Conversation

@osyniakov (Contributor) commented Oct 24, 2025

Description

Pin Python packages in GitHub workflows by hash to ensure reliable production builds.

  • Use actions/setup-python to set up a Python version in sync with Pipfile
  • Use pipenv

How was this PR tested?

n/a

@osyniakov (Contributor Author)

@guilload could you please check this fix as well?

@guilload (Member)

This is going to be a bit of work to maintain each time we add or upgrade a dependency. Can we have CI use pipenv instead and rely on the same Pipfile / Pipfile.lock files?

@osyniakov osyniakov marked this pull request as draft October 24, 2025 15:39
@osyniakov (Contributor Author)

This is going to be a bit of work to maintain each time we add or upgrade a dependency. Can we have CI use pipenv instead and rely on the same Pipfile / Pipfile.lock files?

@guilload thanks for the suggestion. I've updated my implementation to use pipenv.

When running scorecard checks, I'm still seeing the Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:101 complaint. While a dedicated requirements file would technically solve it, I feel that's too much overhead just for pinning the installer. I suggest we merge this first to get pipenv in, and then I can create a follow-up PR to investigate a cleaner way to pin pip in the CI configuration without an extra file.

@osyniakov osyniakov marked this pull request as ready for review October 28, 2025 12:43
@guilload (Member)

I think pip install --user pipenv==<version> should work, but I'm happy to merge this as is and let you follow up in another PR.

@osyniakov (Contributor Author)

@guilload I pinned the pipenv version, which is definitely an improvement, but it looks like the scorecard issue persists. It would be nice if you could take one more look and merge it.
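The two installer steps discussed above, side by side, as an added example that is not part of the PR or of the quickwit-oss CI configuration. It assumes a hypothetical workflow file, a placeholder pipenv version and hash, a hypothetical path `.github/pipenv-requirements.txt` for the hash-pinned requirements, and that the `actions/setup-python` version in use accepts a Pipfile via `python-version-file`.

```yaml
# Added example (not the project's workflow). Version, hash and the
# requirements-file path are placeholders, not values from the PR.
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          # keep the interpreter version in sync with the Pipfile
          python-version-file: Pipfile

      # Weak form: pinned by version only. A version tag can be re-uploaded
      # or served by a different index, and pip would accept it; this is the
      # shape the Scorecard "pipCommand not pinned by hash" warning flags.
      - name: Install pipenv (version pin only)
        run: pip install --user pipenv==<PIPENV_VERSION>

      # Hardened form: --require-hashes makes pip refuse any distribution
      # whose sha256 is not listed, and it also aborts if a transitive
      # dependency is pulled in without a hash of its own.
      #
      # .github/pipenv-requirements.txt (placeholder contents):
      #   pipenv==<PIPENV_VERSION> \
      #       --hash=sha256:<sha256 of the pipenv wheel> \
      #       --hash=sha256:<sha256 of the pipenv sdist>
      #   (one such line, with hashes, per transitive dependency as well)
      - name: Install pipenv (hash pin)
        run: pip install --user --require-hashes -r .github/pipenv-requirements.txt

      # Project dependencies come from Pipfile.lock, which already carries
      # per-package hashes, so nothing else on the runner is unpinned.
      - name: Install project dependencies from the lock file
        run: pipenv sync --dev
```

The hashes in the requirements file are what the hash check verifies; pip only accepts `--hash` entries from a requirements file, which is why a separate file is needed rather than a flag on the `pip install` line itself. If any package in the resolution lacks a listed hash, the install fails rather than silently falling back to an unverified download.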

@guilload guilload merged commit da8a648 into quickwit-oss:main Oct 28, 2025
4 checks passed