diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 350feb1..25b16c5 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -15,12 +15,12 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 submodules: recursive
 - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
 with:
 go-version-file: go.mod
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 156975b..deef5f6 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -18,7 +18,7 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 ssh-key: ${{ secrets.PUSH_KEY }}
 fetch-tags: true
@@ -49,7 +49,7 @@ jobs:
 exit 0
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3
 - name: Set up Docker Context for Buildx
 id: buildx-context
@@ -57,7 +57,7 @@ jobs:
 docker context create builders
 - name: Login to GitHub Container Registry
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -65,12 +65,12 @@ jobs:
 - name: Set up Docker Buildx
 timeout-minutes: 5
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
 with:
 version: latest
 - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
 with:
 go-version-file: go.mod
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 4d99cba..bd60f48 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
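Review bot: The trailing comments on the pinned `uses:` lines in the `ci.yaml` hunk (`# v4`, `# v5`) name only the moving major tag, so a reader cannot tell which release the SHA belongs to or check it against the action's tag list. Record the exact release the commit was taken from, in the form `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # vX.Y.Z` (placeholder; use the tag the SHA was resolved from), which is also the comment format update bots such as Dependabot and Renovate maintain alongside the SHA. The same applies to every pinned action in the `publish.yaml`, `release.yaml` and `reuse.yaml` hunks. No updater configuration is part of this diff, so if none exists in the repository these pins will stay at today's commits and miss later fixes to the actions.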
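Review bot: In the `publish.yaml` checkout hunk (`-18,7`), `ssh-key: ${{ secrets.PUSH_KEY }}` is written into the local git config and stays there for the rest of the job, because `persist-credentials` defaults to `true` in actions/checkout. Every later step, including the Docker and Go setup actions pinned further down, therefore runs with that key (presumably push-capable, going by its name) available in the workspace. The step that actually pushes lies outside the hunks shown, so confirm it is needed job-wide; if it is, a comment such as `# PUSH_KEY stays configured for the later push step` documents the choice, and if it is not, `persist-credentials: false` limits the exposure. The checkout hunk in `release.yaml` has the same `with:` block.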
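Review bot: `version: latest` in the `with:` block of the "Set up Docker Buildx" step (`publish.yaml`, hunk `-65,12`) still resolves at run time, so the buildx binary that the now-pinned action downloads is not fixed by the SHA. This job also logs in to `ghcr.io` a few steps earlier, which makes the build tool part of the publish path. Pin the input to a specific release, `version: vX.Y.Z` (placeholder for the buildx release you have tested), and let the update bot or a periodic review raise it.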
@@ -15,7 +15,7 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 ssh-key: ${{ secrets.PUSH_KEY }}
 fetch-tags: true
@@ -89,7 +89,7 @@ jobs:
 - name: Build Changelog
 id: github_release
- uses: mikepenz/release-changelog-builder-action@v5
+ uses: mikepenz/release-changelog-builder-action@e92187bd633e680ebfdd15961a7c30b2d097e7ad # v5
 with:
 mode: "PR"
 configurationJson: |
@@ -123,7 +123,7 @@ jobs:
 - name: Create GitHub release
 if: ${{ env.SKIP != 'true' }}
- uses: softprops/action-gh-release@v2
+ uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2
 with:
 tag_name: ${{ env.version }}
 name: Release ${{ env.version }}
diff --git a/.github/workflows/reuse.yaml b/.github/workflows/reuse.yaml
index 328ee5b..46fe64c 100644
--- a/.github/workflows/reuse.yaml
+++ b/.github/workflows/reuse.yaml
@@ -6,6 +6,6 @@ jobs:
 test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: REUSE Compliance Check
- uses: fsfe/reuse-action@v5
+ uses: fsfe/reuse-action@bb774aa972c2a89ff34781233d275075cbddf542 # v5
diff --git a/Dockerfile b/Dockerfile
index f61c245..2136fab 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM docker.io/golang:1.23 AS builder
+FROM docker.io/golang:1.23@sha256:45c8837b16499b4e0e52b62d4cfba7bf04fc651b7d9265f95010fe0beaec2626 AS builder
 ARG TARGETOS
 ARG TARGETARCH
@@ -24,7 +24,7 @@ COPY pkg/ pkg/
 # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
 RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager cmd/main.go
-FROM alpine:3.21.3
+FROM alpine:3.21.3@sha256:a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c
 RUN apk add --no-cache docker-cli kind
 WORKDIR /
 COPY --from=builder /workspace/manager .
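Review bot: `runs-on: ubuntu-latest` in the context lines of the `reuse.yaml` hunk is the one runner label in this diff that still floats; the `publish.yaml` and `release.yaml` jobs shown here use `ubuntu-24.04`. For consistency with the rest of the pinning, `runs-on: ubuntu-24.04` keeps the image from changing under the job when the `latest` alias moves. The checkout step in this file also has no `name:`, unlike the checkout steps in the other workflows. The job definition starts before the hunk, so any `permissions:` block cannot be seen from here.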
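Review bot: With `FROM docker.io/golang:1.23@sha256:…` in the first `Dockerfile` hunk, the digest alone decides what is pulled, so the builder stage no longer picks up Go patch releases or base-image fixes that the `1.23` tag would have brought in; the tag in the line is now documentation only. Nothing in this diff adds an updater for image digests, so the pin needs a stated refresh path, for instance a comment above the line such as `# digest of golang:1.23 resolved on DATE; refreshed by UPDATER` (placeholders). Because the stage builds for `TARGETOS`/`TARGETARCH`, it is also worth confirming that the value is the multi-platform index digest and not a single-architecture manifest. Both points apply equally to the `alpine:3.21.3@sha256:…` line in the second hunk.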
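Review bot: `RUN apk add --no-cache docker-cli kind`, the context line directly after the newly pinned `FROM alpine:3.21.3@sha256:…` in the second `Dockerfile` hunk, still installs whatever package versions the Alpine repositories serve at build time, so the final image is not reproducible from the digest alone. Exact pins, `RUN apk add --no-cache docker-cli=PINNED_VERSION kind=PINNED_VERSION` (placeholders), close that gap but need the same update process as the digest, since superseded package versions may stop being available. If the packages are meant to float, a comment like `# packages intentionally unpinned; only the base image is fixed by digest` makes the limit of the pin explicit. The final stage continues past the end of the hunk, so whether it sets a non-root `USER` cannot be seen here.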