A GitHub action to have pip install from a requirements file as securely as possible.

The action takes three inputs:

- The command to run Python (pip is invoked through it as `-m pip`). Defaults to `python`.
- The path to the requirements file. Defaults to `requirements.txt`.
- Additional command-line options to pass to pip (e.g. `--target`).
A few options are turned on for pip to make sure installations are secure and reproducible:

- A requirements file must be specified (`-r`) so that all dependencies are known statically for auditing purposes.
- No dependency resolution is done (`--no-deps`), so nothing outside the requirements file is ever installed; the file must therefore list the complete set of dependencies, transitive ones included.
- All requirements must have a hash provided (`--require-hashes`) to make sure the files have not been tampered with; this also forces every requirement to be pinned to an exact version (`==`).
- Only wheels are allowed (`--only-binary :all:`) so installs are reproducible and no source distribution gets to run its build code on the runner.
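The following shell script is an added example, not code from this action: it shows the hardened pip command line the options above produce, and a pre-check that catches the two things `--require-hashes` will reject at install time, an unpinned requirement and a requirement with no `--hash`. The requirements files it writes are constructed samples with placeholder digests (`0123...`), not real hashes; real ones come from `pip hash <file>` or `pip-compile --generate-hashes`.

```shell
#!/bin/sh
# Added example: build the hardened pip invocation and lint a requirements
# file before handing it to pip. Not part of the action's own code.

build_pip_cmd() {
  # $1: python command, $2: requirements file, $3: extra pip options (may be empty)
  python_cmd=${1:-python}
  req_file=${2:-requirements.txt}
  extra=$3
  printf '%s -m pip install --no-deps --require-hashes --only-binary :all: -r %s%s\n' \
    "$python_cmd" "$req_file" "${extra:+ $extra}"
}

check_hashed_requirements() {
  # $1: requirements file. Returns 0 when every requirement is pinned with ==
  # and carries a --hash, otherwise prints the offenders to stderr and returns 1.
  offenders=$(
    # Join backslash-continued lines so each requirement is one record,
    # then strip comments and blank lines.
    sed -e ':a' -e '/\\$/N' -e 's/\\\n//' -e 'ta' "$1" |
    sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' |
    while IFS= read -r line; do
      case $line in
        -*) continue ;;                 # global pip options such as --index-url
      esac
      case $line in
        *==*) ;;
        *) echo "not pinned to an exact version: $line" ;;
      esac
      case $line in
        *--hash=*) ;;
        *) echo "no --hash given: $line" ;;
      esac
    done
  )
  if [ -n "$offenders" ]; then
    printf '%s\n' "$offenders" >&2
    return 1
  fi
  return 0
}

write_sample_requirements() {
  # $1: directory. Writes constructed good.txt and bad.txt samples;
  # the sha256 values are placeholders, not digests of real files.
  cat > "$1/good.txt" <<'EOF'
# constructed sample: every requirement pinned and hashed
--index-url https://pypi.org/simple
requests==2.31.0 \
    --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef \
    --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
urllib3==2.2.1 --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
EOF
  cat > "$1/bad.txt" <<'EOF'
# constructed sample: one range pin, one requirement without a hash
requests>=2.31 \
    --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
urllib3==2.2.1
EOF
}

# Demo run on the constructed samples.
demo_dir=$(mktemp -d)
write_sample_requirements "$demo_dir"
build_pip_cmd python "$demo_dir/good.txt" "--target vendor"
check_hashed_requirements "$demo_dir/good.txt" && echo "good.txt: OK"
check_hashed_requirements "$demo_dir/bad.txt" || echo "bad.txt: rejected"
rm -rf "$demo_dir"
```

Because `--no-deps` is set, the check does not prove the file is complete: a missing transitive dependency only shows up when the code is imported. Generating the file with a resolver (`pip-compile --generate-hashes`) and running this lint on the result covers both halves.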