security(build): pin dependencies and hash-verify downloads

[WilliamBerryiii]

Description

Addressed OpenSSF Scorecard "Pinned-Dependencies" findings by pinning all binary downloads with SHA256 hash verification, pinning Docker base images with digest references, adding Dependabot Docker ecosystem monitoring, and introducing a weekly CI workflow for binary staleness detection.

Shell Script Hash Verification

All curl | bash-style installs were replaced with a download-then-verify pattern using sha256sum -c --quiet - with temp file cleanup.

• Converted uv and terraform-docs installs in setup-dev.sh to download+hash-verify with multi-architecture support (x86_64 and aarch64)
• Converted uv install in training/rl/scripts/train.sh to download+hash-verify for x86_64
• Converted uv install in infrastructure/setup/optional/isaac-sim-vm/scripts/install-dev-deps.sh to download+hash-verify for x86_64
• Converted tflint install in .devcontainer/devcontainer.json from curl | bash to download+sha256sum verification

Docker Image Digest Pinning

All Docker base images were pinned with @sha256: digest references to prevent silent base image mutation.

• Pinned python:3.11-slim with digest in data-management/viewer/backend/Dockerfile
• Pinned node:24.14.1-slim and nginx:1.27-alpine with digests in data-management/viewer/frontend/Dockerfile
• Pinned uv to exact ==0.10.9 in evaluation/sil/docker/Dockerfile.lerobot-eval

CI Binary Freshness Workflow

• Added .github/workflows/check-binary-freshness.yml, a ~269-line weekly workflow that checks 5 pinned tool versions against latest upstream releases and manages GitHub issue lifecycle for stale binaries
  • Actions are SHA-pinned with persist-credentials: false
  • Includes a Docker image coverage boundary comment noting which images are tracked by Dependabot versus manually

Dependabot Docker Ecosystem

• Added 3 new Docker ecosystem entries in .github/dependabot.yml covering all Dockerfile directories, consistent with existing configuration (weekly Monday, 5 PR limit)

Closes #445

Type of Change

• 🐛 Bug fix (non-breaking change fixing an issue)
• ✨ New feature (non-breaking change adding functionality)
• 💥 Breaking change (fix or feature causing existing functionality to change)
• 📚 Documentation update
• 🏗️ Infrastructure change (Terraform/IaC)
• ♻️ Refactoring (no functional changes)

Component(s) Affected

• infrastructure/terraform/prerequisites/ - Azure subscription setup
• infrastructure/terraform/ - Terraform infrastructure
• infrastructure/setup/ - OSMO control plane / Helm
• workflows/ - Training and evaluation workflows
• training/ - Training pipelines and scripts
• docs/ - Documentation

Testing Performed

• Terraform plan reviewed (no unexpected changes)
• Terraform apply tested in dev environment
• Training scripts tested locally with Isaac Sim
• OSMO workflow submitted successfully
• Smoke tests passed (smoke_test_azure.py)

No items are applicable. Changes are limited to build-time dependency pinning, Dockerfiles, CI workflows, and Dependabot configuration. All SHA256 hashes were verified against upstream release artifacts. The CI workflow uses workflow_dispatch and schedule triggers for independent validation.

Documentation Impact

• No documentation changes needed
• Documentation updated in this PR
• Documentation issue filed

Checklist

• My code follows the project conventions
• Commit messages follow conventional commit format
• I have performed a self-review
• Documentation impact assessed above
• No new linting warnings introduced

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 1f1b239.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	de0fac2e4500dabe0009e67214ff5f5447ce83dd	🟢 5.7	Details Check Score Reason Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 10 all changesets reviewed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits

Scanned Files

• .github/workflows/check-binary-freshness.yml

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 65.18%. Comparing base (0458908) to head (1f1b239).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #465   +/-   ##
=======================================
  Coverage   65.18%   65.18%           
=======================================
  Files         253      253           
  Lines       15541    15541           
  Branches     2118     2118           
=======================================
  Hits        10130    10130           
  Misses       5122     5122           
  Partials      289      289           

Flag	Coverage Δ
pester	82.24% <ø> (ø)
pytest	92.40% <ø> (ø)
pytest-dataviewer	65.12% <ø> (ø)
pytest-fuzz	1.56% <ø> (ø)
vitest	51.77% <ø> (ø)

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[katriendg]

Thanks