Summary

The OpenSSF Scorecard Pinned-Dependencies check identified several unpinned container images and unverified artifact downloads. GitHub Actions (119/119) and npm commands (5/5) are fully pinned, but container images (1/4), pip commands (0/2), and download-then-run scripts (0/2) have gaps.

Container Images Needing @sha256: Digests

  File                                          Image
  data-management/viewer/backend/Dockerfile     python:3.11-slim
  data-management/viewer/frontend/Dockerfile    node:24.14.1-slim
  data-management/viewer/frontend/Dockerfile    nginx:1.27-alpine

Pip/uv Bootstrap Pinning

  File                                           Current bootstrap
  data-management/viewer/backend/Dockerfile      pip install --no-cache-dir uv
  evaluation/sil/docker/Dockerfile.lerobot-eval  uv>=0.6.0,<1.0.0

Download-then-Run Scripts (No Hash Verification)

  setup-dev.sh
  training/rl/scripts/train.sh
  infrastructure/setup/optional/isaac-sim-vm/scripts/install-dev-deps.sh
  setup-dev.sh

Devcontainer onCreateCommand Gaps

  tflint: curl | bash with TFLINT_VERSION=v0.61.0

Note

osmo-cli (tracks main branch) and ngc-cli (versionless download URL) are harder to pin and may be addressed separately in a follow-up issue.

Approach

Follow the existing hash-verify pattern in devcontainer.json (actionlint/golangci-lint): download to temp file, verify SHA256 with sha256sum -c, then install. Pin container images with @sha256: digests. Pin uv to exact versions in Dockerfiles.

Acceptance Criteria

All three Dockerfile base images include @sha256: digests
uv is pinned to an exact version in both Dockerfiles
setup-dev.sh uv and terraform-docs downloads are hash-verified
train.sh uv download is hash-verified
install-dev-deps.sh uv download is version-pinned and hash-verified
devcontainer.json tflint uses the same hash-verify pattern as actionlint/golangci-lint
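The download-to-temp, verify, then install pattern described under Approach, written out as an added example (not code from the repository). `fetch`, `verify_sha256` and `install_pinned` are constructed names; `fetch` stands in for the real `curl` download so the script runs offline.

```shell
#!/usr/bin/env sh
# Added example, not code from the repository: the download-to-temp, verify,
# then install pattern the issue asks setup-dev.sh and train.sh to adopt.
set -eu

# Constructed stand-in for the real download (curl -fsSL "$1" -o "$2") so the
# example runs offline; it writes fixed bytes to the requested path.
fetch() {
    printf 'constructed sample binary\n' > "$2"
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 only when FILE hashes to EXPECTED_HEX. `sha256sum -c` reads
# "<hex>  <path>" lines (two spaces), so this is the same check the
# devcontainer.json actionlint/golangci-lint steps perform.
verify_sha256() {
    printf '%s  %s\n' "$2" "$1" | sha256sum -c >/dev/null 2>&1
}

# install_pinned NAME URL EXPECTED_HEX DEST
# The expected digest is stored in the script next to the pinned version and
# is never fetched from the same place as the artifact. A mismatch fails
# closed: nothing is executed or moved into place.
install_pinned() {
    name=$1; url=$2; expected=$3; dest=$4
    tmp=$(mktemp)
    fetch "$url" "$tmp"
    if ! verify_sha256 "$tmp" "$expected"; then
        rm -f "$tmp"
        echo "$name: SHA256 mismatch for $url, refusing to install" >&2
        return 1
    fi
    mv "$tmp" "$dest"
    chmod 0755 "$dest"
}
```

In the real scripts the `uv` and `terraform-docs` version and digest would sit together as constants at the top of the file, so bumping one forces updating the other.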