obdash/requirements-gui.txt
justin 0b0ecc96e7 Fix #12: pin CI actions to SHAs, container to digest, bound deps
Supply-chain hardening for the release pipeline:
- actions/checkout and softprops/action-gh-release pinned from floating major
  tags to commit SHAs (v4.2.2 / v2.2.1) — a moved tag can no longer inject code
  into the job that holds the release token.
- Linux/arm64 build container pinned by manifest-list digest
  (nikolaik/python-nodejs:python3.12-nodejs20@sha256:9ff0859…).
- requirements-gui.txt gains upper bounds so a breaking major (e.g. numpy 3,
  PySide6 7) can't silently change a release binary; current versions still
  satisfy, so no build change.

Deferred (noted on the issue): hash-verifying the Windows get-pip.py / embed-zip
download — low value + fragile (get-pip.py isn't hash-stable) and that fallback
path is dormant now that the runner has Python installed system-wide.

Closes #12

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_016yT89n4zR4qbrySoSiEyZs
2026-07-01 19:42:51 -04:00
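As an added example (not code from the obdash repository or its CI), a small Python audit of the three controls the commit message describes: `uses:` references pinned to 40-hex commit SHAs, container images pinned by sha256 digest, and requirement lines that carry an upper bound. The workflow text, the SHA and the digest below are constructed placeholders, not the pipeline's real values.

```python
import re

HEX40 = re.compile(r"^[0-9a-f]{40}$")          # a full git commit SHA
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")  # an OCI manifest digest
USES = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*([^\s#]+)", re.M)
IMAGE = re.compile(r"^[ \t]*(?:image|container):[ \t]*([^\s#]+)", re.M)
REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*?)\s*$")

def unpinned_actions(workflow: str) -> list[str]:
    """Return `uses:` references whose ref is a tag or branch, not a 40-hex SHA."""
    bad = []
    for ref in USES.findall(workflow):
        if ref.startswith(("./", "docker://")):
            continue  # local actions have no ref; docker:// refs are out of scope here
        _, _, version = ref.partition("@")
        if not HEX40.match(version):
            bad.append(ref)
    return bad

def undigested_images(workflow: str) -> list[str]:
    """Return container image references that carry no sha256 digest."""
    return [img for img in IMAGE.findall(workflow) if not DIGEST.search(img)]

def unbounded_requirements(requirements: str) -> list[str]:
    """Return requirement names with no upper bound ('<', '==' or '~=')."""
    bad = []
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        m = REQ.match(line) if line and not line.startswith("-") else None
        if m and not any(op in m.group(2) for op in ("<", "==", "~=")):
            bad.append(m.group(1))
    return bad

# Constructed sample inputs; the SHA and digest are placeholders, not real values.
SAMPLE_WORKFLOW = f"""\
jobs:
  release:
    container:
      image: nikolaik/python-nodejs:python3.12-nodejs20@sha256:{'0' * 64}
    steps:
      - uses: actions/checkout@{'a' * 40}  # v4.2.2
      - uses: softprops/action-gh-release@v2
  smoke:
    container: python:3.12
"""
SAMPLE_REQUIREMENTS = "PySide6>=6.6,<7\npyqtgraph>=0.13,<0.15\nnumpy>=1.24\npyserial==3.5\n"
```

Run the three functions over `.github/workflows/*.yml` and the requirements files in CI; any non-empty result is a finding to fix before the release job runs with the release token.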


# GUI dependencies (cross-platform: Windows / macOS / Linux, incl. Apple Silicon)
# pip install -r requirements-gui.txt
# python run_gui.py
# Upper bounds guard the release binaries against a surprise breaking major bump
# while still resolving to wheels across the range. (bleak is optional — BLE only.)
PySide6>=6.6,<7
pyqtgraph>=0.13,<0.15
numpy>=1.24,<3
pyserial>=3.5,<4
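Review bot: the range specifiers on the PySide6, pyqtgraph, numpy and pyserial lines rule out a breaking major but still accept any release the index serves inside the range, so a compromised upload that satisfies `>=1.24,<3` would be installed into the release binary just as a legitimate one would; since the commit is framed as supply-chain hardening, consider adding a separate lock file with exact versions and `--hash=sha256:...` entries that the release job installs with `pip install --require-hashes`, keeping this range file for development use.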