diff --git a/.github/renovate.json b/.github/renovate.json index 0a5c9b3a..27f6939f 100644 --- a/.github/renovate.json +++ b/.github/renovate.json @@ -47,13 +47,14 @@ }, { "customType": "regex", - "description": "Track Debian base image in Dockerfile", + "description": "Track Debian base image digest in Dockerfile for security updates", "managerFilePatterns": ["/^Dockerfile$/"], "matchStrings": [ - "ARG CADDY_IMAGE=debian:(?[\\w.-]+)" + "#\\s*renovate:\\s*datasource=docker\\s+depName=debian.*\\nARG CADDY_IMAGE=debian:(?trixie-slim@sha256:[a-f0-9]+)" ], "depNameTemplate": "debian", - "datasourceTemplate": "docker" + "datasourceTemplate": "docker", + "versioningTemplate": "docker" } ], diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index d3aba767..b2c34274 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -107,7 +107,7 @@ jobs: cache: 'npm' - name: Cache npm dependencies - uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5 + uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5 with: path: ~/.npm key: npm-${{ hashFiles('package-lock.json') }} @@ -246,7 +246,7 @@ jobs: run: npm ci - name: Cache Playwright browsers - uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5 + uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5 with: path: ~/.cache/ms-playwright key: playwright-${{ matrix.browser }}-${{ hashFiles('package-lock.json') }} diff --git a/.github/workflows/security-pr.yml b/.github/workflows/security-pr.yml index 227710a6..3491ca1d 100644 --- a/.github/workflows/security-pr.yml +++ b/.github/workflows/security-pr.yml 
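Review bot: The new `matchStrings` pattern captures the tag and the digest together (`trixie-slim@sha256:[a-f0-9]+`) in one group, so if that group is `currentValue` (the group name appears stripped in this rendering) the docker datasource will look up a tag literally named `trixie-slim@sha256:…`, find no releases, and never refresh the pin — the opposite of the "for security updates" intent in the new description. Renovate's regex manager expects the tag and the digest in separate named groups, e.g. `"ARG CADDY_IMAGE=debian:(?<currentValue>[\\w.-]+)@(?<currentDigest>sha256:[a-f0-9]{64})"`, so that digest updates flow through the normal docker handling. Hard-coding `trixie-slim` in the pattern also means a future base-image bump silently stops matching, and `[a-f0-9]+` accepts a truncated digest where `{64}` would reject it. The enclosing customManagers array starts and ends outside the hunk.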
@@ -214,7 +214,7 @@ jobs:
 - name: Upload Trivy SARIF to GitHub Security
 if: steps.check-artifact.outputs.artifact_exists == 'true'
 # github/codeql-action v4
- uses: github/codeql-action/upload-sarif@b2ff80ddacba59b60f4e0cf3b699baaea3230cd9
+ uses: github/codeql-action/upload-sarif@f985be5b50bd175586d44aac9ac52926adf12893
 with:
 sarif_file: 'trivy-binary-results.sarif'
 category: ${{ steps.pr-info.outputs.is_push == 'true' && format('security-scan-{0}', github.event.workflow_run.head_branch) || format('security-scan-pr-{0}', steps.pr-info.outputs.pr_number) }}
diff --git a/.github/workflows/supply-chain-pr.yml b/.github/workflows/supply-chain-pr.yml
index 77e64de8..be3e7a1f 100644
--- a/.github/workflows/supply-chain-pr.yml
+++ b/.github/workflows/supply-chain-pr.yml
@@ -296,7 +296,7 @@ jobs:
 - name: Upload SARIF to GitHub Security
 if: steps.check-artifact.outputs.artifact_found == 'true'
 # github/codeql-action v4
- uses: github/codeql-action/upload-sarif@b2ff80ddacba59b60f4e0cf3b699baaea3230cd9
+ uses: github/codeql-action/upload-sarif@f985be5b50bd175586d44aac9ac52926adf12893
 continue-on-error: true
 with:
 sarif_file: grype-results.sarif
diff --git a/Dockerfile b/Dockerfile
index c4e55342..20c4d5af 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -22,8 +22,8 @@ ARG CADDY_VERSION=2.11.0-beta.2
 ## upstream caddy image tags while still shipping a pinned caddy binary.
 ## Using trixie (Debian 13 testing) for faster security updates - bookworm
 ## packages marked "wont-fix" are actively maintained in trixie.
-# renovate: datasource=docker depName=debian
-ARG CADDY_IMAGE=debian:trixie-slim
+# renovate: datasource=docker depName=debian versioning=docker
+ARG CADDY_IMAGE=debian:trixie-slim@sha256:77ba0164de17b88dd0bf6cdc8f65569e6e5fa6cd256562998b62553134a00ef0
 # ---- Cross-Compilation Helpers ----
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.9.0 AS xx
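Review bot: The new `ARG CADDY_IMAGE=debian:trixie-slim@sha256:…` pin does not say which digest it is, and for a cross-platform build (the `tonistiigi/xx` helper on the last line of the hunk suggests one) it must be the multi-arch manifest-list digest, since a single-platform image digest would resolve to the wrong architecture or fail on other targets; please confirm and record it, e.g. follow the renovate line with `# multi-arch manifest digest for trixie-slim; refreshed by Renovate, do not edit by hand`. The `## Using trixie (Debian 13 testing)` comment just above is worth re-checking, since if trixie has since become the stable release the stated justification about bookworm "wont-fix" packages no longer describes the situation. `FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.9.0 AS xx` in the same hunk stays tag-only; pinning it by digest the same way would make the build-stage inputs consistent with the debian pin. The `##` comment block begins before the hunk.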