This PR is a continuation of #934. That PR hash-pinned the GitHub Actions used in sentencepiece's workflows, and this PR hash-pins the Python dependencies used in cmake.yml and wheels.yml.
Both of these workflows create Python artifacts that are published as release artifacts. Python dependencies can also be used as vectors for supply-chain attacks that modify these release artifacts. By hash-pinning the dependencies, we ensure we always get exactly the same dependencies.
This PR also configures Dependabot to monitor these Python dependencies, sending a single monthly PR updating all packages with new versions. See the PR it sent to my fork for an example: https://github.com/pnacht/sentencepiece/pull/2.
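The discipline this PR adopts, as an added example that is not part of the PR or of sentencepiece's own code: pip enforces hash-pinning with `pip install --require-hashes -r requirements.txt`, refusing any requirement that is not pinned with `==` or that carries no `--hash=sha256:` option. The script below checks that same invariant offline so a CI job can fail fast before pip runs, and it verifies that a downloaded artifact's digest is one of the pinned ones. The requirements text and the digests in it are constructed for the demo; `logical_lines`, `audit_requirements` and `artifact_matches` are names chosen here, not anything pip or sentencepiece provides.

```python
"""Audit a pip requirements file for --require-hashes discipline.

Added example, not code from the sentencepiece repository or its PR.
"""
import hashlib
import re

# Constructed sample: real package names, made-up versions and digests.
SAMPLE_REQUIREMENTS = """\
# good: exact pin plus one hash per distribution file (sdist and wheel)
build==0.0.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
# bad: a version range lets a newer, unreviewed release slip in
wheel>=0.40 \\
    --hash=sha256:2222222222222222222222222222222222222222222222222222222222222222
# bad: pinned, but without a hash the index could still serve a swapped file
setuptools==0.0.0
"""

HEX64 = re.compile(r"^[0-9a-f]{64}$")
EXACT_PIN = re.compile(r"^([A-Za-z0-9_.\-\[\]]+)==([A-Za-z0-9_.+!\-]+)$")
HASH_PREFIX = "--hash=sha256:"


def logical_lines(text):
    """Join backslash-continued lines (pip's syntax) and drop comments/blanks."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        stripped = buf.strip()
        buf = ""
        if stripped and not stripped.startswith("#"):
            lines.append(stripped)
    if buf.strip():  # file ended inside a continuation
        lines.append(buf.strip())
    return lines


def parse_requirement(line):
    """Return (name, version, digests, problems) for one logical requirement line."""
    tokens = line.split()
    spec, opts = tokens[0], tokens[1:]
    problems, digests = [], []
    m = EXACT_PIN.match(spec)
    if m:
        name, version = m.group(1), m.group(2)
    else:
        name, version = re.split(r"[<>=!~]", spec, maxsplit=1)[0], None
        problems.append(f"{name}: not pinned with '==' ({spec})")
    for opt in opts:
        if opt.startswith(HASH_PREFIX):
            digest = opt[len(HASH_PREFIX):]
            if HEX64.match(digest):
                digests.append(digest)
            else:
                problems.append(f"{name}: malformed sha256 digest {digest!r}")
        else:
            problems.append(f"{name}: unexpected option {opt!r}")
    if not digests:
        problems.append(f"{name}: no --hash=sha256 digest")
    return name, version, digests, problems


def audit_requirements(text):
    """Return ({name: [digests]} for compliant entries, [problem strings])."""
    pinned, problems = {}, []
    for line in logical_lines(text):
        name, _version, digests, probs = parse_requirement(line)
        problems.extend(probs)
        if not probs:
            pinned[name] = digests
    return pinned, problems


def artifact_matches(data, digests):
    """True if the sha256 of the artifact bytes is one of the pinned digests."""
    return hashlib.sha256(data).hexdigest() in digests


if __name__ == "__main__":
    pinned, problems = audit_requirements(SAMPLE_REQUIREMENTS)
    for name, digests in pinned.items():
        print(f"OK   {name}: {len(digests)} pinned digest(s)")
    for p in problems:
        print(f"FAIL {p}")
    raise SystemExit(1 if problems else 0)
```

Running it against the sample reports `build` as compliant and flags `wheel` (range, not an exact pin) and `setuptools` (no digest), exiting non-zero just as `pip install --require-hashes` would refuse the file. Keeping two digests per pinned package matters in practice because pip may resolve to either the sdist or a platform wheel, and each file has its own hash.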