Pin dependencies

pagopa · Sep 23, 2024 · e271c0e · e271c0e
1 parent 6192040
commit e271c0e
Show file tree

Hide file tree

Showing 9 changed files with 14 additions and 14 deletions.
diff --git a/.github/workflows/anchore.yml b/.github/workflows/anchore.yml
@@ -35,20 +35,20 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout the code
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 
       - name: Build the Docker image
         run: docker build . --file ${{ env.DOCKERFILE }} --tag localbuild/testimage:latest
 
       - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
-        uses: anchore/scan-action@v3
+        uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3
         with:
           image: "localbuild/testimage:latest"
           acs-report-enable: true
           fail-build: true
           severity-cutoff: "high"
       - name: Upload Anchore Scan Report
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@422b177bb3935638109d3175d95e4dbf97066060 # v2
         if: always()
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/assignee.yml b/.github/workflows/assignee.yml
@@ -21,6 +21,6 @@ jobs:
     steps:
       - name: Assign Me
         # You may pin to the exact commit or the version.
-        uses: kentaro-m/auto-assign-action@v1.2.1
+        uses: kentaro-m/auto-assign-action@746a3a558fdd0e061f612ec9f8ff1b8a19c1a115 # v1.2.1
         with:
           configuration-path: '.github/auto_assign.yml'
diff --git a/.github/workflows/check_metadata_pr.yml b/.github/workflows/check_metadata_pr.yml
@@ -21,15 +21,15 @@ jobs:
     steps:
 
       - name: Verify PR Labels
-        uses: jesusvasquez333/verify-pr-label-action@v1.4.0
+        uses: jesusvasquez333/verify-pr-label-action@657d111bbbe13e22bbd55870f1813c699bde1401 # v1.4.0
         with:
           github-token: '${{ secrets.GITHUB_TOKEN }}'
           valid-labels: 'bug, enhancement, breaking-change, ignore-for-release'
           pull-request-number: '${{ github.event.pull_request.number }}'
 
       - name: Label Check
         if: ${{ !contains(github.event.pull_request.labels.*.name, 'breaking-change') && !contains(github.event.pull_request.labels.*.name, 'enhancement') && !contains(github.event.pull_request.labels.*.name, 'bug') && !contains(github.event.pull_request.labels.*.name, 'ignore-for-release') }}
-        uses: actions/github-script@v3
+        uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3
         with:
           script: |
             core.setFailed('Missing required labels')
diff --git a/.github/workflows/create_dashboard.yaml b/.github/workflows/create_dashboard.yaml
@@ -44,7 +44,7 @@ jobs:
           persist-credentials: false
 
       # from https://github.com/pagopa/opex-dashboard-azure-action/
-      - uses: pagopa/opex-dashboard-azure-action@v1.1.2
+      - uses: pagopa/opex-dashboard-azure-action@ece3bc2b133be74cabb50aec14cdb9b8051b886f # v1.1.2
         with:
           environment: ${{ matrix.environment }}
           api-name: ${{ matrix.product }}

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -48,7 +48,7 @@ jobs:
         if: ${{ contains(github.event.pull_request.labels.*.name, 'ignore-for-release') }}
 
       - name: Azure Pipelines Action - Jversion
-        uses: jacopocarlini/azure-pipelines@v1.3
+        uses: jacopocarlini/azure-pipelines@b9721743a54e862597395b4a70727cfdc03028fb # v1.3
         with:
           azure-devops-project-url: https://dev.azure.com/pagopaspa/pagoPA-projects
           azure-pipeline-name: 'projectName.deploy' # TODO: set the name

diff --git a/.github/workflows/sonar_analysis.yml b/.github/workflows/sonar_analysis.yml
@@ -19,7 +19,7 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       - name: Azure Pipelines Action - Jversion
-        uses: jacopocarlini/azure-pipelines@v1.3
+        uses: jacopocarlini/azure-pipelines@b9721743a54e862597395b4a70727cfdc03028fb # v1.3
         with:
           azure-devops-project-url: https://dev.azure.com/pagopaspa/pagoPA-projects
           azure-pipeline-name: 'projectName.code-review' # TODO: set the name

diff --git a/.github/workflows/update_infra.yml b/.github/workflows/update_infra.yml
@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
 
       # prepare openapi template for infra repo
       - run: |

diff --git a/Dockerfile b/Dockerfile
@@ -1,13 +1,13 @@
 #
 # Build
 #
-FROM maven:3.8.4-jdk-11-slim as buildtime
+FROM maven:3.8.4-jdk-11-slim@sha256:04f8e5ba4a6a74fb7f97940bc75ac7340520728d2fb051ecc5c9ecbb9ba28b48 as buildtime
 WORKDIR /build
 COPY . .
 RUN mvn clean package
 
 
-FROM adoptopenjdk/openjdk11:alpine-jre as builder
+FROM adoptopenjdk/openjdk11:alpine-jre@sha256:9b42c4324d3a5258a1d1e6f56872dfe5be87ca5587f773c67b2a40d241461024 as builder
 COPY --from=buildtime /build/target/*.jar application.jar
 RUN java -Djarmode=layertools -jar application.jar extract
 

diff --git a/performance-test/docker-compose.yaml b/performance-test/docker-compose.yaml
@@ -1,7 +1,7 @@
 version: '3.3'
 services:
   k6:
-    image: grafana/k6
+    image: grafana/k6@sha256:9e37f3209c16af8c17a79cf3a5f7d4402673726de4c7e25572d189acf06405c5
     container_name: k6
     volumes:
       - '${PWD}/src:/scripts'
@@ -26,7 +26,7 @@ services:
       - nginx
 
   nginx:
-    image: nginx
+    image: nginx@sha256:04ba374043ccd2fc5c593885c0eacddebabd5ca375f9323666f28dfd5a9710e3
     container_name: nginx
     volumes:
       - '${PWD}/nginx/nginx.conf:/etc/nginx/nginx.conf'