Merge branch 'development' into feature/beta-release

.github/renovate.json

@@ -47,13 +47,14 @@
     },
     {
       "customType": "regex",
-      "description": "Track Debian base image in Dockerfile",
+      "description": "Track Debian base image digest in Dockerfile for security updates",
       "managerFilePatterns": ["/^Dockerfile$/"],
       "matchStrings": [
-        "ARG CADDY_IMAGE=debian:(?<currentValue>[\\w.-]+)"
+        "#\\s*renovate:\\s*datasource=docker\\s+depName=debian.*\\nARG CADDY_IMAGE=debian:(?<currentValue>trixie-slim@sha256:[a-f0-9]+)"
       ],
       "depNameTemplate": "debian",
-      "datasourceTemplate": "docker"
+      "datasourceTemplate": "docker",
+      "versioningTemplate": "docker"
     }
   ],
 

.github/workflows/e2e-tests.yml

@@ -107,7 +107,7 @@ jobs:
           cache: 'npm'
 
       - name: Cache npm dependencies
-        uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
         with:
           path: ~/.npm
           key: npm-${{ hashFiles('package-lock.json') }}
@@ -246,7 +246,7 @@ jobs:
         run: npm ci
 
       - name: Cache Playwright browsers
-        uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
         with:
           path: ~/.cache/ms-playwright
           key: playwright-${{ matrix.browser }}-${{ hashFiles('package-lock.json') }}

.github/workflows/security-pr.yml

@@ -214,7 +214,7 @@ jobs:
       - name: Upload Trivy SARIF to GitHub Security
         if: steps.check-artifact.outputs.artifact_exists == 'true'
         # github/codeql-action v4
-        uses: github/codeql-action/upload-sarif@b2ff80ddacba59b60f4e0cf3b699baaea3230cd9
+        uses: github/codeql-action/upload-sarif@f985be5b50bd175586d44aac9ac52926adf12893
         with:
           sarif_file: 'trivy-binary-results.sarif'
           category: ${{ steps.pr-info.outputs.is_push == 'true' && format('security-scan-{0}', github.event.workflow_run.head_branch) || format('security-scan-pr-{0}', steps.pr-info.outputs.pr_number) }}

.github/workflows/supply-chain-pr.yml

@@ -296,7 +296,7 @@ jobs:
       - name: Upload SARIF to GitHub Security
         if: steps.check-artifact.outputs.artifact_found == 'true'
         # github/codeql-action v4
-        uses: github/codeql-action/upload-sarif@b2ff80ddacba59b60f4e0cf3b699baaea3230cd9
+        uses: github/codeql-action/upload-sarif@f985be5b50bd175586d44aac9ac52926adf12893
         continue-on-error: true
         with:
           sarif_file: grype-results.sarif

Dockerfile

@@ -22,8 +22,8 @@ ARG CADDY_VERSION=2.11.0-beta.2
 ## upstream caddy image tags while still shipping a pinned caddy binary.
 ## Using trixie (Debian 13 testing) for faster security updates - bookworm
 ## packages marked "wont-fix" are actively maintained in trixie.
-# renovate: datasource=docker depName=debian
-ARG CADDY_IMAGE=debian:trixie-slim
+# renovate: datasource=docker depName=debian versioning=docker
+ARG CADDY_IMAGE=debian:trixie-slim@sha256:77ba0164de17b88dd0bf6cdc8f65569e6e5fa6cd256562998b62553134a00ef0
 
 # ---- Cross-Compilation Helpers ----
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.9.0 AS xx