diff --git a/.github/workflows/check-pr-title.yml b/.github/workflows/check-pr-title.yml
index 4b1c75e6..9d6afcff 100644
--- a/.github/workflows/check-pr-title.yml
+++ b/.github/workflows/check-pr-title.yml
@@ -16,4 +16,4 @@ jobs:
 runs-on: ubuntu-22.04
 steps:
- - uses: blumilksoftware/action-pr-title@v1.2.0
+ - uses: blumilksoftware/action-pr-title@e05fc76a1cc45b33644f1de51218be43ac121dd0 # v1.2.0
diff --git a/.github/workflows/deploy-to-beta-manually.yml b/.github/workflows/deploy-to-beta-manually.yml
index 063c200f..c3ced7c1 100644
--- a/.github/workflows/deploy-to-beta-manually.yml
+++ b/.github/workflows/deploy-to-beta-manually.yml
@@ -37,10 +37,10 @@ jobs:
 run: echo "DEPLOYMENT_PROJECT_VERSION=$(bash ./environment/prod/deployment/scripts/version.sh --long)" >> $GITHUB_ENV
 - name: set up Docker Buildx
- uses: docker/setup-buildx-action@v3.3.0
+ uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 - name: login to GitHub Container Registry
- uses: docker/login-action@v3.1.0
+ uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
 with:
 registry: ${{ env.DOCKER_REGISTRY }}
 username: ${{ env.DOCKER_REGISTRY_USER_NAME }}
@@ -51,14 +51,14 @@ jobs:
 - name: Docker meta
 id: meta
- uses: docker/metadata-action@v5.5.1
+ uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
 with:
 images: ${{ env.DOCKER_IMAGE_NAME }}
 tags: type=raw,value=beta
 context: git
 - name: build and push image
- uses: docker/build-push-action@v5.3.0
+ uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
 with:
 context: .
 file: ./environment/prod/app/Dockerfile
@@ -70,7 +70,7 @@ jobs:
 cache-to: type=gha, ref=${{ env.DOCKER_IMAGE_NAME }}-beta-build-cache, mode=max
 - name: copy files via ssh
- uses: appleboy/scp-action@v0.1.7
+ uses: appleboy/scp-action@917f8b81dfc1ccd331fef9e2d61bdc6c8be94634 # v0.1.7
 with:
 timeout: 10s
 command_timeout: 10m
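Review bot: In deploy-to-beta-manually.yml, the `with:` block of the `copy files via ssh` step shows only `timeout` and `command_timeout` inside the hunk and continues outside it, so this diff does not show whether the `fingerprint` input is set; when it is absent, appleboy/scp-action and appleboy/ssh-action connect without checking the server's host key. Pinning the action to a commit fixes which action code runs, but it does not authenticate the deployment target. If the input is missing, add `fingerprint: ${{ secrets.<HOST_KEY_FINGERPRINT> }}` (placeholder secret name) to this step, to the scp step in deploy-to-prod.yml, and to the appleboy/ssh-action steps in deploy-to-beta-manually.yml, deploy-to-prod.yml and run-command-on-beta.yml.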
@@ -84,7 +84,7 @@ jobs:
 rm: true
 - name: run deployment script over ssh
- uses: appleboy/ssh-action@v1.0.3
+ uses: appleboy/ssh-action@029f5b4aeeeb58fdfe1410a5d17f967dacf36262 # v1.0.3
 with:
 timeout: 10s
 command_timeout: 10m
diff --git a/.github/workflows/deploy-to-prod.yml b/.github/workflows/deploy-to-prod.yml
index c9deaeb3..ecfc4623 100644
--- a/.github/workflows/deploy-to-prod.yml
+++ b/.github/workflows/deploy-to-prod.yml
@@ -26,10 +26,10 @@ jobs:
 run: echo "DEPLOYMENT_PROJECT_VERSION=$(bash ./environment/prod/deployment/scripts/version.sh --long)" >> $GITHUB_ENV
 - name: set up Docker Buildx
- uses: docker/setup-buildx-action@v3.3.0
+ uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 - name: login to GitHub Container Registry
- uses: docker/login-action@v3.1.0
+ uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
 with:
 registry: ${{ env.DOCKER_REGISTRY }}
 username: ${{ env.DOCKER_REGISTRY_USER_NAME }}
@@ -40,7 +40,7 @@ jobs:
 - name: Docker meta
 id: meta
- uses: docker/metadata-action@v5.5.1
+ uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
 with:
 images: ${{ env.DOCKER_IMAGE_NAME }}
 tags: |
@@ -49,7 +49,7 @@ jobs:
 context: workflow
 - name: build and push image
- uses: docker/build-push-action@v5.3.0
+ uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
 with:
 context: .
 file: ./environment/prod/app/Dockerfile
@@ -61,7 +61,7 @@ jobs:
 cache-to: type=gha, ref=${{ env.DOCKER_IMAGE_NAME }}-prod-build-cache, mode=max
 - name: copy files via ssh
- uses: appleboy/scp-action@v0.1.7
+ uses: appleboy/scp-action@917f8b81dfc1ccd331fef9e2d61bdc6c8be94634 # v0.1.7
 with:
 timeout: 10s
 command_timeout: 10m
@@ -74,7 +74,7 @@ jobs:
 target: ${{ secrets.TOBY_VPS_LIVE_APP_PATH }}
 rm: true
- - uses: appleboy/ssh-action@v1.0.3
+ - uses: appleboy/ssh-action@029f5b4aeeeb58fdfe1410a5d17f967dacf36262 # v1.0.3
 with:
 timeout: 10s
 command_timeout: 10m
diff --git a/.github/workflows/run-command-on-beta.yml b/.github/workflows/run-command-on-beta.yml
index 9836e1a1..46a1507c 100644
--- a/.github/workflows/run-command-on-beta.yml
+++ b/.github/workflows/run-command-on-beta.yml
@@ -15,7 +15,7 @@ jobs:
 runs-on: ubuntu-22.04
 steps:
 - name: run php artisan command
- uses: appleboy/ssh-action@v1.0.3
+ uses: appleboy/ssh-action@029f5b4aeeeb58fdfe1410a5d17f967dacf36262 # v1.0.3
 with:
 timeout: 10s
 command_timeout: 10m
diff --git a/.github/workflows/test-and-lint-js.yml b/.github/workflows/test-and-lint-js.yml
index 33898381..8722ea40 100644
--- a/.github/workflows/test-and-lint-js.yml
+++ b/.github/workflows/test-and-lint-js.yml
@@ -26,14 +26,14 @@ jobs:
 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 - name: Cache dependencies
- uses: actions/cache@v4.0.2
+ uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 with:
 path: node_modules
 key: ${{ runner.os }}-npm-dependencies-${{ hashFiles('package.lock') }}
 restore-keys: ${{ runner.os }}-npm-dependencies
 - name: Set up node
- uses: actions/setup-node@v4.0.2
+ uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
 with:
 node-version: 22
diff --git a/.github/workflows/test-and-lint-php.yml b/.github/workflows/test-and-lint-php.yml
index c8c1dad9..2ca98d94 100644
--- a/.github/workflows/test-and-lint-php.yml
+++ b/.github/workflows/test-and-lint-php.yml
@@ -24,7 +24,7 @@ jobs:
 runs-on: ubuntu-22.04
 services:
 pgsql:
- image: postgres:15
+ image: postgres:15@sha256:4b4da96c37fefd6f28c3f58e7470bbc6d2cb34ac5641b9df7221d962eb4bc55d
 env:
 POSTGRES_DB: toby
 POSTGRES_USER: toby
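Review bot: In test-and-lint-js.yml, the `Cache dependencies` step keys the cache on `hashFiles('package.lock')`, which is not the name npm gives its lockfile (`package-lock.json`). If no file called `package.lock` exists in the repository, `hashFiles` returns an empty string, the key never changes, and `node_modules` keeps being restored from an old cache even after the locked dependencies change. That undercuts the pinning done in this commit, because the job can run against packages the current lockfile does not describe. Suggested line: `key: ${{ runner.os }}-npm-dependencies-${{ hashFiles('package-lock.json') }}`. The step list continues outside the hunk, so whether a later install step replaces the restored directory is not visible here.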
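Review bot: In test-and-lint-php.yml, pinning the `pgsql` service to `postgres:15@sha256:…` stops the floating tag from delivering PostgreSQL minor releases and base-image fixes, and nothing in this diff adds a job or bot configuration that refreshes the digest. The same holds for the `postgres:15@sha256:…` and `redis:7.0-alpine3.16@sha256:…` lines in docker-compose.yml, docker-compose.beta.yml and docker-compose.prod.yml, where it matters more because those services hold real data. If no automated digest-update rule (Renovate or Dependabot, for example) exists elsewhere in the repository, add one together with this change. Writing the exact release in the tag, `postgres:15.<minor>@sha256:<digest>` (placeholders), would also let a reader see which version a digest stands for.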
@@ -40,14 +40,14 @@ jobs:
 run: composer validate
 - name: Cache dependencies
- uses: actions/cache@v4.0.2
+ uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
 with:
 path: vendor
 key: ${{ runner.os }}-composer-dependencies-${{ hashFiles('composer.lock') }}
 restore-keys: ${{ runner.os }}-composer-dependencies
 - name: Setup PHP
- uses: shivammathur/setup-php@2.30.4
+ uses: shivammathur/setup-php@c665c7a15b5295c2488ac8a87af9cb806cd72198 # 2.30.4
 with:
 php-version: 8.3
 extensions: dom, curl, libxml, mbstring, zip, pcntl, pdo, pdo_pgsql, intl, gd
diff --git a/docker-compose.yml b/docker-compose.yml
index 672b6e49..9fb29a66 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -38,7 +38,7 @@ services:
 condition: service_healthy
 database:
- image: postgres:15
+ image: postgres:15@sha256:4b4da96c37fefd6f28c3f58e7470bbc6d2cb34ac5641b9df7221d962eb4bc55d
 container_name: toby-db-dev
 environment:
 - PGPASSWORD=${DOCKER_DEV_DB_ROOT_PASSWORD}
@@ -59,7 +59,7 @@ services:
 restart: unless-stopped
 redis:
- image: redis:7.0-alpine3.16
+ image: redis:7.0-alpine3.16@sha256:2700d5097763fda285c463f4eefc3d0730a2df2a9d48e66707b19d5a5e5f23d4
 container_name: toby-redis-dev
 healthcheck:
 test: [ "CMD-SHELL", "redis-cli ping | grep PONG" ]
@@ -99,7 +99,7 @@ services:
 restart: unless-stopped
 selenium:
- image: selenium/standalone-chrome
+ image: selenium/standalone-chrome@sha256:f0037767d53479c9c7c7126a84135a06ba38748e0d47b9efca865c82d4345c38
 container_name: toby-selenium-dev
 volumes:
 - /dev/shm:/dev/shm
diff --git a/environment/prod/deployment/beta/docker-compose.beta.yml b/environment/prod/deployment/beta/docker-compose.beta.yml
index f449e1c2..e051b719 100644
--- a/environment/prod/deployment/beta/docker-compose.beta.yml
+++ b/environment/prod/deployment/beta/docker-compose.beta.yml
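Review bot: In docker-compose.yml, the new `image:` line of the `selenium` service carries a digest but no tag, so neither a reader nor an update tool can tell which Selenium/Chrome release is pinned or how old it is. The other images in this commit keep their tag in front of the digest. Write it as `image: selenium/standalone-chrome:<tag>@sha256:<digest>` (placeholders), using the tag the digest was resolved from and keeping the digest already on the line. The `selenium` service definition continues outside the hunk.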
@@ -46,7 +46,7 @@ services:
 - .deployment
 toby-beta-database:
- image: postgres:15
+ image: postgres:15@sha256:4b4da96c37fefd6f28c3f58e7470bbc6d2cb34ac5641b9df7221d962eb4bc55d
 container_name: toby-beta-database
 environment:
 - PGPASSWORD=${DOCKER_TOBY_BETA_DB_ROOT_PASSWORD:? variable DOCKER_TOBY_BETA_DB_ROOT_PASSWORD not set}
@@ -65,7 +65,7 @@ services:
 restart: unless-stopped
 toby-beta-redis:
- image: redis:7.0-alpine3.16
+ image: redis:7.0-alpine3.16@sha256:2700d5097763fda285c463f4eefc3d0730a2df2a9d48e66707b19d5a5e5f23d4
 container_name: toby-beta-redis
 healthcheck:
 test: [ "CMD-SHELL", "redis-cli ping | grep PONG" ]
diff --git a/environment/prod/deployment/prod/docker-compose.prod.yml b/environment/prod/deployment/prod/docker-compose.prod.yml
index a603741c..d1db3718 100644
--- a/environment/prod/deployment/prod/docker-compose.prod.yml
+++ b/environment/prod/deployment/prod/docker-compose.prod.yml
@@ -50,7 +50,7 @@ services:
 - .deployment
 toby-prod-database:
- image: postgres:15
+ image: postgres:15@sha256:4b4da96c37fefd6f28c3f58e7470bbc6d2cb34ac5641b9df7221d962eb4bc55d
 container_name: toby-prod-database
 environment:
 - PGPASSWORD=${DOCKER_TOBY_PROD_DB_ROOT_PASSWORD:? variable DOCKER_TOBY_PROD_DB_ROOT_PASSWORD not set}
@@ -69,7 +69,7 @@ services:
 restart: unless-stopped
 toby-prod-redis:
- image: redis:7.0-alpine3.16
+ image: redis:7.0-alpine3.16@sha256:2700d5097763fda285c463f4eefc3d0730a2df2a9d48e66707b19d5a5e5f23d4
 container_name: toby-prod-redis
 healthcheck:
 test: [ "CMD-SHELL", "redis-cli ping | grep PONG" ]