From 2e6a19d3b55e172d48bbf2e0ea38bf821b44c508 Mon Sep 17 00:00:00 2001 
From: Joe Harrison <53116754+sudo-kraken@users.noreply.github.com> Date: Tue, 7 Oct 2025 19:55:56 +0100 Subject: [PATCH] ci: updated all workflows to be pinned to commit hashes ahead of renovate connection (#1989) * ci: updated all workflows to be pineed to commit hashes ahead of renovate connection * ci: update doc links regex * ci: bump version for codeql-action * ci: bump version for action/cache to v4.2.0 * ci: adding package-manager-cache: false to the node v5 setup steps * ci: remove the --include to test precedence as it was overriding * chore: added missing @ from commit hash * ci: updates to shas to bring up to latest, also update to renovate config to account for major versions * chore: update renovate global minimum age settings * updated node sha * Apply suggestion from @M0NsTeRRR Co-authored-by: Ludovic Ortega * Apply suggestion from @M0NsTeRRR Co-authored-by: Ludovic Ortega * Apply suggestion from @M0NsTeRRR Co-authored-by: Ludovic Ortega * Apply suggestion from @M0NsTeRRR * Apply suggestion from @M0NsTeRRR --------- Co-authored-by: Ludovic Ortega --- .github/renovate.json5 | 6 ++--- .github/renovate/actions.json5 | 1 - .github/renovate/docker.json5 | 8 +++++++ .github/renovate/groups.json5 | 2 -- .github/renovate/helm.json5 | 1 + .github/workflows/ci.yml | 26 ++++++++++---------- .github/workflows/codeql.yml | 8 +++---- .github/workflows/conflict_labeler.yml | 2 +- .github/workflows/cypress.yml | 11 +++++---- .github/workflows/docs-deploy.yml | 13 +++++----- .github/workflows/docs-link-check.yml | 15 ++++-------- .github/workflows/helm.yml | 22 ++++++++--------- .github/workflows/lint-helm-charts.yml | 8 +++---- .github/workflows/preview.yml | 18 +++++++------- .github/workflows/release.yml | 33 +++++++++++++------------- .github/workflows/stale.yml | 2 +- .github/workflows/test-docs-deploy.yml | 9 +++---- .github/workflows/trivy-scan.yml | 6 ++--- Dockerfile | 4 ++-- Dockerfile.local | 2 +- 20 files changed, 101 insertions(+), 96 deletions(-) create 
mode 100644 .github/renovate/docker.json5 diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 71a90454e..1c47932c6 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -4,13 +4,12 @@ "config:recommended", ":dependencyDashboard", ":timezone(UTC)", - "docker:enableMajor", - "docker:pinDigests", "group:nextjsMonorepo", "group:reactMonorepo", "group:typescript-eslintMonorepo", "group:tailwindcssMonorepo", "github>seerr-team/seerr//.github/renovate/actions.json5", + "github>seerr-team/seerr//.github/renovate/docker.json5", "github>seerr-team/seerr//.github/renovate/groups.json5", "github>seerr-team/seerr//.github/renovate/helm.json5", "github>seerr-team/seerr//.github/renovate/labels.json5", @@ -20,5 +19,6 @@ "dependencyDashboardTitle": "Renovate Dashboard 🤖", "suppressNotifications": ["prEditedNotification", "prIgnoreNotification"], "rebaseWhen": "conflicted", - "labels": ["dependencies"] + "labels": ["dependencies"], + "minimumReleaseAge": "7 days" } diff --git a/.github/renovate/actions.json5 b/.github/renovate/actions.json5 index 3e99b1807..77671a7d6 100644 --- a/.github/renovate/actions.json5 +++ b/.github/renovate/actions.json5 @@ -8,7 +8,6 @@ { matchManagers: ['github-actions'], groupName: 'GitHub Actions', - minimumReleaseAge: '7 days', }, ], } diff --git a/.github/renovate/docker.json5 b/.github/renovate/docker.json5 new file mode 100644 index 000000000..9817e86a1 --- /dev/null +++ b/.github/renovate/docker.json5 @@ -0,0 +1,8 @@ +{ + $schema: 'https://docs.renovatebot.com/renovate-schema.json', + + extends: [ + 'docker:enableMajor', + 'docker:pinDigests' + ], +} \ No newline at end of file diff --git a/.github/renovate/groups.json5 b/.github/renovate/groups.json5 index 73fa32486..97dbe6703 100644 --- a/.github/renovate/groups.json5 +++ b/.github/renovate/groups.json5 
@@ -7,7 +7,6 @@ matchPackageNames: ['node'], matchManagers: ['dockerfile', 'npm'], groupName: 'Node.js', - minimumReleaseAge: '7 days', commitMessageTopic: 'Node.js', }, @@ -15,7 +14,6 @@ { matchPackageNames: ['pg', 'sqlite3', 'typeorm'], groupName: 'Database', - minimumReleaseAge: '7 days', }, ], } diff --git a/.github/renovate/helm.json5 b/.github/renovate/helm.json5 index 1cbe05431..e2f6e53a5 100644 --- a/.github/renovate/helm.json5 +++ b/.github/renovate/helm.json5 @@ -5,6 +5,7 @@ { matchManagers: ['helm-values'], matchFileNames: ['charts/*/values.yaml'], + minimumReleaseAge: '0' }, ], diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index de1088365..838b05be4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -26,12 +26,12 @@ jobs: container: node:22-alpine steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: Pnpm Setup - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0 - name: Get pnpm store directory shell: sh @@ -39,7 +39,7 @@ jobs: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV - name: Setup pnpm cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ${{ env.STORE_PATH }} key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }} @@ -75,7 +75,7 @@ jobs: runs-on: ${{ matrix.runner }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false 
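Review bot: The new `minimumReleaseAge: '0'` on the helm-values rule exempts `charts/*/values.yaml` from the 7-day cooldown that the top-level config now applies to every other manager, and the rule gives no reason for the exemption. That cooldown is the main guard against Renovate pulling in a freshly published, possibly compromised upstream release, so an opt-out should be scoped and explained; if the only thing bumped in values.yaml is this project's own image tag (likely, but not visible here), say so next to it, e.g. `// no cooldown: values.yaml only tracks seerr's own image, published by this repo's release workflow`. Also confirm Renovate accepts the bare `'0'` — every other release-age setting in this commit uses the `'7 days'` form, and the previous per-rule values were written that way too.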
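Review bot: The test job still runs inside `container: node:22-alpine`, a floating tag, while this same commit pins every action by SHA and both Dockerfiles by digest, so the image the tests and lint run in can change underneath those pins. Pin it the same way as the Dockerfile base, `container: node:22.20.0-alpine3.22@sha256:096829fd4bb8c2ce2340ed64dd2f857951f8704325f7acf53e3dc0561c36a214`, so the CI toolchain and the shipped image agree. Check that the github-actions manager in the new renovate config also maintains `container:` images; if it does not, this pin will go stale unless someone updates it by hand.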
@@ -84,10 +84,10 @@ jobs: run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT" - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Warm cache (no push) — ${{ matrix.platform }} - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: context: . file: ./Dockerfile @@ -111,7 +111,7 @@ jobs: id-token: write steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false @@ -120,16 +120,16 @@ jobs: run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT" - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Log in to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_TOKEN }} - name: Log in to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: ghcr.io username: ${{ github.repository_owner }} @@ -137,7 +137,7 @@ jobs: - name: Extract metadata id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | ${{ github.repository }} @@ -149,7 +149,7 @@ jobs: org.opencontainers.image.created=${{ steps.ts.outputs.TIMESTAMP }} - name: Build & Push (multi-arch, single tag) - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: context: . file: ./Dockerfile 
@@ -184,7 +184,7 @@ jobs: fi - name: Post Status to Discord - uses: sarisia/actions-status-discord@v1 + uses: sarisia/actions-status-discord@58667542682a27f270460405363e3a982f57a7ee # v1.0.0 with: webhook: ${{ secrets.DISCORD_WEBHOOK }} status: ${{ steps.status.outputs.status }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index d019b2f99..199b830df 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -37,20 +37,20 @@ jobs: language: [actions, javascript] steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6 with: languages: ${{ matrix.language }} queries: +security-and-quality - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6 with: category: '/language:${{ matrix.language }}' diff --git a/.github/workflows/conflict_labeler.yml b/.github/workflows/conflict_labeler.yml index b198a24cc..4709c67ec 100644 --- a/.github/workflows/conflict_labeler.yml +++ b/.github/workflows/conflict_labeler.yml @@ -27,7 +27,7 @@ jobs: pull-requests: write steps: - name: Apply label - uses: eps1lon/actions-label-merge-conflict@v3 + uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3 with: dirtyLabel: 'merge conflict' commentOnDirty: 'This pull request has merge conflicts. Please resolve the conflicts so the PR can be successfully reviewed and merged.' diff --git a/.github/workflows/cypress.yml b/.github/workflows/cypress.yml index ae12d01f5..76ffa2151 100644 
--- a/.github/workflows/cypress.yml +++ b/.github/workflows/cypress.yml @@ -37,23 +37,24 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: Set up Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version-file: package.json + package-manager-cache: false - name: Pnpm Setup - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0 - name: Install dependencies run: pnpm install --frozen-lockfile - name: Setup cypress cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ~/.cache/Cypress key: ${{ runner.os }}-cypress-store-${{ hashFiles('**/pnpm-lock.yaml') }} @@ -66,7 +67,7 @@ jobs: run: pnpm exec cypress install - name: Cypress run - uses: cypress-io/github-action@v6 + uses: cypress-io/github-action@b8ba51a856ba5f4c15cf39007636d4ab04f23e3c # v6.10.2 with: install: false build: pnpm cypress:build diff --git a/.github/workflows/docs-deploy.yml b/.github/workflows/docs-deploy.yml index bd54722ec..fc98ab793 100644 --- a/.github/workflows/docs-deploy.yml +++ b/.github/workflows/docs-deploy.yml @@ -22,18 +22,19 @@ jobs: name: Build Docusaurus runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 persist-credentials: false - name: Set up Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version-file: package.json + package-manager-cache: false - name: Pnpm Setup - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0 - name: Get pnpm store directory shell: sh 
@@ -41,7 +42,7 @@ jobs: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV - name: Setup pnpm cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ${{ env.STORE_PATH }} key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }} @@ -58,7 +59,7 @@ jobs: run: pnpm build - name: Upload Build Artifact - uses: actions/upload-pages-artifact@v4 + uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b6 # v4.0.0 with: path: gen-docs/build @@ -76,4 +77,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v4 + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5 diff --git a/.github/workflows/docs-link-check.yml b/.github/workflows/docs-link-check.yml index 6fd5442f5..26f71ca42 100644 --- a/.github/workflows/docs-link-check.yml +++ b/.github/workflows/docs-link-check.yml @@ -36,27 +36,22 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 persist-credentials: false - name: Run Lychee link checker - uses: lycheeverse/lychee-action@v2 + uses: lycheeverse/lychee-action@885c65f3dc543b57c898c8099f4e08c8afd178a2 # v2.6.1 with: fail: false args: >- --verbose --no-progress --accept 200..204,300..304,307,308,404,429,999 - --include '^(http|https)://.*' --exclude '^file://' - --exclude '^https?://localhost' - --exclude '^https?://127\.0\.0\.1' - --exclude '^https?://0\.0\.0\.0' - --exclude '^https?://\[\:\:1\]' - --exclude '^https?://\[\:\:\]' - --exclude '^https?://support.discord.com' + --exclude '^https?://(localhost|127\.0\.0\.1|0\.0\.0\.0|\[::1\]|\[::\])' + --exclude '^https?://support\.discord\.com' './docs/**/*.md' './docs/**/*.mdx' './gen-docs/**/*.md' 
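Review bot: The ref on the `actions/upload-pages-artifact` line, `7b1f4a764d45c48632c6b24a0339c27f5614fb0b6`, is 41 hex characters, not the 40 of a git commit SHA, so GitHub will fail to resolve the action and the docs build job will break at the upload step. Every other ref in this commit is 40 characters, which makes this look like a paste error rather than an intended value; verify the v4.0.0 tag and drop the stray digit, e.g. `uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0`. A quick guard against this class of mistake is to run the actions linter (or a one-line grep for `@[0-9a-f]{41,}`) in the actions CodeQL job that this commit already pins.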
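Review bot: The merged exclude `'^https?://(localhost|127\.0\.0\.1|0\.0\.0\.0|\[::1\]|\[::\])'` has no terminator after the host, so it also silences any link whose host merely starts with one of those strings, such as `localhost.example.com` or `127.0.0.10`; the previous per-host patterns had the same gap, but this rewrite is the place to close it. Anchor the host with a port-or-path boundary, `--exclude '^https?://(localhost|127\.0\.0\.1|0\.0\.0\.0|\[::1\]|\[::\])(:\d+)?(/|$)'`. Note also that with `fail: false` and `404` in `--accept` (unchanged context above), this step can never fail the workflow, so a broken exclude would only show up in the uploaded report.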
@@ -65,7 +60,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload Lychee report - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: lychee-report path: | diff --git a/.github/workflows/helm.yml b/.github/workflows/helm.yml index 2e49b36cf..48df8e1e9 100644 --- a/.github/workflows/helm.yml +++ b/.github/workflows/helm.yml @@ -28,19 +28,19 @@ jobs: has_artifacts: ${{ steps.check-artifacts.outputs.has_artifacts }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 persist-credentials: false - name: Install helm - uses: azure/setup-helm@v4 + uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1 - name: Install Oras - uses: oras-project/setup-oras@v1 + uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1.2.4 - name: Login to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -76,7 +76,7 @@ jobs: fi - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 if: steps.check-artifacts.outputs.has_artifacts == 'true' with: name: artifacts 
@@ -93,28 +93,28 @@ jobs: if: needs.package-helm-chart.outputs.has_artifacts == 'true' steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 persist-credentials: false - name: Install helm - uses: azure/setup-helm@v4 + uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1 - name: Install Oras - uses: oras-project/setup-oras@v1 + uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1.2.4 - name: Install Cosign - uses: sigstore/cosign-installer@v3 + uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0 - name: Downloads artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: name: artifacts path: .cr-release-packages/ - name: Login to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: ghcr.io username: ${{ github.actor }} diff --git a/.github/workflows/lint-helm-charts.yml b/.github/workflows/lint-helm-charts.yml index 461158f23..b0533fbd0 100644 --- a/.github/workflows/lint-helm-charts.yml +++ b/.github/workflows/lint-helm-charts.yml 
@@ -28,19 +28,19 @@ jobs: contents: read steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 persist-credentials: false - name: Set up Helm - uses: azure/setup-helm@v4 + uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1 - name: Set up chart-testing - uses: helm/chart-testing-action@v2 + uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0 - name: Ensure documentation is updated - uses: docker://jnorwood/helm-docs:v1.14.2 + uses: docker://jnorwood/helm-docs@sha256:7e562b49ab6b1dbc50c3da8f2dd6ffa8a5c6bba327b1c6335cc15ce29267979c # v1.14.2 - name: Run chart-testing (list-changed) id: list-changed diff --git a/.github/workflows/preview.yml b/.github/workflows/preview.yml index 4b86393ce..edaac172a 100644 --- a/.github/workflows/preview.yml +++ b/.github/workflows/preview.yml @@ -30,7 +30,7 @@ jobs: runs-on: ${{ matrix.runner }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false @@ -39,7 +39,7 @@ jobs: run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT" - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Derive preview version from tag id: ver @@ -52,7 +52,7 @@ jobs: echo "Building preview version: ${VER}" - name: Warm cache (no push) — ${{ matrix.platform }} - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: context: . file: ./Dockerfile @@ -76,7 +76,7 @@ jobs: id-token: write steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false 
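Review bot: The helm-docs step now references the image by digest only, `docker://jnorwood/helm-docs@sha256:7e562b…979c`, with the version surviving solely in the trailing `# v1.14.2` comment. Keeping the tag alongside the digest, `uses: docker://jnorwood/helm-docs:v1.14.2@sha256:7e562b49ab6b1dbc50c3da8f2dd6ffa8a5c6bba327b1c6335cc15ce29267979c`, is the form the `docker:pinDigests` preset produces for Dockerfiles and lets Renovate see the version from the reference itself rather than from a comment; the digest still governs what is pulled. Whether Renovate's github-actions manager reads the comment for `docker://` references is not something this diff shows, so check its dashboard after the first run either way.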
@@ -85,16 +85,16 @@ jobs: run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT" - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Log in to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_TOKEN }} - name: Log in to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: ghcr.io username: ${{ github.repository_owner }} @@ -112,7 +112,7 @@ jobs: - name: Extract metadata id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | ${{ github.repository }} @@ -124,7 +124,7 @@ jobs: org.opencontainers.image.created=${{ steps.ts.outputs.TIMESTAMP }} - name: Build & Push (multi-arch, single tag) - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: context: . file: ./Dockerfile diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2baa23854..49bc2ff67 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -23,18 +23,19 @@ jobs: new_release_version: ${{ steps.release.outputs.new_release_version }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 persist-credentials: false - name: Set up Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version-file: package.json + package-manager-cache: false - name: Pnpm Setup - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0 - name: Get pnpm store directory shell: sh @@ -42,7 +43,7 @@ jobs: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV - name: Setup pnpm cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ${{ env.STORE_PATH }} key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }} @@ -54,7 +55,7 @@ jobs: - name: Release id: release - uses: cycjimmy/semantic-release-action@v5 + uses: cycjimmy/semantic-release-action@9cc899c47e6841430bbaedb43de1560a568dfd16 # v5.0.0 with: extra_plugins: | @semantic-release/git@10 @@ -79,7 +80,7 @@ jobs: runs-on: ${{ matrix.runner }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false @@ -88,10 +89,10 @@ jobs: run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT" - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Warm cache (no push) — ${{ matrix.platform }} - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: context: . file: ./Dockerfile 
@@ -116,7 +117,7 @@ jobs: packages: write steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false @@ -125,16 +126,16 @@ jobs: run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT" - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Log in to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_TOKEN }} - name: Log in to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: ghcr.io username: ${{ github.repository_owner }} @@ -142,7 +143,7 @@ jobs: - name: Extract metadata id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: | ${{ github.repository }} @@ -153,7 +154,7 @@ jobs: org.opencontainers.image.created=${{ steps.ts.outputs.TIMESTAMP }} - name: Build & Push (multi-arch, single tag) - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: context: . file: ./Dockerfile @@ -191,7 +192,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Get Build Job Status - uses: technote-space/workflow-conclusion-action@v3 + uses: technote-space/workflow-conclusion-action@45ce8e0eb155657ab8ccf346ade734257fd196a5 # v3.0.3 - name: Combine Job Status id: status @@ -204,7 +205,7 @@ jobs: fi - name: Post Status to Discord - uses: sarisia/actions-status-discord@v1 + uses: sarisia/actions-status-discord@58667542682a27f270460405363e3a982f57a7ee # v1.0.0 with: webhook: ${{ secrets.DISCORD_WEBHOOK }} status: ${{ steps.status.outputs.status }} 
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 3a4ce1099..4ccd7c88c 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -21,7 +21,7 @@ jobs: issues: write pull-requests: write steps: - - uses: actions/stale@v10.1.0 + - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0 with: any-of-labels: "pending author's response" exempt-issue-labels: 'confirmed' diff --git a/.github/workflows/test-docs-deploy.yml b/.github/workflows/test-docs-deploy.yml index 323bb0504..1fb49859d 100644 --- a/.github/workflows/test-docs-deploy.yml +++ b/.github/workflows/test-docs-deploy.yml @@ -24,18 +24,19 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 persist-credentials: false - name: Set up Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version-file: package.json + package-manager-cache: false - name: Pnpm Setup - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0 - name: Get pnpm store directory shell: sh @@ -43,7 +44,7 @@ jobs: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV - name: Setup pnpm cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ${{ env.STORE_PATH }} key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }} diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml index 5832f7310..2f5dd1dc0 100644 --- a/.github/workflows/trivy-scan.yml +++ b/.github/workflows/trivy-scan.yml 
@@ -34,13 +34,13 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 persist-credentials: false - name: Cache Trivy DB - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: .trivycache key: trivy-${{ runner.os }}-${{ hashFiles('**/Dockerfile') }} @@ -56,6 +56,6 @@ jobs: ignore-unfixed: true - name: Upload SARIF to code scanning - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6 with: sarif_file: trivy.sarif diff --git a/Dockerfile b/Dockerfile index 650027e45..9bb6853b9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM node:22-alpine AS build_image +FROM node:22.20.0-alpine3.22@sha256:096829fd4bb8c2ce2340ed64dd2f857951f8704325f7acf53e3dc0561c36a214 AS build_image ARG SOURCE_DATE_EPOCH ARG TARGETPLATFORM @@ -33,7 +33,7 @@ RUN pnpm prune --prod --ignore-scripts && \ touch config/DOCKER && \ echo "{\"commitTag\": \"${COMMIT_TAG}\"}" > committag.json -FROM node:22-alpine +FROM node:22.20.0-alpine3.22@sha256:096829fd4bb8c2ce2340ed64dd2f857951f8704325f7acf53e3dc0561c36a214 ENV PNPM_HOME="/pnpm" ENV PATH="$PNPM_HOME:$PATH" diff --git a/Dockerfile.local b/Dockerfile.local index 8d0ce3f33..1cefe8f29 100644 --- a/Dockerfile.local +++ b/Dockerfile.local @@ -1,4 +1,4 @@ -FROM node:22-alpine +FROM node:22.20.0-alpine3.22@sha256:096829fd4bb8c2ce2340ed64dd2f857951f8704325f7acf53e3dc0561c36a214 ENV PNPM_HOME="/pnpm" ENV PATH="$PNPM_HOME:$PATH"
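Review bot: The digest `sha256:096829fd…a214` now pinned on both `FROM` lines must be the multi-arch index (manifest list) digest for `node:22.20.0-alpine3.22`, not the digest of one platform's manifest; this image is built per `matrix.platform` with `ARG TARGETPLATFORM` (visible two lines below the first `FROM`), and a single-arch digest would make the other leg of the matrix fail to pull or build the wrong platform. The diff cannot show which kind it is, so verify with `docker buildx imagetools inspect node:22.20.0-alpine3.22@sha256:096829fd4bb8c2ce2340ed64dd2f857951f8704325f7acf53e3dc0561c36a214` and confirm it lists both amd64 and arm64. The same digest is reused in Dockerfile.local, so the check covers both files.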