PREQ-4947 pipfile lock update

[julien-carsique-sonarsource]

The pipenv install --deploy security check parameter will abort if the Pipfile.lock is out-of-date, or Python version is wrong.

• Configure pip with Repox
• Add --deploy option everywhere
• Update the Pipfile.lock files with pipenv lock; pipenv update

This adds a requirement for the public-reader preset: https://github.com/SonarSource/re-terraform-aws-vault/pull/8857

Test with https://github.com/SonarSource/gh-action_releasability/actions/runs/23738357260

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues
0 Dependency risks

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonar-review-alpha]

Summary

This PR enforces stricter Python dependency management by adding the --deploy flag to all pipenv install commands and configuring pip to use the Repox artifact repository. The --deploy flag validates that Pipfile.lock matches the current environment and Python version, failing fast if dependencies are out of sync. Both Pipfile.lock files have been regenerated to reflect current dependency versions. The changes span the CI workflow, Makefiles, and both root and releasability-status GitHub Actions definitions.

What reviewers should know

Files to review in order:

1. action.yml and releasability-status/action.yml — The main entry points. Look for the new config-pip action step and --deploy flags on pipenv install calls.

2. Makefile and releasability-status/Makefile — Short and simple; verify --deploy is added to both test and releasability-check targets.

3. .github/workflows/build.yml — The CI definition used for testing PRs in this repo itself. Same pattern as the action.yml files.

4. Pipfile.lock files — These are large and mostly unreadable diffs. The important thing is they were regenerated fresh; spot-check a few dependency versions to confirm they look reasonable, but don't need line-by-line review.

Key context: The --deploy flag makes pipenv install fail if Pipfile.lock is stale or the Python version doesn't match. This is a security improvement to catch environment mismatches early. The config-pip action (from SonarSource/ci-github-actions) sets up pip to route traffic through Repox, which requires the public-reader preset mentioned in the description.

---

• Generate Walkthrough
• Generate Diagram

🗣️ Give feedback

[Copilot]

Pull request overview

This PR updates Python dependency lockfiles and hardens CI/install steps by enforcing pipenv install --deploy (ensuring lockfiles and Python version match), while also adding a pip configuration step via SonarSource/ci-github-actions/config-pip@v1 to support Repox usage.

Changes:

• Update Pipfile.lock files (root and releasability-status/) to current resolved dependencies/hashes.
• Add --deploy to pipenv install invocations across composite actions, workflow, and Makefiles.
• Introduce SonarSource/ci-github-actions/config-pip step before Python dependency installation.

Reviewed changes

Copilot reviewed 5 out of 7 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
action.yml	Adds pip configuration step and enforces pipenv install --deploy in the main composite action.
Pipfile.lock	Refreshes resolved dependency versions/hashes for the main action.
Makefile	Enforces --deploy for local make test and make releasability-check.
.github/workflows/build.yml	Adds pip configuration and enforces --deploy for CI dependency installs in both modules.
releasability-status/action.yml	Adds pip configuration and enforces pipenv install --deploy in the status composite action.
releasability-status/Pipfile.lock	Refreshes resolved dev dependencies/hashes for the status action.
releasability-status/Makefile	Enforces --deploy for local make test and make releasability-status.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

SonarSource/ci-github-actions/config-pip@v1 uses a mutable tag. The rest of this workflow pins actions to commit SHAs; please pin config-pip to a commit SHA as well to prevent supply-chain drift.

Suggested change

	- uses: SonarSource/ci-github-actions/config-pip@v1
	- uses: SonarSource/ci-github-actions/config-pip@0123456789abcdef0123456789abcdef01234567 # v1

[Copilot]

SonarSource/ci-github-actions/config-pip is referenced by the mutable tag @v1. In this repo most external actions are pinned to a full commit SHA (e.g., actions/setup-python@…, aws-actions/configure-aws-credentials@…) to reduce supply-chain risk; please pin this action to a specific commit SHA (and keep the # v1 comment if desired).

Suggested change

	- uses: SonarSource/ci-github-actions/config-pip@v1
	- uses: SonarSource/ci-github-actions/config-pip@0f5c4926e7e10c8ca3fee763018cabbaea807b87 # v1

[Copilot]

SonarSource/ci-github-actions/config-pip is referenced via the mutable @v1 tag. To align with the repo’s action pinning approach (commit SHA + version comment), pin this to a specific commit SHA to avoid unexpected changes in CI behavior.

Suggested change

	- uses: SonarSource/ci-github-actions/config-pip@v1
	- uses: SonarSource/ci-github-actions/config-pip@8c919a28b9a7cbdeb18f0d33bd44a14bcbb15741 # v1.0.0