Pin hashes in requirements (#7081)

* use global pin for requests

* unify on yaml for workflo files

* format workflow files

* pin action versions

* fix pinned version

* use system venv

* switch args

* remove uv for now and add setting for pyyaml

* use requirements file

* also switch on docker flow

* generate hashes

* added hashes to reqs

* add hashes for CI too

* add hash checking

* require hashes everywhere possible

* require hashes where possible in docker

.github/workflows/docker.yaml

@@ -24,10 +24,6 @@ on:
     branches:
       - "master"
 
-env:
-  requests_version: 2.31.0
-  pyyaml_version: 6.0.1
-
 permissions:
   contents: read
 
@@ -80,8 +76,7 @@ jobs:
           python-version: ${{ env.python_version }}
       - name: Version Check
         run: |
-          pip install requests==${{ env.requests_version }}
-          pip install pyyaml==${{ env.pyyaml_version }}
+          pip install --require-hashes -r .github/requirements.txt
           python3 .github/scripts/version_check.py
           echo "git_commit_hash=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
           echo "git_commit_date=$(git show -s --format=%ci)" >> $GITHUB_ENV