diff --git a/.github/workflows/check-pr-title.yml b/.github/workflows/check-pr-title.yml
index 4b1c75e6..9d6afcff 100644
--- a/.github/workflows/check-pr-title.yml
+++ b/.github/workflows/check-pr-title.yml
@@ -16,4 +16,4 @@ jobs:
 runs-on: ubuntu-22.04
 steps:
- - uses: blumilksoftware/action-pr-title@v1.2.0
+ - uses: blumilksoftware/action-pr-title@e05fc76a1cc45b33644f1de51218be43ac121dd0 # v1.2.0
diff --git a/.github/workflows/deploy-to-beta-manually.yml b/.github/workflows/deploy-to-beta-manually.yml
index 44375233..378eae22 100644
--- a/.github/workflows/deploy-to-beta-manually.yml
+++ b/.github/workflows/deploy-to-beta-manually.yml
@@ -22,7 +22,7 @@ jobs:
 run: echo "BRANCH_NAME=$GITHUB_REF_NAME" >> $GITHUB_ENV
 - name: checkout
- uses: actions/checkout@v4.1.4
+ uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 with:
 fetch-depth: 0
 ref: ${{ env.BRANCH_NAME }}
@@ -37,10 +37,10 @@ jobs:
 run: echo "DEPLOYMENT_PROJECT_VERSION=$(bash ./environment/prod/deployment/scripts/version.sh --long)" >> $GITHUB_ENV
 - name: set up Docker Buildx
- uses: docker/setup-buildx-action@v3.3.0
+ uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 - name: login to GitHub Container Registry
- uses: docker/login-action@v3.1.0
+ uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
 with:
 registry: ${{ env.DOCKER_REGISTRY }}
 username: ${{ env.DOCKER_REGISTRY_USER_NAME }}
@@ -51,14 +51,14 @@ jobs:
 - name: Docker meta
 id: meta
- uses: docker/metadata-action@v5.5.1
+ uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
 with:
 images: ${{ env.DOCKER_IMAGE_NAME }}
 tags: type=raw,value=beta
 context: git
 - name: build and push image
- uses: docker/build-push-action@v5.3.0
+ uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
 with:
 context: .
 file: ./environment/prod/app/Dockerfile
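Review bot: The `# v1.2.0` comment after the pinned SHA on the `uses:` line is not checked by anything, so the SHA and the version comment can silently drift apart on the next manual bump; the same applies to every `uses:` pin in this commit (deploy-to-beta-manually.yml, deploy-to-prod.yml, run-command-on-beta.yml, test-and-lint-js.yml, test-and-lint-php.yml). Unless a Dependabot `github-actions` or Renovate configuration already maintains these pins (not visible in this diff), consider adding one so the SHA and the comment are refreshed together. Pinning by commit SHA only delivers the intended supply-chain guarantee if each SHA was confirmed to be the commit behind the named release tag; the trailing comment documents intent but does not prove that.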
@@ -70,7 +70,7 @@ jobs:
 cache-to: type=gha, ref=${{ env.DOCKER_IMAGE_NAME }}-beta-build-cache, mode=max
 - name: copy files via ssh
- uses: appleboy/scp-action@v0.1.7
+ uses: appleboy/scp-action@917f8b81dfc1ccd331fef9e2d61bdc6c8be94634 # v0.1.7
 with:
 timeout: 10s
 command_timeout: 10m
@@ -84,7 +84,7 @@ jobs:
 rm: true
 - name: run deployment script over ssh
- uses: appleboy/ssh-action@v1.0.3
+ uses: appleboy/ssh-action@029f5b4aeeeb58fdfe1410a5d17f967dacf36262 # v1.0.3
 with:
 timeout: 10s
 command_timeout: 10m
diff --git a/.github/workflows/deploy-to-prod.yml b/.github/workflows/deploy-to-prod.yml
index e0a4b972..b374aa9c 100644
--- a/.github/workflows/deploy-to-prod.yml
+++ b/.github/workflows/deploy-to-prod.yml
@@ -20,16 +20,16 @@ jobs:
 DOCKER_REGISTRY_PROJECT_NAME: ${{ github.event.repository.name }}
 steps:
 - name: checkout
- uses: actions/checkout@v4.1.4
+ uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 - name: set deployment project version
 run: echo "DEPLOYMENT_PROJECT_VERSION=$(bash ./environment/prod/deployment/scripts/version.sh --long)" >> $GITHUB_ENV
 - name: set up Docker Buildx
- uses: docker/setup-buildx-action@v3.3.0
+ uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 - name: login to GitHub Container Registry
- uses: docker/login-action@v3.1.0
+ uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
 with:
 registry: ${{ env.DOCKER_REGISTRY }}
 username: ${{ env.DOCKER_REGISTRY_USER_NAME }}
@@ -40,7 +40,7 @@ jobs:
 - name: Docker meta
 id: meta
- uses: docker/metadata-action@v5.5.1
+ uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
 with:
 images: ${{ env.DOCKER_IMAGE_NAME }}
 tags: |
@@ -49,7 +49,7 @@ jobs:
 context: workflow
 - name: build and push image
- uses: docker/build-push-action@v5.3.0
+ uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
 with:
 context: .
 file: ./environment/prod/app/Dockerfile
@@ -61,7 +61,7 @@ jobs:
 cache-to: type=gha, ref=${{ env.DOCKER_IMAGE_NAME }}-prod-build-cache, mode=max
 - name: copy files via ssh
- uses: appleboy/scp-action@v0.1.7
+ uses: appleboy/scp-action@917f8b81dfc1ccd331fef9e2d61bdc6c8be94634 # v0.1.7
 with:
 timeout: 10s
 command_timeout: 10m
@@ -74,7 +74,7 @@ jobs:
 target: ${{ secrets.TOBY_VPS_LIVE_APP_PATH }}
 rm: true
- - uses: appleboy/ssh-action@v1.0.3
+ - uses: appleboy/ssh-action@029f5b4aeeeb58fdfe1410a5d17f967dacf36262 # v1.0.3
 with:
 timeout: 10s
 command_timeout: 10m
diff --git a/.github/workflows/run-command-on-beta.yml b/.github/workflows/run-command-on-beta.yml
index 9836e1a1..46a1507c 100644
--- a/.github/workflows/run-command-on-beta.yml
+++ b/.github/workflows/run-command-on-beta.yml
@@ -15,7 +15,7 @@ jobs:
 runs-on: ubuntu-22.04
 steps:
 - name: run php artisan command
- uses: appleboy/ssh-action@v1.0.3
+ uses: appleboy/ssh-action@029f5b4aeeeb58fdfe1410a5d17f967dacf36262 # v1.0.3
 with:
 timeout: 10s
 command_timeout: 10m
diff --git a/.github/workflows/test-and-lint-js.yml b/.github/workflows/test-and-lint-js.yml
index c008f458..f689244a 100644
--- a/.github/workflows/test-and-lint-js.yml
+++ b/.github/workflows/test-and-lint-js.yml
@@ -23,17 +23,17 @@ jobs:
 runs-on: ubuntu-22.04
 steps:
- - uses: actions/checkout@v4.1.2
+ - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 - name: Cache dependencies
- uses: actions/cache@v4.0.2
+ uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 with:
 path: node_modules
 key: ${{ runner.os }}-npm-dependencies-${{ hashFiles('package.lock') }}
 restore-keys: ${{ runner.os }}-npm-dependencies
 - name: Set up node
- uses: actions/setup-node@v4.0.2
+ uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
 with:
 node-version: 22
diff --git a/.github/workflows/test-and-lint-php.yml b/.github/workflows/test-and-lint-php.yml
index f1b0ed2d..e5e41bae 100644
--- a/.github/workflows/test-and-lint-php.yml
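Review bot: The `- uses: appleboy/ssh-action@…` step in the `@@ -74,7` hunk of deploy-to-prod.yml has no `name:`, unlike its counterpart in deploy-to-beta-manually.yml (`- name: run deployment script over ssh`), so the production deployment step shows up in the run log only as the raw action reference and SHA. Add `- name: run deployment script over ssh` above the `uses:` line for parity with the beta workflow. The step's `with:` block continues past the end of the hunk.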
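Review bot: The cache `key:` in the test-and-lint-js.yml hunk hashes `package.lock`, which is not the lockfile npm writes (`package-lock.json`); if no file by that name exists in the repository, `hashFiles` returns an empty string, the key collapses to `${{ runner.os }}-npm-dependencies-` and the cached `node_modules` is never invalidated when dependencies change, so tests may run against stale packages. Pinning `actions/cache` by SHA does not affect this. If the lockfile is indeed `package-lock.json`, the fix is `key: ${{ runner.os }}-npm-dependencies-${{ hashFiles('package-lock.json') }}`, mirroring how the PHP workflow hashes `composer.lock`.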
+++ b/.github/workflows/test-and-lint-php.yml
@@ -24,7 +24,7 @@ jobs:
 runs-on: ubuntu-22.04
 services:
 pgsql:
- image: postgres:15
+ image: postgres:15@sha256:4b4da96c37fefd6f28c3f58e7470bbc6d2cb34ac5641b9df7221d962eb4bc55d
 env:
 POSTGRES_DB: toby
 POSTGRES_USER: toby
@@ -34,20 +34,20 @@ jobs:
 - 5432:5432
 steps:
- - uses: actions/checkout@v4.1.2
+ - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 - name: Validate composer.json and composer.lock
 run: composer validate
 - name: Cache dependencies
- uses: actions/cache@v4.0.2
+ uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 with:
 path: vendor
 key: ${{ runner.os }}-composer-dependencies-${{ hashFiles('composer.lock') }}
 restore-keys: ${{ runner.os }}-composer-dependencies
 - name: Setup PHP
- uses: shivammathur/setup-php@2.30.4
+ uses: shivammathur/setup-php@c665c7a15b5295c2488ac8a87af9cb806cd72198 # 2.30.4
 with:
 php-version: 8.3
 extensions: dom, curl, libxml, mbstring, zip, pcntl, pdo, pdo_pgsql, intl, gd
diff --git a/docker-compose.yml b/docker-compose.yml
index df62a59e..bab7bc2e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -38,7 +38,7 @@ services:
 condition: service_healthy
 database:
- image: postgres:15
+ image: postgres:15@sha256:4b4da96c37fefd6f28c3f58e7470bbc6d2cb34ac5641b9df7221d962eb4bc55d
 container_name: toby-db-dev
 environment:
 - PGPASSWORD=${DOCKER_DEV_DB_ROOT_PASSWORD}
@@ -59,7 +59,7 @@ services:
 restart: unless-stopped
 redis:
- image: redis:7.0-alpine3.16
+ image: redis:7.0-alpine3.16@sha256:2700d5097763fda285c463f4eefc3d0730a2df2a9d48e66707b19d5a5e5f23d4
 container_name: toby-redis-dev
 healthcheck:
 test: [ "CMD-SHELL", "redis-cli ping | grep PONG" ]
@@ -75,7 +75,7 @@ services:
 restart: unless-stopped
 mailpit:
- image: axllent/mailpit:v1.9
+ image: axllent/mailpit:v1.9@sha256:47b6dbbae83e523b407f47ddf93f71ba71e75554ddb4c255d81f3b9b8487103e
 container_name: toby-mailpit-dev
 labels:
 - "traefik.enable=true"
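Review bot: `php-version: 8.3` in the `@@ -34,20` hunk of test-and-lint-php.yml is a plain scalar that YAML reads as the float 8.3; it round-trips to the string "8.3" for this value, but a future `8.10` would reach setup-php as `8.1`. Quote it as `php-version: "8.3"` so the version is always passed as written. The `postgres:15@sha256:…` digest introduced two hunks earlier is now repeated verbatim in four files (this workflow, docker-compose.yml, docker-compose.beta.yml, docker-compose.prod.yml); unless a Dependabot `docker` or Renovate configuration tracks them, the copies will drift at the next refresh.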
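Review bot: `- PGPASSWORD=${DOCKER_DEV_DB_ROOT_PASSWORD}` on the context line under the new image pin in docker-compose.yml has no `:?` guard, whereas the beta and prod compose files in this same commit use `${…:? variable … not set}`, so an unset variable here silently yields an empty password instead of stopping `docker compose up`. The exposure is limited to the dev stack, but the same guard keeps the three files consistent: `- PGPASSWORD=${DOCKER_DEV_DB_ROOT_PASSWORD:? variable DOCKER_DEV_DB_ROOT_PASSWORD not set}`. Also worth confirming that each digest added in this file is the manifest-list digest rather than a single-platform image digest; a platform-specific digest still pulls on other architectures but with a platform-mismatch warning, which is a noticeable regression for developers on arm64 machines.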
@@ -99,7 +99,7 @@ services:
 restart: unless-stopped
 selenium:
- image: selenium/standalone-chrome
+ image: selenium/standalone-chrome@sha256:f0037767d53479c9c7c7126a84135a06ba38748e0d47b9efca865c82d4345c38
 container_name: toby-selenium-dev
 volumes:
 - /dev/shm:/dev/shm
diff --git a/environment/dev/app/Dockerfile b/environment/dev/app/Dockerfile
index 5bd1eb78..260c2a8d 100644
--- a/environment/dev/app/Dockerfile
+++ b/environment/dev/app/Dockerfile
@@ -4,7 +4,7 @@ ARG PHP_MODULE_NAME=php${PHP_VERSION}
 # https://github.com/nginx/unit/tags
 ARG UNIT_VERSION=1.31.1-1
-FROM alpine:3.19.0 as secops-tools
+FROM alpine:3.19.0@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48 as secops-tools
 # https://github.com/FiloSottile/age/releases
 ARG AGE_VERSION="1.1.1"
@@ -20,10 +20,10 @@ RUN wget --output-document age.tar.gz "https://github.com/FiloSottile/age/releas
 && chmod +x /usr/local/bin/sops
 # https://hub.docker.com/r/composer/composer
-FROM composer/composer:2.7.4-bin as composer-bin
+FROM composer/composer:2.7.4-bin@sha256:d75832c5b2b08ced21d724948cd30674c06b400ca2768eeb5934a3682e690b58 as composer-bin
 # https://hub.docker.com/_/node
-FROM node:22.1.0-bullseye-slim as node
+FROM node:22.1.0-bullseye-slim@sha256:d5a435ce3230983b4d359cdc79341fd0b3482aeb445f2fbc04d0e23ecb211dd4 as node
 FROM php:${PHP_VERSION}-cli-bullseye as unit-modules-builder
diff --git a/environment/prod/app/Dockerfile b/environment/prod/app/Dockerfile
index 01b6838e..be0f6b9a 100644
--- a/environment/prod/app/Dockerfile
+++ b/environment/prod/app/Dockerfile
@@ -5,7 +5,7 @@ ARG PHP_MODULE_NAME=php${PHP_VERSION}
 ARG UNIT_VERSION=1.31.1-1
 ### PHP DEPENDENCIES ###
-FROM composer:2.7.4 as vendor
+FROM composer:2.7.4@sha256:ee4676ef56f97c82f11b421717386bcf9353a53bee9276c414ad80a0a4dc0e02 as vendor
 WORKDIR /app_composer_dependencies
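Review bot: `image: selenium/standalone-chrome@sha256:…` in the docker-compose.yml `@@ -99,7` hunk carries no tag at all: the old line relied on the implicit `latest` and the new one has only a digest, so nothing in the file records which Selenium release the digest was resolved from, and digest-refresh tooling (Renovate, Dependabot's docker ecosystem) has no tag to follow. Every other image in this commit keeps its tag in front of the digest; write this one the same way, `image: selenium/standalone-chrome:<RELEASE_TAG>@sha256:f0037767d53479c9c7c7126a84135a06ba38748e0d47b9efca865c82d4345c38`, where `<RELEASE_TAG>` is a placeholder for the tag the digest was taken from.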
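Review bot: `FROM php:${PHP_VERSION}-cli-bullseye as unit-modules-builder` in the environment/dev/app/Dockerfile `@@ -20,10` hunk is the one base image left unpinned while the composer and node stages directly above it gain digests, which leaves the stage that builds the PHP modules on a mutable tag. Because the tag is built from a build arg, the digest needs a companion arg, e.g. `ARG PHP_IMAGE_DIGEST` near the top and `FROM php:${PHP_VERSION}-cli-bullseye@${PHP_IMAGE_DIGEST} as unit-modules-builder` (the digest value itself is not shown anywhere in this diff and would have to be resolved). Separately, every `FROM … as …` line in both Dockerfiles mixes uppercase `FROM` with lowercase `as`; BuildKit's linter reports this as FromAsCasing, so `AS` would be the consistent form. The `RUN wget … age.tar.gz` that opens this hunk starts above it, so whether those downloads are checksum-verified cannot be judged from the diff.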
@@ -20,7 +20,7 @@ RUN composer install \
 --ignore-platform-reqs
 ### FRONTEND ###
-FROM node:22.1.0-bullseye-slim as frontend
+FROM node:22.1.0-bullseye-slim@sha256:d5a435ce3230983b4d359cdc79341fd0b3482aeb445f2fbc04d0e23ecb211dd4 as frontend
 WORKDIR /app_frontend_dependencies
diff --git a/environment/prod/deployment/beta/docker-compose.beta.yml b/environment/prod/deployment/beta/docker-compose.beta.yml
index f449e1c2..e051b719 100644
--- a/environment/prod/deployment/beta/docker-compose.beta.yml
+++ b/environment/prod/deployment/beta/docker-compose.beta.yml
@@ -46,7 +46,7 @@ services:
 - .deployment
 toby-beta-database:
- image: postgres:15
+ image: postgres:15@sha256:4b4da96c37fefd6f28c3f58e7470bbc6d2cb34ac5641b9df7221d962eb4bc55d
 container_name: toby-beta-database
 environment:
 - PGPASSWORD=${DOCKER_TOBY_BETA_DB_ROOT_PASSWORD:? variable DOCKER_TOBY_BETA_DB_ROOT_PASSWORD not set}
@@ -65,7 +65,7 @@ services:
 restart: unless-stopped
 toby-beta-redis:
- image: redis:7.0-alpine3.16
+ image: redis:7.0-alpine3.16@sha256:2700d5097763fda285c463f4eefc3d0730a2df2a9d48e66707b19d5a5e5f23d4
 container_name: toby-beta-redis
 healthcheck:
 test: [ "CMD-SHELL", "redis-cli ping | grep PONG" ]
diff --git a/environment/prod/deployment/prod/docker-compose.prod.yml b/environment/prod/deployment/prod/docker-compose.prod.yml
index a603741c..d1db3718 100644
--- a/environment/prod/deployment/prod/docker-compose.prod.yml
+++ b/environment/prod/deployment/prod/docker-compose.prod.yml
@@ -50,7 +50,7 @@ services:
 - .deployment
 toby-prod-database:
- image: postgres:15
+ image: postgres:15@sha256:4b4da96c37fefd6f28c3f58e7470bbc6d2cb34ac5641b9df7221d962eb4bc55d
 container_name: toby-prod-database
 environment:
 - PGPASSWORD=${DOCKER_TOBY_PROD_DB_ROOT_PASSWORD:? variable DOCKER_TOBY_PROD_DB_ROOT_PASSWORD not set}
@@ -69,7 +69,7 @@ services:
 restart: unless-stopped
 toby-prod-redis:
- image: redis:7.0-alpine3.16
+ image: redis:7.0-alpine3.16@sha256:2700d5097763fda285c463f4eefc3d0730a2df2a9d48e66707b19d5a5e5f23d4
 container_name: toby-prod-redis
 healthcheck:
 test: [ "CMD-SHELL", "redis-cli ping | grep PONG" ]
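Review bot: The digest on the new `image:` line freezes `redis:7.0-alpine3.16` for the production Redis, and the `alpine3.16` base is at the end of its support window (Alpine 3.16 security support ended in May 2024 per the Alpine release schedule; worth confirming against it), so pinning makes permanent a base that no longer receives package fixes. The same image line is pinned in docker-compose.yml and docker-compose.beta.yml in this commit, so all three should move together when the digest is next refreshed. Since a digest pin makes the tag informational only, the tag should be bumped to a supported Alpine release at that point rather than only re-resolving the same tag.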