

@@ -12,6 +12,12 @@
   },
 
   packageRules: [
+    // Pre-commit hooks (digest-pin to commit SHA for supply chain hardening)
+    {
+      matchManagers: ["pre-commit"],
+      pinDigests: true,
+    },
+
     // Dev dependencies (patch/minor)
     {
       matchDepTypes: ["devDependencies"],

.github/workflows/build-and-test.yml

@@ -46,7 +46,7 @@ jobs:
         with:
           python-version-file: ".python-version"
       - name: Check copyright headers
-        run: uv run python scripts/check_copyright.py
+        run: uv run --frozen python scripts/check_copyright.py
 
   test-ecosystem-automation:
     name: Test ecosystem-automation
@@ -67,7 +67,7 @@ jobs:
           python-version-file: ".python-version"
 
       - name: Install dependencies
-        run: uv sync --all-extras --dev
+        run: uv sync --locked --all-extras --dev
 
       - name: Run collector-watcher tests
         run: |

.github/workflows/build-explorer-database.yml

@@ -54,12 +54,15 @@ jobs:
         run: |
           .github/scripts/use-cla-approved-bot.sh
 
-      - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
         if: steps.repo_check.outputs.is_primary == 'true'
         id: otelbot-token
         with:
           app-id: ${{ vars.OTELBOT_APP_ID }}
           private-key: ${{ secrets.OTELBOT_PRIVATE_KEY }}
+          repositories: ${{ github.event.repository.name }}
+          permission-contents: write
+          permission-pull-requests: write
 
       - name: Configure git (fork)
         if: steps.repo_check.outputs.is_primary == 'false'
@@ -78,7 +81,7 @@ jobs:
           python-version-file: ".python-version"
 
       - name: Install dependencies
-        run: uv sync
+        run: uv sync --locked
 
       - name: Build explorer database (incremental)
         if: inputs.build_mode == 'incremental'

.github/workflows/nightly-registry-update.yml

@@ -47,12 +47,15 @@ jobs:
         run: |
           .github/scripts/use-cla-approved-bot.sh
 
-      - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
         if: steps.repo_check.outputs.is_primary == 'true'
         id: otelbot-token
         with:
           app-id: ${{ vars.OTELBOT_APP_ID }}
           private-key: ${{ secrets.OTELBOT_PRIVATE_KEY }}
+          repositories: ${{ github.event.repository.name }}
+          permission-contents: write
+          permission-pull-requests: write
 
       - name: Configure git (forked repository)
         if: steps.repo_check.outputs.is_primary == 'false'
@@ -79,7 +82,7 @@ jobs:
           python-version-file: ".python-version"
 
       - name: Install dependencies
-        run: uv sync
+        run: uv sync --locked
 
       - name: Run collector-watcher
         id: collector_watcher

.github/workflows/screenshots-baseline.yml

@@ -72,11 +72,13 @@ jobs:
           cp ecosystem-explorer/screenshots/*.png /tmp/baseline/
 
       - name: Get otelbot token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
         id: otelbot-token
         with:
           app-id: ${{ vars.OTELBOT_APP_ID }}
           private-key: ${{ secrets.OTELBOT_PRIVATE_KEY }}
+          repositories: ${{ github.event.repository.name }}
+          permission-contents: write
 
       - name: Use CLA approved github bot
         run: .github/scripts/use-cla-approved-bot.sh

.github/workflows/screenshots-cleanup.yml

@@ -27,11 +27,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Get otelbot token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
         id: otelbot-token
         with:
           app-id: ${{ vars.OTELBOT_APP_ID }}
           private-key: ${{ secrets.OTELBOT_PRIVATE_KEY }}
+          repositories: ${{ github.event.repository.name }}
+          permission-contents: write
 
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

.github/workflows/screenshots-commit.yml

@@ -142,11 +142,13 @@ jobs:
           git push origin otelbot/screenshots
 
       - name: Get otelbot token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
         id: otelbot-token
         with:
           app-id: ${{ vars.OTELBOT_APP_ID }}
           private-key: ${{ secrets.OTELBOT_PRIVATE_KEY }}
+          repositories: ${{ github.event.repository.name }}
+          permission-issues: write
 
       - name: Post or update PR comment
         env:

.pre-commit-config.yaml

@@ -1,13 +1,13 @@
 repos:
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.9.1
+    rev: 18ba2d02dcafd1cc608bd83eff6c17fb0108ca71 # v0.9.1
     hooks:
       - id: ruff
         args: [--fix]
       - id: ruff-format
 
   - repo: https://github.com/DavidAnson/markdownlint-cli2
-    rev: v0.16.0
+    rev: 1d349044b9624661f5a0a7e13e0ca9801752022a # v0.16.0
     hooks:
       - id: markdownlint-cli2
         args: ["--fix"]

ecosystem-automation/v1-registry-sync/pyproject.toml

@@ -10,6 +10,9 @@ dependencies = [
 [project.scripts]
 v1-registry-sync = "v1_registry_sync.main:main"
 
+[tool.uv.sources]
+collector-watcher = { workspace = true }
+
 [project.optional-dependencies]
 dev = [
     "pytest>=8.0.0",

pyproject.toml

@@ -40,9 +40,9 @@ line-length = 120
 target-version = "py311"
 
 [tool.ruff.lint]
-select = ["E", "F", "I", "N", "W"]
+select = ["E", "F", "I", "N", "W", "S"]
 
 [tool.pytest.ini_options]
 addopts = "--import-mode=importlib"
 testpaths = ["ecosystem-automation"]
-python_files = ["test_*.py", "*_test.py"]
+python_files = ["test_*.py", "*_test.py"]