
fix(build): pin all dependencies for OSSF Scorecard#402

Merged
WilliamBerryiii merged 6 commits into main from fix/ossf-pinned-dependencies
Apr 21, 2026

Conversation


@WilliamBerryiii WilliamBerryiii commented Apr 19, 2026

fix(build): pin all dependencies for OSSF Scorecard

Description

Remediates the OSSF Scorecard Pinned-Dependencies finding (47 warnings + 1 shell parse error) across the repository. Single commit 7f09fa50 updates 75 files (+12,455 / -331) to pin GitHub Actions by commit SHA, regenerate hashed Python lockfiles, pin Docker base images by sha256 digest with explicit tool versions, switch npm installs to npm ci with refreshed package-lock.json, and lock NuGet restores via packages.lock.json. A shell parse error in scripts/k3s-device-setup.sh is also fixed.

Related Issue

Closes #403

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Blueprint modification
  • Component modification
  • Documentation update
  • CI/CD pipeline change
  • Other (security/supply-chain hardening for OSSF Scorecard)

Implementation Details

  • GitHub Actions: 12 workflows pinned to immutable commit SHAs with version comments.
  • Python: regenerated lockfiles using pip-compile --generate-hashes across 26 sites; added .github/requirements/ for workflow-scoped Python tooling and renamed root requirements to requirements.base.in / requirements.base.txt.
  • Docker: pinned base images by sha256 digest and pinned tool versions in 16 downloadThenRun install sites; deviation PD-03 removes redundant rustup from 502 broker/subscriber images (Pattern B); deviation PD-04 keeps colcon builder-only.
  • npm: migrated installs to npm ci across 4 sites; package-lock.json regenerated (+2,161 lines). Risk: secretlint bumped 9.3.4 → 12.0.0 (major).
  • NuGet: enabled locked-mode restore with packages.lock.json for InferencePipeline and Tests projects (+369 / +550 lines).
  • Shell: fixed parse error in scripts/k3s-device-setup.sh.
  • Documented deviations PD-01 through PD-05 in the plan.

Testing Performed

  • Terraform plan/apply validation
  • Blueprint deployment test
  • Unit tests
  • Integration tests
  • Regression test
  • Manual validation
  • Other: pip-compile dry-run, npm ci, dotnet restore --locked-mode

Validation Steps

npm run mdlint-fix
pip install --require-hashes -r .github/requirements/requirements.txt
dotnet restore --locked-mode
# Re-run OSSF Scorecard locally or via workflow to confirm Pinned-Dependencies score delta.

Checklist

  • Documentation updated (plan, changes log, review log)
  • Tests added/updated
  • All tests pass locally
  • terraform fmt run on all modified files
  • terraform validate passes
  • az bicep format run on all modified files
  • az bicep build passes
  • No sensitive data (keys, passwords, PII) included
  • All lint checks pass

Security Review

  • No hardcoded credentials or secrets
  • RBAC follows least-privilege principle (n/a — no RBAC changes)
  • No new public network exposure without justification (n/a)
  • Dependency vulnerabilities reviewed
  • Container image changes use pinned digests or SHA references

Additional Notes

Review log: .copilot-tracking/reviews/2026-04-17/ossf-pinned-dependencies-review.md — Status ✅ Complete; 0 Critical / 0 Major / 3 Minor / 4 Info. Reviewer note: "No rework required to ship; recommend reconciling docs and running OSSF re-scan before opening any PR."

Minor follow-ups (not blocking):

  • Reconcile plan checkboxes (Phases 4.4, 4.5, 5 still [ ]) and changes-log file count (says 67; actual 75).
  • Smoke test secretlint v12 (major bump from 9.3.4).
  • CI dry run + OSSF Scorecard delta scan post-merge.
  • Backlog: introduce Renovate/Dependabot, actionlint, NuGet Central Package Management, document Update-DockerSHAPinning.ps1.

Deviations from plan: PD-01 base branch is main (not dev); PD-02 --generate-hashes for pip-compile; PD-03 Pattern B removal of rustup in 502 broker/subscriber; PD-04 colcon builder-only; PD-05 loose .in constraints with pinning enforced in .txt.

Screenshots

n/a

- pin GitHub Actions to commit SHAs; migrate workflows to npm ci
- regenerate npm and pip lockfiles with hashes
- pin Dockerfile base images by sha256 and tool versions
- enable NuGet lockfiles with --locked-mode restore

🔒 - Generated by Copilot
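As an added example (not code from this PR or the repository), a small checker for the two pinning rules the PR applies: GitHub Actions `uses:` references must carry a full commit SHA, and Dockerfile FROM images must carry a sha256 digest. The sample workflow and Dockerfile, the placeholder SHA/digest values, and the function names are all my own constructions.

```python
import re

# Added example, not code from this PR: flags the two kinds of unpinned
# reference the OSSF Pinned-Dependencies check reports and this PR fixed.
SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)

def unpinned_actions(workflow_text):
    """Return `uses:` refs not pinned to a 40-hex commit SHA (tags like @v5
    are reported; local ./path actions are skipped)."""
    bad = []
    for m in filter(None, map(USES_RE.match, workflow_text.splitlines())):
        ref = m.group(1).strip("\"'")
        if not ref.startswith("./") and not SHA40.match(ref.partition("@")[2]):
            bad.append(ref)
    return bad

def unpinned_images(dockerfile_text):
    """Return FROM images lacking an @sha256 digest; references to earlier
    build stages (FROM <stage> AS ...) are not images and are skipped."""
    stages, bad = set(), []
    for m in filter(None, map(FROM_RE.match, dockerfile_text.splitlines())):
        image, alias = m.group(1), m.group(2)
        if alias:
            stages.add(alias.lower())
        if image.lower() not in stages and "@sha256:" not in image:
            bad.append(image)
    return bad

# Constructed sample inputs; the SHA and digest are placeholders, not real.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@1111111111111111111111111111111111111111 # v4
  - uses: actions/setup-python@v5
  - uses: ./.github/actions/local-tool
"""
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim@sha256:{d} AS builder
FROM node:20
FROM builder AS final
""".format(d="0" * 64)

if __name__ == "__main__":
    print(unpinned_actions(SAMPLE_WORKFLOW))   # ['actions/setup-python@v5']
    print(unpinned_images(SAMPLE_DOCKERFILE))  # ['node:20']
```

Run it over `.github/workflows/*.yml` and each Dockerfile in CI to catch a regression before the next Scorecard scan does.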

@katriendg katriendg left a comment


Left one comment with the reviewer; others were minor and not worth posting.

Comment thread .github/workflows/security-staleness-check.yml
WilliamBerryiii and others added 5 commits April 20, 2026 10:21
Resolve conflicts:
- package.json: drop docsify-cli (removed in main with docsify->docusaurus migration)
- .github/workflows/docs-automation.yml: keep main's version (docsify build job removed)
- requirements.in: bump python-hcl2 to 8.1.2 and checkov to 3.2.521 from main
- requirements.txt and package-lock.json: regenerate with pinned hashes

Address review comment RI-1 (security-staleness-check.yml):
- Add actions/setup-python step (PEP 668 externally-managed-environment fix)
- Add Get-Command checkov guard so a missing binary fails loudly
# Conflicts:
#	src/100-edge/100-cncf-cluster/scripts/deploy-script-secrets.sh
#	src/100-edge/100-cncf-cluster/scripts/k3s-device-setup.sh
…security-comprehensive workflow

🔒 - Generated by Copilot
@WilliamBerryiii WilliamBerryiii merged commit 79e6971 into main Apr 21, 2026
32 checks passed
@WilliamBerryiii WilliamBerryiii deleted the fix/ossf-pinned-dependencies branch April 21, 2026 03:58


Development

Successfully merging this pull request may close these issues.

OSSF Scorecard: pin all dependencies (Pinned-Dependencies finding)

2 participants