Pin dependencies

.github/workflows/00_anchore.yml

@@ -35,20 +35,20 @@ jobs:
  runs-on: ubuntu-latest
  steps:
  - name: Checkout the code
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 
  - name: Build the Docker image
  run: docker build . --file ${{ env.DOCKERFILE }} --tag localbuild/testimage:latest --build-arg APP_NAME=fdr-technicalsupport --build-arg QUARKUS_PROFILE=prod
 
  - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
- uses: anchore/scan-action@v3
+ uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3
  with:
  image: "localbuild/testimage:latest"
  acs-report-enable: true
  fail-build: false
  severity-cutoff: "high"
  - name: Upload Anchore Scan Report
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@083cd45dc7d463f048a5d0975943f0e19e9c9378 # v2
  if: always()
  with:
  sarif_file: results.sarif

.github/workflows/01_add_patch_label.yml

@@ -19,7 +19,7 @@ jobs:
  steps:
  - name: Check user labels
  id: check_user_labels
- uses: actions/[email protected]
+ uses: actions/github-script@d556feaca394842dc55e4734bf3bb9f685482fa0 # v6.3.3
  with:
  github-token: ${{ secrets.GITHUB_TOKEN }}
  script: |
@@ -48,7 +48,7 @@ jobs:
 
  - name: Add comment
  if: ${{ steps.check_user_labels.outputs.result == 'true' }}
- uses: actions/[email protected]
+ uses: actions/github-script@d556feaca394842dc55e4734bf3bb9f685482fa0 # v6.3.3
  with:
  github-token: ${{ secrets.GITHUB_TOKEN }}
  script: |

.github/workflows/01_assignee.yml

@@ -21,6 +21,6 @@ jobs:
  steps:
  - name: Assign Me
  # You may pin to the exact commit or the version.
- uses: kentaro-m/[email protected]
+ uses: kentaro-m/auto-assign-action@746a3a558fdd0e061f612ec9f8ff1b8a19c1a115 # v1.2.1
  with:
  configuration-path: '.github/auto_assign.yml'

.github/workflows/02_check_pr.yml

@@ -24,7 +24,7 @@ jobs:
  steps:
  - name: Assign Me
  # You may pin to the exact commit or the version.
- uses: kentaro-m/[email protected]
+ uses: kentaro-m/auto-assign-action@746a3a558fdd0e061f612ec9f8ff1b8a19c1a115 # v1.2.1
  with:
  configuration-path: '.github/auto_assign.yml'
 
@@ -37,7 +37,7 @@ jobs:
  steps:
  - name: Verify PR Labels
  if: ${{ !contains(github.event.pull_request.labels.*.name, 'breaking-change') && !contains(github.event.pull_request.labels.*.name, 'new-release') && !contains(github.event.pull_request.labels.*.name, 'ignore-for-release') }}
- uses: actions/[email protected]
+ uses: actions/github-script@d556feaca394842dc55e4734bf3bb9f685482fa0 # v6.3.3
  with:
  github-token: ${{ secrets.GITHUB_TOKEN }}
  script: |
@@ -70,15 +70,15 @@ jobs:
  runs-on: ubuntu-latest
  steps:
  - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
  - name: Formatting
  id: format
  continue-on-error: true
  uses: axel-op/googlejavaformat-action@v3
  with:
  args: "--set-exit-if-changed"
 
- - uses: actions/[email protected]
+ - uses: actions/github-script@d556feaca394842dc55e4734bf3bb9f685482fa0 # v6.3.3
  if: steps.format.outcome != 'success'
  with:
  github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/03_code_review.yml

@@ -30,7 +30,7 @@ jobs:
  # Steps represent a sequence of tasks that will be executed as part of the job
  steps:
  - name: Code Review
- uses: pagopa/github-actions-template/[email protected]
+ uses: pagopa/github-actions-template/maven-code-review@de4ca1ddefb1461c176cc42259e494158b578fe3 # v1.8.3
  with:
  github_token: ${{ secrets.GITHUB_TOKEN }}
  sonar_token: ${{ secrets.SONAR_TOKEN }}

.github/workflows/04_release_deploy.yml

@@ -83,7 +83,7 @@ jobs:
  steps:
  - name: Make Release
  id: release
- uses: pagopa/github-actions-template/[email protected]
+ uses: pagopa/github-actions-template/maven-release@d91a1fd0b913c9830589be5d86cdb71c90813fae # v1.5.4
  with:
  semver: ${{ needs.setup.outputs.semver }}
  github_token: ${{ secrets.BOT_TOKEN_GITHUB }}
@@ -98,7 +98,7 @@ jobs:
  steps:
  - name: Build and Push
  id: semver
- uses: pagopa/github-actions-template/[email protected]
+ uses: pagopa/github-actions-template/ghcr-build-push@d91a1fd0b913c9830589be5d86cdb71c90813fae # v1.5.4
  with:
  branch: ${{ github.ref_name}}
  github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -125,7 +125,7 @@ jobs:
  steps:
  - name: Report Status
  if: always()
- uses: ravsamhq/notify-slack-action@v2
+ uses: ravsamhq/notify-slack-action@be814b201e233b2dc673608aa46e5447c8ab13f2 # v2
  with:
  status: ${{ needs.deploy_aks.result }}
  token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/05_update_code.yml

@@ -17,7 +17,7 @@ jobs:
  if: ${{ contains(github.event.comment.body, 'update_code') }}
  steps:
  - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
  with:
  token: ${{ secrets.API_TOKEN_GITHUB }}
 
@@ -26,7 +26,7 @@ jobs:
  env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  - name: Set up JDK 11
- uses: actions/setup-java@v1
+ uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1
  with:
  java-version: 11
 
@@ -43,7 +43,7 @@ jobs:
  if: ${{ always() && contains(needs.*.result, 'failure') }}
  steps:
  - name: Notify if Failure
- uses: actions/[email protected]
+ uses: actions/github-script@d556feaca394842dc55e4734bf3bb9f685482fa0 # v6.3.3
  with:
  github-token: ${{ secrets.GITHUB_TOKEN }}
  script: |

Dockerfile

@@ -1,5 +1,5 @@
 ## Stage 1 : build with maven builder image with native capabilities
-FROM quay.io/quarkus/ubi-quarkus-graalvmce-builder-image:22.3-java17 AS build
+FROM quay.io/quarkus/ubi-quarkus-graalvmce-builder-image:22.3-java17@sha256:ef2deded4d54bb9e28983eeee092d8a221664fa0869a4ce9d3e5a4eaeeadc82e AS build
 COPY --chown=quarkus:quarkus mvnw /code/mvnw
 COPY --chown=quarkus:quarkus .mvn /code/.mvn
 COPY --chown=quarkus:quarkus pom.xml /code/
@@ -12,7 +12,7 @@ ARG APP_NAME
 
 RUN ./mvnw package -DskipTests=true -Dquarkus.application.name=$APP_NAME -Dquarkus.profile=$QUARKUS_PROFILE
 
-FROM registry.access.redhat.com/ubi8/openjdk-17:1.14
+FROM registry.access.redhat.com/ubi8/openjdk-17:1.14@sha256:79585ca02551ecff9d368905d7ce387232b9fd328256e7a715ae3c4ec7b086d3
 
 ENV LANGUAGE='en_US:en'
 

docker/docker-compose.yml

@@ -2,7 +2,7 @@ version: '3.8'
 
 services:
  elasticsearch:
- image: docker.elastic.co/elasticsearch/elasticsearch:8.6.2
+ image: docker.elastic.co/elasticsearch/elasticsearch:8.6.2@sha256:1c53c89d04f207beb99d56cc4a1cc23516bd9c386858843d5082a98257c04d1c
  ports:
  - "9200:9200"
  - "9300:9300"
@@ -15,7 +15,7 @@ services:
  - infra
 
  kibana:
- image: docker.elastic.co/kibana/kibana:8.6.2
+ image: docker.elastic.co/kibana/kibana:8.6.2@sha256:7157c399f97acddf3297501d5af66097d57be67d27d62f810bcbdd11785a39b8
  ports:
  - "5601:5601"
  networks:
@@ -25,7 +25,7 @@ services:
 
  alertmanager:
  hostname: alertmanager
- image: prom/alertmanager
+ image: prom/alertmanager@sha256:e13b6ed5cb929eeaee733479dce55e10eb3bc2e9c4586c705a4e8da41e5eacf5
  volumes:
  - ${PWD}/alertmanager/alertmanager.conf:/etc/alertmanager/alertmanager.conf
  command:
@@ -37,7 +37,7 @@ services:
 
  prometheus:
  hostname: prometheus
- image: prom/prometheus
+ image: prom/prometheus@sha256:f6639335d34a77d9d9db382b92eeb7fc00934be8eae81dbc03b31cfe90411a94
  volumes:
  - ${PWD}/prometheus/prometheus.yml:/etc/prometheus/prometheus.yml
  - ${PWD}/prometheus/alert_rules.yml:/etc/prometheus/alert_rules.yml
@@ -53,7 +53,7 @@ services:
 
  grafana:
  hostname: grafana
- image: grafana/grafana
+ image: grafana/grafana@sha256:464eac539793a183381ae198cb3bfcee137f17888ee192b8ac1ae2e867f72a9d
  volumes:
  - ${PWD}/grafana/grafana_datasources.yml:/etc/grafana/provisioning/datasources/all.yaml
  - ${PWD}/grafana/grafana_config.ini:/etc/grafana/config.ini
@@ -64,7 +64,7 @@ services:
  - infra
 
  jaeger-all-in-one:
- image: jaegertracing/all-in-one:latest
+ image: jaegertracing/all-in-one:latest@sha256:836e9b69c88afbedf7683ea7162e179de63b1f981662e83f5ebb68badadc710f
  ports:
  - "16686:16686"
  - "14268:14268"
@@ -73,7 +73,7 @@ services:
  - infra
 
  otel-collector:
- image: otel/opentelemetry-collector:latest
+ image: otel/opentelemetry-collector:latest@sha256:7020db3692a3d722fec002f39608ffe3a5d2fa4d09e14607cf33b9416f2c1df8
  command: [ "--config=/etc/otel-collector-config.yaml" ]
  volumes:
  - ${PWD}/otel-collector/otel-collector-config.yaml:/etc/otel-collector-config.yaml:Z

src/main/docker/Dockerfile.jvm

@@ -75,7 +75,7 @@
 # accessed directly. (example: "foo.example.com,bar.example.com")
 #
 ###
-FROM registry.access.redhat.com/ubi8/openjdk-17:1.14
+FROM registry.access.redhat.com/ubi8/openjdk-17:1.14@sha256:79585ca02551ecff9d368905d7ce387232b9fd328256e7a715ae3c4ec7b086d3
 
 ENV LANGUAGE='en_US:en'
 

src/main/docker/Dockerfile.legacy-jar

@@ -75,7 +75,7 @@
 # accessed directly. (example: "foo.example.com,bar.example.com")
 #
 ###
-FROM registry.access.redhat.com/ubi8/openjdk-17:1.14
+FROM registry.access.redhat.com/ubi8/openjdk-17:1.14@sha256:79585ca02551ecff9d368905d7ce387232b9fd328256e7a715ae3c4ec7b086d3
 
 ENV LANGUAGE='en_US:en'
 

src/main/docker/Dockerfile.multistage

@@ -1,5 +1,5 @@
 ## Stage 1 : build with maven builder image with native capabilities
-FROM quay.io/quarkus/ubi-quarkus-graalvmce-builder-image:22.3-java17 AS build
+FROM quay.io/quarkus/ubi-quarkus-graalvmce-builder-image:22.3-java17@sha256:ef2deded4d54bb9e28983eeee092d8a221664fa0869a4ce9d3e5a4eaeeadc82e AS build
 COPY --chown=quarkus:quarkus mvnw /code/mvnw
 COPY --chown=quarkus:quarkus .mvn /code/.mvn
 COPY --chown=quarkus:quarkus pom.xml /code/
@@ -12,7 +12,7 @@ ARG APP_NAME
 RUN ./mvnw package -Pnative -Dquarkus.application.name=$APP_NAME -Dquarkus.profile=$QUARKUS_PROFILE
 
 ## Stage 2 : create the docker final image
-FROM quay.io/quarkus/quarkus-micro-image:2.0
+FROM quay.io/quarkus/quarkus-micro-image:2.0@sha256:01b24ef15634428ca911d4159c86e98742278c288fdb9cead64cb81b1cac140b
 WORKDIR /work/
 COPY --from=build /code/target/*-runner /work/application
 

src/main/docker/Dockerfile.multistage.jvm

@@ -1,5 +1,5 @@
 ## Stage 1 : build with maven builder image with native capabilities
-FROM quay.io/quarkus/ubi-quarkus-graalvmce-builder-image:22.3-java17 AS build
+FROM quay.io/quarkus/ubi-quarkus-graalvmce-builder-image:22.3-java17@sha256:ef2deded4d54bb9e28983eeee092d8a221664fa0869a4ce9d3e5a4eaeeadc82e AS build
 COPY --chown=quarkus:quarkus mvnw /code/mvnw
 COPY --chown=quarkus:quarkus .mvn /code/.mvn
 COPY --chown=quarkus:quarkus pom.xml /code/
@@ -12,7 +12,7 @@ ARG APP_NAME
 
 RUN ./mvnw package -DskipTests=true -Dquarkus.application.name=$APP_NAME -Dquarkus.profile=$QUARKUS_PROFILE
 
-FROM registry.access.redhat.com/ubi8/openjdk-17:1.14
+FROM registry.access.redhat.com/ubi8/openjdk-17:1.14@sha256:79585ca02551ecff9d368905d7ce387232b9fd328256e7a715ae3c4ec7b086d3
 
 ENV LANGUAGE='en_US:en'
 

src/main/docker/Dockerfile.native

@@ -14,7 +14,7 @@
 # docker run -i --rm -p 8080:8080 quarkus/code-with-quarkus
 #
 ###
-FROM registry.access.redhat.com/ubi8/ubi-minimal:8.6
+FROM registry.access.redhat.com/ubi8/ubi-minimal:8.6@sha256:33931dce809712888d1a8061bfa676963f517daca993984afed3251bc1fb5987
 WORKDIR /work/
 RUN chown 1001 /work \
  && chmod "g+rwX" /work \

src/main/docker/Dockerfile.native-micro

@@ -17,7 +17,7 @@
 # docker run -i --rm -p 8080:8080 quarkus/code-with-quarkus
 #
 ###
-FROM quay.io/quarkus/quarkus-micro-image:2.0
+FROM quay.io/quarkus/quarkus-micro-image:2.0@sha256:01b24ef15634428ca911d4159c86e98742278c288fdb9cead64cb81b1cac140b
 WORKDIR /work/
 RUN chown 1001 /work \
  && chmod "g+rwX" /work \