Skip to content

Harden against supply chain attacks #3

Description

@twwd

To protect against supply chain attacks, it would be great if you

  1. commit the lockfile (uv.lock) for reproducible dependency resolution,
  2. reference GitHub actions with a SHA-pinned version instead of tags, and
  3. use a digest or at least a tag for the container image quay.io/fedora/fedora in the CI config.

In addition, use dependabot to keep these up-to-date.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions