Skip to content
@install-pinned

install-pinned

Securely install tools from PyPI.

Keep your CI pipeline secure and deterministic with pinned installs.

Deterministic

When you pip install foo, you are getting the latest and greatest version of foo and all its dependencies. However, foo's behavior (or that of its dependencies) may change over time. This introduces unexpected breakage into your CI pipeline, usually exactly at the time when you don't want it.

Secure

When you pip install foo in your CI pipeline, you trust

  • PyPI,
  • the authors of foo, and
  • all authors of all (sub)dependencies of foo

to not be compromised. If one of them is, an attacker may push a malicious package to PyPI which steals your code and your repository secrets (e.g. deployment tokens).1 To mitigate this problem, you should pin your dependencies, i.e. use a requirements.txt/poetry.lock/... lock file that ensures only specific versions (with specific file hashes) are allowed. This changes the threat model from "trust continuously" to "trust on first use".

What are the actions here for?

The actions provided here allow you to securely (i.e. with pinning + hashes) install popular tools to use in your CI pipeline without any additional lock files.

For example, you maybe want to run black in your CI pipeline, but black is not a dependency for your application. Instead of adding a separate lock file to your repository, you just use the install-pinned/black action.

Why should I not use this?

By pinning your tools, the dependency graph becomes static. This means that you will not automatically get new (security) updates. To mitigate this, you can set up Dependabot so that your pins are updated regularly.

Supported tools:

Your tool is not on the list? Request it here.

Security

If you believe you've identified a security issue with install-pinned, please report it to @mhils using the email address listed on his GitHub profile.

Footnotes

  1. This typically includes GitHub secrets that are not available to the current workflow. By default, GITHUB_TOKEN can push new commits, which can be used to rewrite workflows and obtain more secrets.

Popular repositories Loading

  1. .github .github Public

    @install-pinned meta repository

    Python 2 1

  2. poetry poetry Public

    Securely install the latest poetry release from PyPI.

    2 1

  3. mitmproxy mitmproxy Public

    Securely install the latest mitmproxy release from PyPI.

    2 1

  4. ruff ruff Public

    Securely install the latest ruff release from PyPI.

    1 1

  5. pytest pytest Public

    Securely install the latest pytest release from PyPI.

    1

  6. pip-tools pip-tools Public

    Securely install the latest pip-tools release from PyPI.

    1

Repositories

Showing 10 of 26 repositories
  • ruff Public

    Securely install the latest ruff release from PyPI.

    install-pinned/ruff’s past year of commit activity
    1 MIT 1 0 0 Updated Nov 29, 2024
  • maturin Public

    Securely install the latest maturin release from PyPI.

    install-pinned/maturin’s past year of commit activity
    0 MIT 0 0 0 Updated Nov 28, 2024
  • maturin-with-zig Public

    Securely install the latest maturin[zig] release from PyPI.

    install-pinned/maturin-with-zig’s past year of commit activity
    0 MIT 1 0 0 Updated Nov 28, 2024
  • pdm Public

    Securely install the latest pdm release from PyPI.

    install-pinned/pdm’s past year of commit activity
    0 MIT 0 0 0 Updated Nov 28, 2024
  • black Public

    Securely install the latest black release from PyPI.

    install-pinned/black’s past year of commit activity
    0 MIT 0 0 0 Updated Nov 28, 2024
  • build Public

    Securely install the latest build release from PyPI.

    install-pinned/build’s past year of commit activity
    0 MIT 0 0 0 Updated Nov 28, 2024
  • mypy Public

    Securely install the latest mypy release from PyPI.

    install-pinned/mypy’s past year of commit activity
    0 MIT 0 0 0 Updated Nov 28, 2024
  • tox Public

    Securely install the latest tox release from PyPI.

    install-pinned/tox’s past year of commit activity
    0 MIT 0 0 0 Updated Nov 28, 2024
  • tox-uv Public

    Securely install the latest tox-uv release from PyPI.

    install-pinned/tox-uv’s past year of commit activity
    0 MIT 0 0 0 Updated Nov 28, 2024
  • pip-tools Public

    Securely install the latest pip-tools release from PyPI.

    install-pinned/pip-tools’s past year of commit activity
    0 MIT 1 0 0 Updated Nov 28, 2024

Top languages

Loading…

Most used topics

Loading…