GitHub Action

pip-secure-install

v1.0.0 Latest version

Have pip install from a requirements file as securely as possible

Installation

Copy and paste the following snippet into your .yml file.

- name: pip-secure-install
  uses: brettcannon/pip-secure-install@v1.0.0

Learn more about this action in brettcannon/pip-secure-install


pip-secure-install

A GitHub action to have pip install from a requirements file as securely as possible.

Inputs

python

The command used to run Python (pip is invoked as python -m pip, so the interpreter you name here is the one that installs the packages). Defaults to python.

requirements-file

The path to the requirements file. Defaults to requirements.txt.

options

Additional command-line options to pass to pip (e.g. --target).

Design

A few options are turned on for pip to make sure installations are secure and reproducible:

  • A requirements file must be specified, so that every dependency is known statically and can be audited (-r).
  • No dependency resolution is done, so the requirements file must already be complete (--no-deps).
  • Every requirement must carry a hash, so that a tampered or substituted file is rejected (--require-hashes).
  • Only wheels are allowed, so that installs are reproducible (--only-binary :all:).
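The four flags above only work if the requirements file actually meets their expectations: --require-hashes refuses any requirement that is not pinned with == and does not carry at least one --hash= option, and it reports that only after pip has started. The script below is an added example, not part of brettcannon/pip-secure-install: check_requirements is a pre-flight check that fails on such lines before pip is called, write_sample_requirements creates two constructed files (the sha256 digests in them are placeholders, not real), and secure_pip_install shows how the action's three inputs (python, requirements-file, options) map onto a pip command. The exact command the action itself runs is an assumption reconstructed from the Design list.

```shell
#!/bin/sh
# Added example; not the action's own code. The pip command in
# secure_pip_install is an assumption based on the flags listed under Design.

# check_requirements FILE
# Returns 0 when every requirement is pinned with == and has at least one
# --hash= option (what --require-hashes demands). Otherwise prints each
# offending requirement and returns 1. Backslash-continued lines are joined
# first, because hashes are normally written on continuation lines.
# Lines that are pip options (e.g. --index-url) and comments are skipped;
# files pulled in with -r are not followed.
check_requirements() {
    awk '
        /\\$/                 { sub(/[ \t]*\\$/, " "); buf = buf $0; next }
                              { line = buf $0; buf = "" }
        line ~ /^[ \t]*(#|$)/ { next }   # blank lines and comments
        line ~ /^[ \t]*-/     { next }   # pip option lines such as --index-url
        line ~ /==/ && line ~ /--hash=/ { next }
                              { print "not pinned and hashed: " line; bad++ }
        END                   { if (bad) exit 1; exit 0 }
    ' "$1"
}

# write_sample_requirements DIR
# Writes two constructed files into DIR: good.txt (pinned and hashed) and
# bad.txt (one version range, one pin without a hash). The digests are
# placeholders, not real wheel hashes.
write_sample_requirements() {
    cat > "$1/good.txt" <<'EOF'
# constructed sample; digests are placeholders
--index-url https://pypi.org/simple
requests==2.31.0 \
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000 \
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
idna==3.6 --hash=sha256:2222222222222222222222222222222222222222222222222222222222222222
EOF
    cat > "$1/bad.txt" <<'EOF'
requests>=2.0
idna==3.6
EOF
}

# secure_pip_install PYTHON REQUIREMENTS_FILE [OPTIONS...]
# PYTHON is the interpreter command (the action's `python` input),
# REQUIREMENTS_FILE the -r argument (`requirements-file`), and any further
# arguments are passed straight to pip (`options`). The file is checked
# first so a bad requirements file fails before pip touches the network.
secure_pip_install() {
    py="$1"; req="$2"; shift 2
    check_requirements "$req" || return 1
    "$py" -m pip install -r "$req" \
        --no-deps --require-hashes --only-binary :all: "$@"
}

# Run `sh this_script.sh demo` to see both sample files checked.
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    write_sample_requirements "$dir"
    check_requirements "$dir/good.txt" && echo "good.txt: ok"
    check_requirements "$dir/bad.txt" || echo "bad.txt: rejected"
    rm -rf "$dir"
fi
```

Because check_requirements only inspects the file, it can run in a workflow step before the action, or as a pre-commit hook, and its output names the exact line that would make --require-hashes fail. The `-r` of a nested requirements file is deliberately not followed; run the check on each file you include.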