Merge pull request #360 from communitiesuk/renovate/pin-dependencies

Pin dependencies

.github/workflows/codeql-analysis.yml

@@ -38,11 +38,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -53,7 +53,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3
+      uses: github/codeql-action/autobuild@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -67,4 +67,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3

Dockerfile

@@ -1,8 +1,8 @@
-FROM python:3.10-bullseye
+FROM python:3.10-bullseye@sha256:5c6f3a5a8ab7f559a2d5adb543030c0306e5656a049be19fe51b1677ca8d04d7
 
 WORKDIR /app
 
-COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
+COPY --from=ghcr.io/astral-sh/uv:latest@sha256:ab5cd8c7946ae6a359a9aea9073b5effd311d40a65310380caae938a1abf55da /uv /uvx /bin/
 
 # Install the project's dependencies using the lockfile and settings
 RUN --mount=type=cache,target=/root/.cache/uv \

pyproject.toml

@@ -5,9 +5,9 @@ description = "The funding service design authenticator for the DLUHC."
 authors = ["Version One"]
 license = "MIT License"
 
-requires-python = ">=3.10, <3.11"
+requires-python = "~=3.10.0"
 dependencies = [
-    "beautifulsoup4>=4.12.3",
+    "beautifulsoup4==4.12.3",
     "connexion==2.14.2",
     "cssmin==0.2.0",
     "email-validator==1.2.1",
@@ -18,16 +18,16 @@ dependencies = [
     "flask-talisman==0.8.1",
     "flask-wtf==1.2.1",
     "flask==2.2.5",
-    "funding-service-design-utils==5.1.*",
+    "funding-service-design-utils==5.1.1",
     "govuk-frontend-jinja==2.3.0",
-    "greenlet>=3.1.1",
+    "greenlet==3.1.1",
     "jsmin==3.0.1",
     "msal==1.28.0",
-    "openapi-spec-validator>=0.4.0",
-    "prance>=0.21.8.0",
+    "openapi-spec-validator==0.4.0",
+    "prance==0.21.8.0",
     "pyjwt==2.4.0",
+    "requests==2.32.3",
     "pyscss==1.4.0",
-    "requests>=2.32.3",
 ]
 
 [tool.black]
@@ -42,21 +42,21 @@ count = true
 
 [dependency-groups]
 dev = [
-    "beautifulsoup4>=4.12.3",
-    "black>=22.12.0",
-    "debugpy>=1.6.7",
-    "deepdiff>=5.8.1",
-    "dparse>=0.5.2",
-    "flake8-pyproject>=1.2.3",
-    "invoke>=2.0.0",
-    "moto>=5.0.12",
-    "pre-commit~=4.0.0",
-    "pytest>=7.1.2",
-    "pytest-env>=0.6.2",
-    "pytest-flask>=1.3.0",
+    "beautifulsoup4==4.12.3",
+    "black==22.12.0",
+    "debugpy==1.6.7",
+    "deepdiff==5.8.1",
+    "dparse==0.6.3",
+    "flake8-pyproject==1.2.3",
+    "invoke==2.0.0",
+    "moto==5.0.12",
+    "pre-commit==4.0.1",
+    "pytest==7.1.2",
+    "pytest-env==0.6.2",
+    "pytest-flask==1.3.0",
     "pytest-mock==3.10.0",
     "pytest-selenium==2.0.1",
     "selenium==4.23.1",
-    "swagger-ui-bundle>=0.0.9",
+    "swagger-ui-bundle==0.0.9",
     "webdriver-manager==4.0.1",
 ]