ci: pin dependencies

Signed-off-by: Anas Nashif <[email protected]>

Author: nashif

.github/workflows/assigner.yml

@@ -28,16 +28,27 @@ jobs:
       issues: write        # to add assignees to issues
 
     steps:
-    - name: Install Python dependencies
-      run: |
-        pip install -U PyGithub>=1.55 west
-
     - name: Check out source code
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
+    - name: Set up Python
+      uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+      with:
+        python-version: 3.12
+        cache: pip
+        cache-dependency-path: scripts/requirements-actions.txt
+
+    - name: install-packages
+      run: |
+        pip install -r scripts/requirements-actions.txt --require-hashes
+
+    - name: install-packages
+      run: |
+        pip install -r scripts/requirements-actions.txt --require-hashes
+
     - name: Run assignment script
       env:
-        GITHUB_TOKEN: ${{ secrets.ZB_GITHUB_TOKEN }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: |
         FLAGS="-v"
         FLAGS+=" -o ${{ github.event.repository.owner.login }}"

.github/workflows/backport_issue_check.yml

@@ -28,16 +28,27 @@ jobs:
       - name: Check out source code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - name: Install Python dependencies
+      - name: Set up Python
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        with:
+          python-version: 3.12
+          cache: pip
+          cache-dependency-path: scripts/requirements-actions.txt
+
+      - name: install-packages
+        run: |
+          pip install -r scripts/requirements-actions.txt --require-hashes
+
+      - name: install-packages
         run: |
-          pip install -U pygithub
+          pip install -r scripts/requirements-actions.txt --require-hashes
 
       - name: Run backport issue checker
         env:
           GITHUB_TOKEN: ${{ secrets.ZB_GITHUB_TOKEN }}
         run: |
           ./scripts/release/list_backports.py \
-            -o ${{ github.event.repository.owner.login }} \
-            -r ${{ github.event.repository.name }} \
-            -b ${{ github.event.pull_request.base.ref }} \
-            -p ${{ github.event.pull_request.number }}
+          -o ${{ github.event.repository.owner.login }} \
+          -r ${{ github.event.repository.name }} \
+          -b ${{ github.event.pull_request.base.ref }} \
+          -p ${{ github.event.pull_request.number }}

.github/workflows/bsim-tests.yaml

@@ -178,7 +178,6 @@ jobs:
 
       - name: Merge Test Results
         run: |
-          pip install junitparser junit2html
           junitparser merge --glob "./bsim_*/*bsim_results.*.xml" "./twister-out/twister.xml" junit.xml
           junit2html junit.xml junit.html
 

.github/workflows/bug_snapshot.yaml

@@ -26,9 +26,17 @@ jobs:
     - name: Checkout
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-    - name: Install Python dependencies
+    - name: Set up Python
+      uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+      with:
+        python-version: 3.12
+        cache: pip
+        cache-dependency-path: scripts/requirements-actions.txt
+
+    - name: install-packages
       run: |
-        pip install -U pygithub
+        pip install -r scripts/requirements-actions.txt --require-hashes
+
 
     - name: Snapshot bugs
       env:

.github/workflows/clang.yaml

@@ -135,13 +135,30 @@ jobs:
       checks: write # to create GitHub annotations
     if: (success() || failure())
     steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
       - name: Download Artifacts
         uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
         with:
           path: artifacts
+
+      - name: Set up Python
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        with:
+          python-version: 3.12
+          cache: pip
+          cache-dependency-path: scripts/requirements-actions.txt
+
+      - name: install-packages
+        run: |
+          pip install -r scripts/requirements-actions.txt --require-hashes
+
       - name: Merge Test Results
         run: |
-          pip install junitparser junit2html
           junitparser merge artifacts/*/twister.xml junit.xml
           junit2html junit.xml junit-clang.html
 

.github/workflows/codechecker.yml

@@ -95,7 +95,7 @@ jobs:
           export CODECHECKER_EXPORT=sarif
           export CODECHECKER_SKIP_FILE=$ZEPHYR_BASE/.github/codechecker/skipfile
 
-          pip install codechecker==v6.25.1 cppcheck sarif-tools jq
+          pip install codechecker==v6.25.1 cppcheck sarif-tools
           sudo apt-get update
           sudo apt-get install -y jq
           export PATH=/usr/lib/llvm-16/bin/:$PATH
@@ -117,6 +117,6 @@ jobs:
 
       - name: Upload Analysis Results
         if: always()
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 #v3
         with:
           sarif_file: results.sarif

.github/workflows/codecov.yaml

@@ -104,7 +104,6 @@ jobs:
           export ZEPHYR_BASE=${PWD}
           export ZEPHYR_TOOLCHAIN_VARIANT=zephyr
           mkdir -p coverage/reports
-          pip install gcovr==6.0
           ./scripts/twister -E ${{matrix.normalized}}-testplan.json
           ls -la
           ./scripts/twister \
@@ -144,6 +143,17 @@ jobs:
         with:
           fetch-depth: 0
 
+      - name: Set up Python
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        with:
+          python-version: 3.12
+          cache: pip
+          cache-dependency-path: scripts/requirements-actions.txt
+
+      - name: install-packages
+        run: |
+          pip install -r scripts/requirements-actions.txt --require-hashes
+
       - name: Download Artifacts
         uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
         with:
@@ -185,7 +195,6 @@ jobs:
       - name: Merge coverage files
         run: |
           pushd ./coverage/reports
-          pip install gcovr==6.0
           gcovr ${{ steps.get-coverage-files.outputs.mergefiles }}  --merge-mode-functions=separate --json merged.json
           gcovr ${{ steps.get-coverage-files.outputs.mergefiles }} --merge-mode-functions=separate --cobertura merged.xml
           popd
@@ -201,7 +210,6 @@ jobs:
       - name: Generate Coverage Report
         if: always()
         run: |
-          pip install xlsxwriter ijson
           python3 ./scripts/ci/coverage/coverage_analysis.py \
             -t native_sim-testplan.json \
             -m MAINTAINERS.yml \

.github/workflows/coding_guidelines.yml

@@ -16,16 +16,16 @@ jobs:
         ref: ${{ github.event.pull_request.head.sha }}
         fetch-depth: 0
 
-    - name: cache-pip
-      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+    - name: Set up Python
+      uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
       with:
-        path: ~/.cache/pip
-        key: ${{ runner.os }}-pip-${{ hashFiles('.github/workflows/coding_guidelines.yml') }}
+        python-version: 3.12
+        cache: pip
+        cache-dependency-path: scripts/requirements-actions.txt
 
-    - name: Install python dependencies
+    - name: install-packages
       run: |
-        pip install unidiff
-        pip install sh
+        pip install -r scripts/requirements-actions.txt --require-hashes
 
     - name: Install Packages
       run: |

.github/workflows/compliance.yml

@@ -51,18 +51,13 @@ jobs:
     - name: Set up Python
       uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
       with:
-        python-version: 3.11
+        python-version: 3.12
+        cache: pip
+        cache-dependency-path: scripts/requirements-actions.txt
 
-    - name: cache-pip
-      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
-      with:
-        path: ~/.cache/pip
-        key: ${{ runner.os }}-pip-${{ hashFiles('.github/workflows/compliance.yml') }}
-
-    - name: Install python dependencies
+    - name: install-packages
       run: |
-        pip install -r scripts/requirements-compliance.txt
-        pip install west
+        pip install -r scripts/requirements-actions.txt --require-hashes
 
     - name: west setup
       run: |

.github/workflows/daily_test_version.yml

@@ -26,15 +26,22 @@ jobs:
         aws-secret-access-key: ${{ secrets.AWS_TESTING_SECRET_ACCESS_KEY }}
         aws-region: us-east-1
 
-    - name: install-pip
-      run: |
-        pip install gitpython
-
     - name: checkout
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         fetch-depth: 0
 
+    - name: Set up Python
+      uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+      with:
+        python-version: 3.12
+        cache: pip
+        cache-dependency-path: scripts/requirements-actions.txt
+
+    - name: install-packages
+      run: |
+        pip install -r scripts/requirements-actions.txt --require-hashes
+
     - name: Upload to AWS S3
       run: |
         python3 scripts/ci/version_mgr.py --update .