ci: pin dependencies

nashif · nashif · commit d48d25b5541c · 2025-03-24T10:50:40.000-04:00
Signed-off-by: Anas Nashif &lt;anas.nashif@intel.com&gt;
diff --git a/.github/workflows/assigner.yml b/.github/workflows/assigner.yml
@@ -28,16 +28,29 @@ jobs:
       issues: write        # to add assignees to issues
 
     steps:
-    - name: Install Python dependencies
-      run: |
-        pip install -U PyGithub>=1.55 west
-
     - name: Check out source code
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
+    - name: Set up Python
+      uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+      with:
+        python-version: 3.12
+
+    - name: cache-pip
+      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+      with:
+        path: ~/.cache/pip
+        key: ${{ hashFiles('scripts/requirements-actions.txt') }}
+        restore-keys: |
+          ${{ hashFiles('scripts/requirements-actions.txt') }}
+
+    - name: install-packages
+      run: |
+        pip install -r scripts/requirements-actions.txt --require-hashes
+
     - name: Run assignment script
       env:
-        GITHUB_TOKEN: ${{ secrets.ZB_GITHUB_TOKEN }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: |
         FLAGS="-v"
         FLAGS+=" -o ${{ github.event.repository.owner.login }}"
diff --git a/.github/workflows/backport_issue_check.yml b/.github/workflows/backport_issue_check.yml
@@ -28,16 +28,29 @@ jobs:
       - name: Check out source code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - name: Install Python dependencies
+      - name: Set up Python
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        with:
+          python-version: 3.12
+
+      - name: cache-pip
+        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+        with:
+          path: ~/.cache/pip
+          key: ${{ hashFiles('scripts/requirements-actions.txt') }}
+          restore-keys: |
+            ${{ hashFiles('scripts/requirements-actions.txt') }}
+
+      - name: install-packages
         run: |
-          pip install -U pygithub
+          pip install -r scripts/requirements-actions.txt --require-hashes
 
       - name: Run backport issue checker
         env:
           GITHUB_TOKEN: ${{ secrets.ZB_GITHUB_TOKEN }}
         run: |
           ./scripts/release/list_backports.py \
-            -o ${{ github.event.repository.owner.login }} \
-            -r ${{ github.event.repository.name }} \
-            -b ${{ github.event.pull_request.base.ref }} \
-            -p ${{ github.event.pull_request.number }}
+          -o ${{ github.event.repository.owner.login }} \
+          -r ${{ github.event.repository.name }} \
+          -b ${{ github.event.pull_request.base.ref }} \
+          -p ${{ github.event.pull_request.number }}
diff --git a/.github/workflows/bsim-tests.yaml b/.github/workflows/bsim-tests.yaml
@@ -178,7 +178,6 @@ jobs:
 
       - name: Merge Test Results
         run: |
-          pip install junitparser junit2html
           junitparser merge --glob "./bsim_*/*bsim_results.*.xml" "./twister-out/twister.xml" junit.xml
           junit2html junit.xml junit.html
 
diff --git a/.github/workflows/bug_snapshot.yaml b/.github/workflows/bug_snapshot.yaml
@@ -26,9 +26,23 @@ jobs:
     - name: Checkout
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-    - name: Install Python dependencies
+    - name: Set up Python
+      uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+      with:
+        python-version: 3.12
+
+    - name: cache-pip
+      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+      with:
+        path: ~/.cache/pip
+        key: ${{ hashFiles('scripts/requirements-actions.txt') }}
+        restore-keys: |
+          ${{ hashFiles('scripts/requirements-actions.txt') }}
+
+    - name: install-packages
       run: |
-        pip install -U pygithub
+        pip install -r scripts/requirements-actions.txt --require-hashes
+
 
     - name: Snapshot bugs
       env:
diff --git a/.github/workflows/clang.yaml b/.github/workflows/clang.yaml
@@ -135,13 +135,36 @@ jobs:
       checks: write # to create GitHub annotations
     if: (success() || failure())
     steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
       - name: Download Artifacts
         uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
         with:
           path: artifacts
+
+      - name: Set up Python
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        with:
+          python-version: 3.12
+
+      - name: cache-pip
+        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+        with:
+          path: ~/.cache/pip
+          key: ${{ hashFiles('scripts/requirements-actions.txt') }}
+          restore-keys: |
+            ${{ hashFiles('scripts/requirements-actions.txt') }}
+
+      - name: install-packages
+        run: |
+          pip install -r scripts/requirements-actions.txt --require-hashes
+
       - name: Merge Test Results
         run: |
-          pip install junitparser junit2html
           junitparser merge artifacts/*/twister.xml junit.xml
           junit2html junit.xml junit-clang.html
 
diff --git a/.github/workflows/codechecker.yml b/.github/workflows/codechecker.yml
@@ -95,7 +95,7 @@ jobs:
           export CODECHECKER_EXPORT=sarif
           export CODECHECKER_SKIP_FILE=$ZEPHYR_BASE/.github/codechecker/skipfile
 
-          pip install codechecker==v6.25.1 cppcheck sarif-tools jq
+          pip install codechecker==v6.25.1 cppcheck sarif-tools
           sudo apt-get update
           sudo apt-get install -y jq
           export PATH=/usr/lib/llvm-16/bin/:$PATH
@@ -117,6 +117,6 @@ jobs:
 
       - name: Upload Analysis Results
         if: always()
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 #v3
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/codecov.yaml b/.github/workflows/codecov.yaml
@@ -104,7 +104,6 @@ jobs:
           export ZEPHYR_BASE=${PWD}
           export ZEPHYR_TOOLCHAIN_VARIANT=zephyr
           mkdir -p coverage/reports
-          pip install gcovr==6.0
           ./scripts/twister -E ${{matrix.normalized}}-testplan.json
           ls -la
           ./scripts/twister \
@@ -144,6 +143,23 @@ jobs:
         with:
           fetch-depth: 0
 
+      - name: Set up Python
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        with:
+          python-version: 3.12
+
+      - name: cache-pip
+        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+        with:
+          path: ~/.cache/pip
+          key: ${{ hashFiles('scripts/requirements-actions.txt') }}
+          restore-keys: |
+            ${{ hashFiles('scripts/requirements-actions.txt') }}
+
+      - name: install-packages
+        run: |
+          pip install -r scripts/requirements-actions.txt --require-hashes
+
       - name: Download Artifacts
         uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
         with:
@@ -185,7 +201,6 @@ jobs:
       - name: Merge coverage files
         run: |
           pushd ./coverage/reports
-          pip install gcovr==6.0
           gcovr ${{ steps.get-coverage-files.outputs.mergefiles }}  --merge-mode-functions=separate --json merged.json
           gcovr ${{ steps.get-coverage-files.outputs.mergefiles }} --merge-mode-functions=separate --cobertura merged.xml
           popd
@@ -201,7 +216,6 @@ jobs:
       - name: Generate Coverage Report
         if: always()
         run: |
-          pip install xlsxwriter ijson
           python3 ./scripts/ci/coverage/coverage_analysis.py \
             -t native_sim-testplan.json \
             -m MAINTAINERS.yml \
diff --git a/.github/workflows/coding_guidelines.yml b/.github/workflows/coding_guidelines.yml
@@ -16,16 +16,16 @@ jobs:
         ref: ${{ github.event.pull_request.head.sha }}
         fetch-depth: 0
 
-    - name: cache-pip
-      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+    - name: Set up Python
+      uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
       with:
-        path: ~/.cache/pip
-        key: ${{ runner.os }}-pip-${{ hashFiles('.github/workflows/coding_guidelines.yml') }}
+        python-version: 3.12
+        cache: pip
+        cache-dependency-path: scripts/requirements-actions.txt
 
-    - name: Install python dependencies
+    - name: install-packages
       run: |
-        pip install unidiff
-        pip install sh
+        pip install -r scripts/requirements-actions.txt --require-hashes
 
     - name: Install Packages
       run: |
diff --git a/.github/workflows/compliance.yml b/.github/workflows/compliance.yml
@@ -51,18 +51,19 @@ jobs:
     - name: Set up Python
       uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
       with:
-        python-version: 3.11
+        python-version: 3.12
 
     - name: cache-pip
       uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
       with:
         path: ~/.cache/pip
-        key: ${{ runner.os }}-pip-${{ hashFiles('.github/workflows/compliance.yml') }}
+        key: ${{ hashFiles('scripts/requirements-actions.txt') }}
+        restore-keys: |
+          ${{ hashFiles('scripts/requirements-actions.txt') }}
 
-    - name: Install python dependencies
+    - name: install-packages
       run: |
-        pip install -r scripts/requirements-compliance.txt
-        pip install west
+        pip install -r scripts/requirements-actions.txt --require-hashes
 
     - name: west setup
       run: |
diff --git a/.github/workflows/daily_test_version.yml b/.github/workflows/daily_test_version.yml
@@ -26,15 +26,28 @@ jobs:
         aws-secret-access-key: ${{ secrets.AWS_TESTING_SECRET_ACCESS_KEY }}
         aws-region: us-east-1
 
-    - name: install-pip
-      run: |
-        pip install gitpython
-
     - name: checkout
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         fetch-depth: 0
 
+    - name: Set up Python
+      uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+      with:
+        python-version: 3.12
+
+    - name: cache-pip
+      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+      with:
+        path: ~/.cache/pip
+        key: ${{ hashFiles('scripts/requirements-actions.txt') }}
+        restore-keys: |
+          ${{ hashFiles('scripts/requirements-actions.txt') }}
+
+    - name: install-packages
+      run: |
+        pip install -r scripts/requirements-actions.txt --require-hashes
+
     - name: Upload to AWS S3
       run: |
         python3 scripts/ci/version_mgr.py --update .
diff --git a/.github/workflows/footprint-tracking.yml b/.github/workflows/footprint-tracking.yml
@@ -61,14 +61,30 @@ jobs:
         run: |
           sudo apt-get update
           sudo apt-get install -y python3-venv
-          pip install -U gitpython
 
       - name: checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
 
+      - name: Set up Python
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        with:
+          python-version: 3.12
+
+      - name: cache-pip
+        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+        with:
+          path: ~/.cache/pip
+          key: ${{ hashFiles('scripts/requirements-actions.txt') }}
+          restore-keys: |
+            ${{ hashFiles('scripts/requirements-actions.txt') }}
+
+      - name: install-packages
+        run: |
+          pip install -r scripts/requirements-actions.txt --require-hashes
+
       - name: Environment Setup
         run: |
           echo "ZEPHYR_SDK_INSTALL_DIR=/opt/toolchains/zephyr-sdk-$( cat SDK_VERSION )" >> $GITHUB_ENV
@@ -97,7 +113,6 @@ jobs:
         run: |
           python3 -m venv .venv
           . .venv/bin/activate
-          pip install awscli
           aws s3 sync  --quiet footprint_data/ s3://testing.zephyrproject.org/footprint_data/
 
       - name: Transform Footprint data to Twister JSON reports
@@ -116,7 +131,6 @@ jobs:
           ELASTICSEARCH_INDEX: ${{ vars.FOOTPRINT_TRACKING_INDEX }}
         run: |
           shopt -s globstar
-          pip install -U elasticsearch
           run_date=`date --iso-8601=minutes`
           python3 ./scripts/ci/upload_test_results_es.py -r ${run_date} \
             --flatten footprint \
diff --git a/.github/workflows/manifest.yml b/.github/workflows/manifest.yml
@@ -20,12 +20,28 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
+      - name: Set up Python
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        with:
+          python-version: 3.12
+
+      - name: cache-pip
+        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+        with:
+          path: ~/.cache/pip
+          key: ${{ hashFiles('scripts/requirements-actions.txt') }}
+          restore-keys: |
+            ${{ hashFiles('scripts/requirements-actions.txt') }}
+
+      - name: install-packages
+        run: |
+          pip install -r scripts/requirements-actions.txt --require-hashes
+
       - name: west setup
         env:
           BASE_REF: ${{ github.base_ref }}
         working-directory: zephyrproject/zephyr
         run: |
-          pip install west
           git config --global user.email "you@example.com"
           git config --global user.name "Your Name"
           west init -l . || true
diff --git a/.github/workflows/stats_merged_prs.yml b/.github/workflows/stats_merged_prs.yml
@@ -17,12 +17,30 @@ jobs:
     steps:
       - name: checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up Python
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        with:
+          python-version: 3.12
+
+      - name: cache-pip
+        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+        with:
+          path: ~/.cache/pip
+          key: ${{ hashFiles('scripts/requirements-actions.txt') }}
+          restore-keys: |
+            ${{ hashFiles('scripts/requirements-actions.txt') }}
+
+      - name: install-packages
+        run: |
+          pip install -r scripts/requirements-actions.txt --require-hashes
+
+
       - name: PR event
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           ELASTICSEARCH_KEY: ${{ secrets.ELASTICSEARCH_KEY }}
           ELASTICSEARCH_SERVER: "https://elasticsearch.zephyrproject.io:443"
           PR_STAT_ES_INDEX: ${{ vars.PR_STAT_ES_INDEX }}
         run: |
-          pip install pygithub elasticsearch
           python3 ./scripts/ci/stats/merged_prs.py --pull-request ${{ github.event.pull_request.number }} --repo ${{ github.repository }}
diff --git a/.github/workflows/twister-publish.yaml b/.github/workflows/twister-publish.yaml
diff --git a/.github/workflows/twister.yaml b/.github/workflows/twister.yaml
diff --git a/kernel/init.c b/kernel/init.c
diff --git a/scripts/requirements-actions.in b/scripts/requirements-actions.in
diff --git a/scripts/requirements-actions.txt b/scripts/requirements-actions.txt
