To protect against supply chain attacks, it would be great if you
- commit the lockfile (uv.lock) for reproducible dependency resolution,
- reference GitHub actions with a SHA-pinned version instead of tags, and
- use a digest or at least a tag for the container image
quay.io/fedora/fedora in the CI config.
In addition, use dependabot to keep these up-to-date.
To protect against supply chain attacks, it would be great if you
quay.io/fedora/fedorain the CI config.In addition, use dependabot to keep these up-to-date.