Skip to content

[Security] Add requirements lockfile (datadog-api-client-python)#3375

Draft
SeanMeyer wants to merge 3 commits into
masterfrom
add-lockfile/requirements
Draft

[Security] Add requirements lockfile (datadog-api-client-python)#3375
SeanMeyer wants to merge 3 commits into
masterfrom
add-lockfile/requirements

Conversation

@SeanMeyer

@SeanMeyer SeanMeyer commented Apr 1, 2026

Copy link
Copy Markdown

Summary

Adds a compiled requirements lockfile with SHA-256 hashes for reproducible CI builds.

  • requirements.in — human-readable dependency input (16 deps)
  • requirements.txt — compiled lockfile (45 packages, all with hashes)
  • Does NOT change the library's published dependency ranges in setup.cfg

Why: Follow-up to incident #51987. This library had no lockfile for the main package.

Workstream: #incident-51987-pinning-dependencies

Adds requirements.in (extracted from setup.cfg install_requires + extras)
and a compiled requirements.txt with pinned versions and hashes,
generated by uv pip compile. This does not change the published
dependency ranges in setup.cfg — it only provides a lockfile for
deterministic CI builds and supply-chain auditability.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@SeanMeyer

Copy link
Copy Markdown
Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

To use Codex here, create a Codex account and connect to github.

SeanMeyer and others added 2 commits April 1, 2026 20:16
Every CI job now computes a 2-day-old cutoff timestamp and passes
--uploaded-prior-to to all pip install commands. This refuses any
PyPI package published less than 2 days ago, blocking freshly-
published malicious versions from entering CI builds.

Workflows updated:
- reusable-python-test.yml (unit tests)
- reusable-integration-test.yml (integration tests)
- reusable-examples.yml (example checks)
- reusable-pre-commit.yml (pre-commit hooks)
- docs.yml (documentation build)
- publish.yml (release publishing)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The lockfile with SHA-256 hashes already provides supply-chain protection.
The --uploaded-prior-to flag requires pip 26.0+ which is not available on
runners, and Python 3.8 cannot use pip 26.0 at all.
@github-actions

github-actions Bot commented May 5, 2026

Copy link
Copy Markdown

This PR has been automatically marked as stale because it has not had activity in the last 30 days.
If there is no activity for another 90 days, this issue will be automatically closed.

@github-actions github-actions Bot added the stale label May 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant