fix(security): pin pip dependencies by hash for reproducible builds

.github/workflows/ci.yml

@@ -39,7 +39,7 @@ jobs:
 
       - name: Lint backend (Ruff)
         run: |
-          pip install ruff
+          pip install --require-hashes --no-deps -r apps/api/requirements-ci.lock
           ruff check apps/api/src/ apps/api/tests/
 
       - name: Install frontend dependencies
@@ -76,8 +76,8 @@ jobs:
 
       - name: Install backend dependencies
         run: |
-          pip install -r apps/api/requirements.txt
-          pip install -r apps/api/requirements-dev.txt
+          pip install --require-hashes -r apps/api/requirements.lock
+          pip install --require-hashes --no-deps -r apps/api/requirements-dev.lock
 
       - name: Run backend tests
         run: pytest tests/ -v --tb=short
@@ -114,8 +114,8 @@ jobs:
 
       - name: Scan Python dependencies
         run: |
-          pip install pip-audit
-          pip-audit -r apps/api/requirements.txt
+          pip install --require-hashes --no-deps -r apps/api/requirements-ci.lock
+          pip-audit -r apps/api/requirements.lock --require-hashes
         continue-on-error: true
 
       - name: Scan Node dependencies

Makefile

@@ -84,3 +84,14 @@ tf-plan: ## Plan Terraform changes
 
 tf-apply: ## Apply Terraform changes
 	cd infra/terraform && terraform apply tfplan
+
+# ---------------------------------------------------------------------------
+# Dependency Lock Files
+# ---------------------------------------------------------------------------
+
+lock-deps: ## Regenerate hash-locked Python requirements files
+	docker run --rm -v $(PWD)/apps/api:/app -w /app python:3.12-slim \
+		sh -c "pip install pip-tools && \
+		pip-compile --generate-hashes --output-file=requirements.lock requirements.txt && \
+		pip-compile --generate-hashes --output-file=requirements-dev.lock requirements-dev.txt && \
+		pip-compile --generate-hashes --output-file=requirements-ci.lock requirements-ci.txt"

apps/api/Dockerfile

@@ -13,16 +13,16 @@ RUN apt-get update && \
     apt-get install -y --no-install-recommends curl && \
     rm -rf /var/lib/apt/lists/*
 
-COPY requirements.txt .
-RUN pip install --no-cache-dir -r requirements.txt
+COPY requirements.lock .
+RUN pip install --no-cache-dir --require-hashes -r requirements.lock
 
 # ---------------------------------------------------------------------------
 # Development stage: hot-reload with source mounted
 # ---------------------------------------------------------------------------
 FROM base AS development
 
-COPY requirements-dev.txt .
-RUN pip install --no-cache-dir -r requirements-dev.txt
+COPY requirements-dev.lock .
+RUN pip install --no-cache-dir --require-hashes --no-deps -r requirements-dev.lock
 
 COPY . .
 

apps/api/requirements-ci.txt

@@ -0,0 +1,6 @@
+# CI-only tools used by GitHub Actions workflows.
+# Pinned versions (no hashes needed since these are not application dependencies
+# but we keep them pinned for reproducibility and to satisfy Scorecard pinning).
+ruff==0.15.14
+pip-audit==2.10.0
+pip-tools==7.5.1