diff --git a/.github/workflows/anchore.yml b/.github/workflows/anchore.yml index 802f626..0c58b5a 100644 --- a/.github/workflows/anchore.yml +++ b/.github/workflows/anchore.yml @@ -35,20 +35,20 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - name: Build the Docker image run: docker build . --file ${{ env.DOCKERFILE }} --tag localbuild/testimage:latest - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled - uses: anchore/scan-action@v3 + uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3 with: image: "localbuild/testimage:latest" acs-report-enable: true fail-build: true severity-cutoff: "high" - name: Upload Anchore Scan Report - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@563dcafdfe28a0bb82e2c272d84924f17b628540 # v2 if: always() with: sarif_file: results.sarif diff --git a/.github/workflows/assignee.yml b/.github/workflows/assignee.yml index 0611917..cf22668 100644 --- a/.github/workflows/assignee.yml +++ b/.github/workflows/assignee.yml @@ -21,6 +21,6 @@ jobs: steps: - name: Assign Me # You may pin to the exact commit or the version. - uses: kentaro-m/auto-assign-action@v1.2.1 + uses: kentaro-m/auto-assign-action@746a3a558fdd0e061f612ec9f8ff1b8a19c1a115 # v1.2.1 with: configuration-path: '.github/auto_assign.yml' diff --git a/.github/workflows/check_metadata_pr.yml b/.github/workflows/check_metadata_pr.yml index c687c53..5130b4a 100644 --- a/.github/workflows/check_metadata_pr.yml +++ b/.github/workflows/check_metadata_pr.yml @@ -21,7 +21,7 @@ jobs: steps: - name: Verify PR Labels - uses: jesusvasquez333/verify-pr-label-action@v1.4.0 + uses: jesusvasquez333/verify-pr-label-action@657d111bbbe13e22bbd55870f1813c699bde1401 # v1.4.0 with: github-token: '${{ secrets.GITHUB_TOKEN }}' valid-labels: 'bug, enhancement, breaking-change, ignore-for-release' @@ -29,7 +29,7 @@ jobs: - name: Label Check if: ${{ !contains(github.event.pull_request.labels.*.name, 'breaking-change') && !contains(github.event.pull_request.labels.*.name, 'enhancement') && !contains(github.event.pull_request.labels.*.name, 'bug') && !contains(github.event.pull_request.labels.*.name, 'ignore-for-release') }} - uses: actions/github-script@v3 + uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3 with: script: | core.setFailed('Missing required labels') diff --git a/.github/workflows/create_dashboard.yaml b/.github/workflows/create_dashboard.yaml index 9a91ef2..e131673 100644 --- a/.github/workflows/create_dashboard.yaml +++ b/.github/workflows/create_dashboard.yaml @@ -44,7 +44,7 @@ jobs: persist-credentials: false # from https://github.com/pagopa/opex-dashboard-azure-action/ - - uses: pagopa/opex-dashboard-azure-action@v1.1.2 + - uses: pagopa/opex-dashboard-azure-action@ece3bc2b133be74cabb50aec14cdb9b8051b886f # v1.1.2 with: environment: ${{ matrix.environment }} api-name: ${{ matrix.product }} diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index c0b3f01..5d33e4c 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -48,7 +48,7 @@ jobs: if: ${{ contains(github.event.pull_request.labels.*.name, 'ignore-for-release') }} - name: Azure Pipelines Action - Jversion - uses: jacopocarlini/azure-pipelines@v1.3 + uses: jacopocarlini/azure-pipelines@b9721743a54e862597395b4a70727cfdc03028fb # v1.3 with: azure-devops-project-url: https://dev.azure.com/pagopaspa/pagoPA-projects azure-pipeline-name: 'projectName.deploy' # TODO: set the name diff --git a/.github/workflows/sonar_analysis.yml b/.github/workflows/sonar_analysis.yml index 3e0fad0..f820728 100644 --- a/.github/workflows/sonar_analysis.yml +++ b/.github/workflows/sonar_analysis.yml @@ -19,7 +19,7 @@ jobs: # Steps represent a sequence of tasks that will be executed as part of the job steps: - name: Azure Pipelines Action - Jversion - uses: jacopocarlini/azure-pipelines@v1.3 + uses: jacopocarlini/azure-pipelines@b9721743a54e862597395b4a70727cfdc03028fb # v1.3 with: azure-devops-project-url: https://dev.azure.com/pagopaspa/pagoPA-projects azure-pipeline-name: 'projectName.code-review' # TODO: set the name diff --git a/.github/workflows/update_infra.yml b/.github/workflows/update_infra.yml index dd6ad98..cafd8f9 100644 --- a/.github/workflows/update_infra.yml +++ b/.github/workflows/update_infra.yml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 # prepare openapi template for infra repo - run: | diff --git a/Dockerfile b/Dockerfile index 6f1142c..bbcc8df 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,13 +1,13 @@ # # Build # -FROM maven:3.8.4-jdk-11-slim as buildtime +FROM maven:3.8.4-jdk-11-slim@sha256:04f8e5ba4a6a74fb7f97940bc75ac7340520728d2fb051ecc5c9ecbb9ba28b48 as buildtime WORKDIR /build COPY . . RUN mvn clean package -FROM adoptopenjdk/openjdk11:alpine-jre as builder +FROM adoptopenjdk/openjdk11:alpine-jre@sha256:bde3da4989dc3f8005755990565e9a1883d20ea16b025f6a66e022911c8d74a6 as builder COPY --from=buildtime /build/target/*.jar application.jar RUN java -Djarmode=layertools -jar application.jar extract diff --git a/performance-test/docker-compose.yaml b/performance-test/docker-compose.yaml index 0a56ebf..db92982 100644 --- a/performance-test/docker-compose.yaml +++ b/performance-test/docker-compose.yaml @@ -1,7 +1,7 @@ version: '3.3' services: k6: - image: grafana/k6 + image: grafana/k6@sha256:c70aaeaa1d9e4758ba5f292b1a0c73269fd949669c0d1042b2b1e18c58f07b82 container_name: k6 volumes: - '${PWD}/src:/scripts' @@ -26,7 +26,7 @@ services: - nginx nginx: - image: nginx + image: nginx@sha256:05ab1728068284cbd42d54554fa2b69a3d6334adafccf2e70cf20925d7d55e90 container_name: nginx volumes: - '${PWD}/nginx/nginx.conf:/etc/nginx/nginx.conf'