Update dependencies and workflows for security and features

This commit updates several dependency versions in requirements and pre-commit config files, adds new package schedules to dependabot.yml, pins GitHub Actions to specific commit SHAs for improved security, and streamlines Python dependency installation in CI workflows. Also adds tomli-w to requirements for TOML file syncing and updates testing/cucumber dependencies for compatibility.
2026-02-17 13:52:14 +01:00 · 2025-12-04 21:41:44 +01:00
parent e7db714091
commit a0117f9789
9 changed files with 286 additions and 231 deletions
--- a/.github/workflows/check_toml.yml
+++ b/.github/workflows/check_toml.yml
@@ -200,7 +200,7 @@ jobs:

      - name: Install Python dependencies
        run: |
-          pip install tomli-w
+          pip install --require-hashes tomli-w==1.2.0 --hash sha256:188306098d013b691fcadc011abd66727d3c414c571bb01b1a174ba8c983cf90

      - name: Run Python script to check files
        id: run-check
--- a/.github/workflows/deploy-on-v2-commit.yml
+++ b/.github/workflows/deploy-on-v2-commit.yml
@@ -23,10 +23,10 @@ jobs:
          egress-policy: audit

      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Get commit hashes for frontend and backend
        id: commit-hashes
@@ -86,14 +86,14 @@ jobs:


      - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKER_HUB_USERNAME }}
          password: ${{ secrets.DOCKER_HUB_API }}

      - name: Build and push frontend image
        if: steps.check-frontend.outputs.exists == 'false'
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: .
          file: ./docker/frontend/Dockerfile
@@ -106,7 +106,7 @@ jobs:
      
      - name: Build and push backend image
        if: steps.check-backend.outputs.exists == 'false'
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: .
          file: ./docker/backend/Dockerfile
--- a/.github/workflows/sync_files_v2.yml
+++ b/.github/workflows/sync_files_v2.yml
@@ -53,8 +53,7 @@ jobs:
          cache: "pip" # caching pip dependencies

      - name: Install Python dependencies
-        run: |
-          pip install tomli-w
+        run: pip install --require-hashes -r ./.github/scripts/requirements_sync_readme.txt

      - name: Sync translation TOML files
        run: |
@@ -65,9 +64,6 @@ jobs:
          git add frontend/public/locales/*/translation.toml
          git diff --staged --quiet || git commit -m ":memo: Sync translation files (TOML)" || echo "No changes detected"

-      - name: Install README dependencies
-        run: pip install --require-hashes -r ./.github/scripts/requirements_sync_readme.txt
-
      - name: Sync README.md
        run: |
          python scripts/counter_translation_v3.py