* don't autoupgrade pip: let's consider pip to be part of platform?
* pin build and tox in new requirements-build.txt: this mostly prevents
tox from going to 4.x before we're ready
* use requirements-build.txt as constraint when installing tox or build
during CI & CD
* use requirements-build.txt in requirements-dev.txt
Note that coveralls is not pinned, not sure if it should be.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

This changes very little but it does mean any jobs added in future have to
be explicit about the permissions they need. This also makes OSSF scorecard
happier.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

Use `--upgrade` option to upgrade pip with pip in workflow, instead
of non-existing `-u` option (-U would also be possible).
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>

1. update action/setup-python to latest version
2. pin major version to be used to 3.x
3. upgrade pip before using it
1 and 2 were suggested in #2089
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>