diff --git a/.github/workflows/commit-lint.yaml b/.github/workflows/commit-lint.yaml
index e83fcf5..6657608 100644
--- a/.github/workflows/commit-lint.yaml
+++ b/.github/workflows/commit-lint.yaml
@@ -16,5 +16,5 @@ jobs:
name: commit-lint
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
- - uses: wagoid/commitlint-github-action@v6
\ No newline at end of file
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: wagoid/commitlint-github-action@3d28780bbf0365e29b144e272b2121204d5be5f3 # v6
\ No newline at end of file
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index e249f77..df44ea2 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -27,18 +27,18 @@ jobs:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: setup pages
- uses: actions/configure-pages@v5
+ uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
- name: setup python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5
with:
python-version: 3.x
- name: setup cache
run: |
echo "cache_id=$(date --utc '+%V')" >> $GITHUB_ENV
- name: handle cache
- uses: actions/cache@v4
+ uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4
with:
key: mkdocs-material-${{ env.cache_id }}
path: .cache
@@ -51,10 +51,10 @@ jobs:
run: |
mkdocs build
- name: upload artifact
- uses: actions/upload-pages-artifact@v3
+ uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
with:
# Upload entire repository
path: public/
- name: deploy to GitHub Pages
id: deployment
- uses: actions/deploy-pages@v4
+ uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index 462a83c..1c93159 100644
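Review bot: The new SHA pins on the two `uses:` lines only stay current if a bot refreshes them; the `# v4` / `# v6` trailers are the convention Dependabot and Renovate key on to bump a pinned SHA, so confirm the repository has a `github-actions` ecosystem entry in its Dependabot or Renovate config, otherwise these pins will silently age out of upstream fixes. The same applies to every pinned line in docs.yml, golangci-lint.yml, goreleaser.yml, semantic-lint.yml, semantic.yml and tests.yml in this commit. GitHub does not check that the trailing comment matches the SHA, so a reviewer should verify each SHA is the commit the named tag points to upstream before merging. Both sides of this hunk still end with `\ No newline at end of file`; since the lines are rewritten anyway, adding the trailing newline now is a cheap cleanup.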
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -14,8 +14,8 @@ jobs:
name: golangci-lint
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v5
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5
with:
go-version: '1.22.x'
cache: false
diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
index 308de4e..812680d 100644
--- a/.github/workflows/goreleaser.yml
+++ b/.github/workflows/goreleaser.yml
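Review bot: The lint job still pins `go-version: '1.22.x'` while goreleaser.yml and tests.yml in the same commit set `go-version: 1.23.x`, so golangci-lint analyses the module with an older toolchain than the one that builds and tests it; if the module's `go` directive is already 1.23, the lint step may fail to load packages or skip 1.23-only constructs. Aligning it (`go-version: '1.23.x'`) or reading the version from go.mod (`go-version-file: go.mod`) keeps the three workflows consistent. This is a pre-existing context line rather than something the SHA-pin change introduced.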
@@ -23,34 +23,34 @@ jobs:
release:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
if: github.event_name == 'pull_request'
with:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.ref }}
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
if: github.event_name != 'pull_request'
with:
fetch-depth: 0
- name: setup-go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5
with:
go-version: 1.23.x
- - uses: anchore/sbom-action/download-syft@v0.17.5
+ - uses: anchore/sbom-action/download-syft@1ca97d9028b51809cf6d3c934c3e160716e1b605 # v0.17.5
- name: setup qemu
id: qemu
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3
- name: setup docker buildx
id: buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3
- name: Login to GitHub Container Registry
- uses: docker/login-action@v3
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: install cosign
- uses: sigstore/cosign-installer@v3
+ uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3
- name: install quill
env:
QUILL_VERSION: 0.4.1
@@ -72,7 +72,7 @@ jobs:
run: |
echo "GORELEASER_ARGS=--snapshot --skip publish --skip sign" >> $GITHUB_ENV
- name: setup-quill
- uses: 1password/load-secrets-action@v2
+ uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2
# Extra Safeguard - This ensures the secrets are only loaded on tag and a tag that the repo owner triggered
if: startsWith(github.ref, 'refs/tags/') == true && github.actor == 'ekristen-dev[bot]'
with:
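Review bot: Pinning `sigstore/cosign-installer` and `anchore/sbom-action/download-syft` to commit SHAs freezes the installer but not the tool it downloads at run time, so the release job's signing and SBOM toolchain can still change underneath an otherwise frozen workflow; the same gap is more visible in the `@@ -85,7` hunk, where `goreleaser/goreleaser-action` is now SHA-pinned but `version: latest` still fetches whatever GoReleaser release is current. Pin the tools as well, e.g. `cosign-release: "<PINNED_COSIGN_VERSION>"` on the installer step, the syft version input on download-syft, and a concrete `version: "<PINNED_GORELEASER_VERSION>"` for GoReleaser, so the action pin and the tool version move together under the same update bot. The `QUILL_VERSION: 0.4.1` line shows the project already does this for quill; that step's install body is outside this hunk, so I cannot see whether the download is checksum-verified.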
@@ -85,7 +85,7 @@ jobs:
QUILL_SIGN_PASSWORD: ${{ secrets.OP_QUILL_SIGN_PASSWORD }}
QUILL_SIGN_P12: ${{ secrets.OP_QUILL_SIGN_P12 }}
- name: run goreleaser
- uses: goreleaser/goreleaser-action@v6
+ uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6
with:
distribution: goreleaser
version: latest
@@ -98,7 +98,7 @@ jobs:
docker images --format "{{.Repository}}:{{.Tag}}" | grep "${{ github.repository }}" | xargs -L1 docker push
- name: upload artifacts
if: github.event.pull_request.base.ref == 'main'
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
with:
name: binaries
path: releases/*.tar.gz
diff --git a/.github/workflows/semantic-lint.yml b/.github/workflows/semantic-lint.yml
index 17c1488..0188ea1 100644
--- a/.github/workflows/semantic-lint.yml
+++ b/.github/workflows/semantic-lint.yml
@@ -16,6 +16,6 @@ jobs:
name: semantic-lint
runs-on: ubuntu-latest
steps:
- - uses: amannn/action-semantic-pull-request@v5
+ - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/semantic.yml b/.github/workflows/semantic.yml
index 74c5364..b33fa7f 100644
--- a/.github/workflows/semantic.yml
+++ b/.github/workflows/semantic.yml
@@ -21,16 +21,16 @@ jobs:
id-token: write # to enable use of OIDC for npm provenance
steps:
- name: checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
fetch-depth: 0
- name: setup node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4
with:
node-version: "lts/*"
- name: generate-token
id: generate_token
- uses: tibdex/github-app-token@v2
+ uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2
with:
app_id: ${{ secrets.BOT2_APP_ID }}
private_key: ${{ secrets.BOT2_APP_PEM }}
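Review bot: In the semantic.yml section, `tibdex/github-app-token` is a third-party action that mints an installation token from the `BOT2_APP_PEM` private key; pinning it to a SHA freezes the code, but as far as I know that project has been superseded by the first-party `actions/create-github-app-token`, so a frozen pin here also freezes out any future fixes to the code handling that key. Consider migrating the `generate-token` step to `actions/create-github-app-token` (inputs `app-id` and `private-key`) and SHA-pinning that instead. The private key remains a repository secret either way, so the migration is a swap of the `uses:` line and the two input names.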
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 6dc84ac..ffc27a6 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -11,8 +11,8 @@ jobs:
name: test
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v5
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5
with:
go-version: 1.23.x
- name: download go mods
diff --git a/Dockerfile b/Dockerfile
index 5a2565a..379cfe3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,10 +1,10 @@
-# syntax=docker/dockerfile:1.10-labs
-FROM cgr.dev/chainguard/wolfi-base:latest as base
+# syntax=docker/dockerfile:1.10-labs@sha256:940282bab7a18daad689c238d407ad22393369ad53c6125c9c00f8be8a9da678
+FROM cgr.dev/chainguard/wolfi-base:latest@sha256:8ece91a71d17ae3792056b3bfa64cb80dfbcb01848b320e446dd632ff9672491 as base
ARG PROJECT_NAME=distillery
RUN apk add --no-cache ca-certificates
RUN addgroup -S ${PROJECT_NAME} && adduser -S ${PROJECT_NAME} -G ${PROJECT_NAME}
-FROM ghcr.io/acorn-io/images-mirror/golang:1.21 AS build
+FROM ghcr.io/acorn-io/images-mirror/golang:1.21@sha256:856073656d1a517517792e6cdd2f7a5ef080d3ca2dff33e518c8412f140fdd2d AS build
ARG PROJECT_NAME=distillery
COPY / /src
WORKDIR /src