chore(python): add pip lock files for reproducible builds #167

@WilliamBerryiii

OSSF Silver Criterion

build_repeatable (MUST) — The project MUST have a reproducible build. If no build is required, select "not applicable."

Description

Generate and commit pip lock files for the repository's Python dependencies. The requirements.txt at the repository root currently has loosely pinned dependencies with no lock file, making Python builds non-reproducible. This issue covers the Python portion of build_repeatable. The Terraform portion is addressed in #166.

Acceptance Criteria

  • Hash-pinned lock file exists for Python dependencies (requirements.lock via uv pip compile --generate-hashes)
  • Lock file is committed to version control
  • CI uses the lock file for Python dependency installation (uv pip install -r requirements.lock)
  • Process for regenerating the lock file is documented

Implementation Guidance

Use uv pip compile to generate a hash-pinned lock file from the existing requirements.txt. The uv lock command requires a pyproject.toml, which this repository does not have; uv pip compile works directly with requirements.txt and aligns with project conventions (.github/instructions/uv-projects.instructions.md).

# Generate hash-pinned lock file
uv pip compile requirements.txt -o requirements.lock --generate-hashes

# Install from lock file in CI
uv pip install -r requirements.lock

Update CI scripts that install Python dependencies to use requirements.lock instead of requirements.txt. Add a regeneration note to CONTRIBUTING.md or the lock file header.
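
A CI-side guard for the lock file the acceptance criteria ask for, added here as an example and not a script from this repository or from uv. It assumes the uv pip compile output layout (a name==version line followed by --hash=sha256: continuation lines) and the file names the issue uses (requirements.txt, requirements.lock). The two sample lock files it writes are constructed, with dummy digests, so the check can be exercised without network access or uv installed.

```shell
#!/usr/bin/env sh
# check-lock.sh: CI guard for a hash-pinned requirements.lock.
# Added example for this issue, not a script from the repository or from uv.
# Assumes the pip-compile/uv layout: "name==version \" followed by one
# "--hash=sha256:<64 lowercase hex>" continuation line per artifact.

# Report every requirement that is not hash-locked. Prints one problem per
# line ("missing-hash NAME", "bad-hash NAME", "unpinned NAME") and returns 1
# if anything was printed, 0 for a clean lock.
check_lock() {
    problems=$(awk '
        function flush() { if (pkg != "" && hashes == 0) print "missing-hash " pkg }
        # A pinned requirement (name==version, optional [extras]) starts a record.
        /^[A-Za-z0-9_.-]+(\[[A-Za-z0-9_,.-]*\])?==/ {
            flush(); pkg = $0; sub(/\[.*$/, "", pkg); sub(/=.*$/, "", pkg); hashes = 0
        }
        # Any other operator (>=, ~=, <, !=) is not a reproducible pin.
        /^[A-Za-z0-9_.-]+(\[[A-Za-z0-9_,.-]*\])?[<>~!]/ {
            flush(); name = $0; sub(/\[.*$/, "", name); sub(/[<>~!].*$/, "", name)
            print "unpinned " name; pkg = ""
        }
        # Hash continuation line: must carry a full sha256 digest.
        /--hash=sha256:/ && pkg != "" {
            digest = $0; sub(/^.*--hash=sha256:/, "", digest); sub(/[^0-9a-f].*$/, "", digest)
            if (length(digest) == 64) hashes++; else print "bad-hash " pkg
        }
        END { flush() }
    ' "$1")
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Regenerate from requirements.txt and compare with the committed lock,
# ignoring uv's header comments (the header embeds the exact command line,
# so it differs between runs). Needs uv; returns 2 when it is not installed.
lock_in_sync() {
    command -v uv >/dev/null 2>&1 || { echo "uv not installed" >&2; return 2; }
    fresh=$(mktemp); current=$(mktemp)
    uv pip compile --generate-hashes requirements.txt | grep -v '^#' > "$fresh"
    grep -v '^#' requirements.lock > "$current"
    diff -u "$current" "$fresh"; rc=$?
    rm -f "$fresh" "$current"; return $rc
}

# --require-hashes makes every requirement need a hash. uv already verifies
# hashes that are present, but this also rejects a lock that was hand-edited
# to drop one, which is the property the build_repeatable criterion wants.
install_from_lock() {
    uv pip install --require-hashes -r requirements.lock
}

# Constructed sample locks for a dry run (dummy digests, no network, no uv).
write_sample_locks() {
    h1=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
    cat > "$1/good.lock" <<EOF
# This file was autogenerated by uv via the following command:
#    uv pip compile requirements.txt -o requirements.lock --generate-hashes
certifi==2024.8.30 \\
    --hash=sha256:$h1 \\
    --hash=sha256:$h1
    # via requests
requests==2.32.3 \\
    --hash=sha256:$h1
EOF
    cat > "$1/bad.lock" <<EOF
certifi==2024.8.30 \\
    --hash=sha256:$h1
idna==3.10
    # via requests
requests>=2.32 \\
    --hash=sha256:$h1
EOF
}

# Usage: sh check-lock.sh          -> check ./requirements.lock if present
#        sh check-lock.sh --demo   -> run against the constructed samples
case "${1:-}" in
    --demo)
        d=$(mktemp -d); write_sample_locks "$d"
        check_lock "$d/good.lock" && echo "good.lock: ok"
        check_lock "$d/bad.lock" || echo "bad.lock: rejected"
        rm -rf "$d" ;;
    "")
        if [ -f requirements.lock ]; then check_lock requirements.lock; fi ;;
esac
```

Run it with --demo to see the constructed locks accepted and rejected; in CI, run it with no arguments after checkout and before the install step. Installing with --require-hashes rather than plain -r requirements.lock is deliberate: uv verifies the hashes it finds in the file either way, but --require-hashes also refuses to proceed if any requirement lacks one, which is what makes the lock a supply-chain control rather than a convenience. lock_in_sync catches the other failure mode, a requirements.txt edited without regenerating the lock, which check_lock alone cannot see.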

References

  • Research: .copilot-tracking/research/2026-02-07-ossf-silver-gaps-detail-research.md — build_repeatable
