From 5098c4e1ec72609619cccadd84b10749a57c4afe Mon Sep 17 00:00:00 2001
From: Herman Jensen
Date: Tue, 24 Mar 2026 13:59:36 +0100
Subject: [PATCH 1/3] chore: pin actions and images to SHA digests
Pin all mutable GitHub Actions tags and Docker image tags to immutable SHA digests for improved supply chain security and reproducibility.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/build-react.yaml | 4 ++--
 .github/workflows/publish-docs.yaml | 8 ++++----
 .github/workflows/publish-dotnet.yaml | 4 ++--
 .github/workflows/test-publish-docs.yaml | 4 ++--
 docusaurus/Dockerfile | 4 ++--
 react/Dockerfile | 4 ++--
 react/Dockerfile.CI | 2 +-
 7 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/build-react.yaml b/.github/workflows/build-react.yaml
index 7ed87404..2fe65405 100644
--- a/.github/workflows/build-react.yaml
+++ b/.github/workflows/build-react.yaml
@@ -17,9 +17,9 @@ jobs:
 working-directory: react
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- - uses: actions/setup-node@v6
+ - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version: lts/*
 registry-url: https://npm.intility.com/
diff --git a/.github/workflows/publish-docs.yaml b/.github/workflows/publish-docs.yaml
index 6bb7d151..cba4fb9c 100644
--- a/.github/workflows/publish-docs.yaml
+++ b/.github/workflows/publish-docs.yaml
@@ -16,10 +16,10 @@ jobs:
 run:
 working-directory: docusaurus
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
- - uses: actions/setup-node@v6
+ - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version: 20
 registry-url: https://npm.intility.com/
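Review bot: The SHA-to-tag correspondence in the new `uses:` lines (e.g. `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`) cannot be verified from the diff, so each digest should be checked against the tagged release before merging, and it must be the tag's commit SHA rather than an annotated tag object's SHA or the ref will not resolve. Once pinned, these refs no longer move on their own; the trailing `# vX.Y.Z` comments are what Dependabot and Renovate parse to propose digest bumps, so if the repository has no `github-actions` (and `docker`) update configuration, fixes released in these actions will not reach the pins. The same applies to the hunks in publish-docs.yaml, publish-dotnet.yaml and test-publish-docs.yaml.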
@@ -34,7 +34,7 @@ jobs:
 run: npm run build
 - name: Upload Build Artifact
- uses: actions/upload-pages-artifact@v4
+ uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
 with:
 path: docusaurus/build
@@ -56,4 +56,4 @@ jobs:
 steps:
 - name: Deploy to GitHub Pages
 id: deployment
- uses: actions/deploy-pages@v4
+ uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
diff --git a/.github/workflows/publish-dotnet.yaml b/.github/workflows/publish-dotnet.yaml
index 96f1f001..4b81efbf 100644
--- a/.github/workflows/publish-dotnet.yaml
+++ b/.github/workflows/publish-dotnet.yaml
@@ -13,9 +13,9 @@ jobs:
 publish:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- - uses: actions/setup-dotnet@v5
+ - uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
 with:
 dotnet-version: "9.0.x"
diff --git a/.github/workflows/test-publish-docs.yaml b/.github/workflows/test-publish-docs.yaml
index e3f5f79f..b9b9a276 100644
--- a/.github/workflows/test-publish-docs.yaml
+++ b/.github/workflows/test-publish-docs.yaml
@@ -15,10 +15,10 @@ jobs:
 run:
 working-directory: docusaurus
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
- - uses: actions/setup-node@v6
+ - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version: 20
 registry-url: https://npm.intility.com/
diff --git a/docusaurus/Dockerfile b/docusaurus/Dockerfile
index 644fca2b..fcd501f9 100644
--- a/docusaurus/Dockerfile
+++ b/docusaurus/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:12 AS build
+FROM node@sha256:01627afeb110b3054ba4a1405541ca095c8bfca1cb6f2be9479c767a2711879e AS build # 12
 WORKDIR /src
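Review bot: The new `FROM node@sha256:… AS build # 12` line will not parse: a Dockerfile has no inline comments, `#` only starts a comment at the beginning of a line, so the parser sees `#` and `12` as extra arguments and rejects the instruction with an argument-count error (`FROM requires either one or three arguments`). The same defect is in every other pinned `FROM … # <tag>` line of this patch: the second docusaurus/Dockerfile hunk, both react/Dockerfile hunks and react/Dockerfile.CI. Put the tag on its own comment line above the instruction, e.g. for react/Dockerfile `# node:lts-slim` followed by `FROM node@sha256:d8e448a56fc63242f70026718378bd4b00f8c82e78d20eefb199224a4d8e33d8 as build`; since docusaurus/Dockerfile is deleted again in PATCH 3/3, the fix matters for react/Dockerfile and react/Dockerfile.CI. For `lts-slim` in particular, the comment should record the concrete Node release the digest corresponds to rather than the floating alias, which will drift away from the pinned digest; which release that is cannot be determined from the diff.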
@@ -8,6 +8,6 @@ RUN npm ci
 COPY . .
 RUN npm run build
-FROM intility/nginx-unprivileged-react:1.18.2
+FROM intility/nginx-unprivileged-react@sha256:fbade102effffd21a991393ab6096eb537ded7a430aafd42a0037023f0994357 # 1.18.2
 COPY --from=build /src/build /usr/share/nginx/html
diff --git a/react/Dockerfile b/react/Dockerfile
index d4388e45..3357f27d 100644
--- a/react/Dockerfile
+++ b/react/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1
-FROM node:lts-slim as build
+FROM node@sha256:d8e448a56fc63242f70026718378bd4b00f8c82e78d20eefb199224a4d8e33d8 as build # lts-slim
 WORKDIR /src
 # .npmrc should be pre-configured with the registry
@@ -16,7 +16,7 @@ RUN --mount=type=secret,id=NODE_AUTH_TOKEN,env=NODE_AUTH_TOKEN \
 COPY . .
 RUN npm run build
-FROM ghcr.io/intility/nginx-unprivileged-react:2.5.1
+FROM ghcr.io/intility/nginx-unprivileged-react@sha256:0e071176f68f689bd8b7fbdc30062af2b20f935e85c5a7daadec156c0277ea04 # 2.5.1
 # Copy build files
 COPY --from=build /src/dist /usr/share/nginx/html
diff --git a/react/Dockerfile.CI b/react/Dockerfile.CI
index 51900210..62a7437a 100644
--- a/react/Dockerfile.CI
+++ b/react/Dockerfile.CI
@@ -1,5 +1,5 @@
 # This Dockerfile requires running `npm run build` on the host first
-FROM ghcr.io/intility/nginx-unprivileged-react:2.5.1
+FROM ghcr.io/intility/nginx-unprivileged-react@sha256:0e071176f68f689bd8b7fbdc30062af2b20f935e85c5a7daadec156c0277ea04 # 2.5.1
 # Copy build files
 COPY dist/ /usr/share/nginx/html
From c8f4f7e98cf245f8e25389cd3ff396030cafda67 Mon Sep 17 00:00:00 2001
From: Herman Jensen
Date: Tue, 24 Mar 2026 14:02:21 +0100
Subject: [PATCH 2/3] chore: pin reusable workflow refs to SHA digests
Pin intility/reusable-react and intility/reusable-dotnet workflow references in react and dotnet template workflows.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 dotnet/iwebapi/.github/workflows/build-and-push.yaml | 2 +-
 dotnet/iworker/.github/workflows/build-and-push.yaml | 2 +-
 react/.github/workflows/main.yaml | 2 +-
 react/.github/workflows/pull-request.yaml | 2 +-
 react/.github/workflows/release.yaml | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/dotnet/iwebapi/.github/workflows/build-and-push.yaml b/dotnet/iwebapi/.github/workflows/build-and-push.yaml
index 09ce7ea2..1e8af106 100644
--- a/dotnet/iwebapi/.github/workflows/build-and-push.yaml
+++ b/dotnet/iwebapi/.github/workflows/build-and-push.yaml
@@ -17,6 +17,6 @@ jobs:
 id-token: write
 packages: write
 attestations: write
- uses: intility/reusable-dotnet/.github/workflows/dotnet.yaml@v1.2.0
+ uses: intility/reusable-dotnet/.github/workflows/dotnet.yaml@8af9348bcc7bc58e62f7e2fe4b1a46c932347ecc # v1.2.0
 with:
 docker: ${{ github.event_name != 'pull_request' }}
diff --git a/dotnet/iworker/.github/workflows/build-and-push.yaml b/dotnet/iworker/.github/workflows/build-and-push.yaml
index d0b3a23a..a75f3a5a 100644
--- a/dotnet/iworker/.github/workflows/build-and-push.yaml
+++ b/dotnet/iworker/.github/workflows/build-and-push.yaml
@@ -17,7 +17,7 @@ jobs:
 id-token: write
 packages: write
 attestations: write
- uses: intility/reusable-dotnet/.github/workflows/dotnet.yaml@v1.2.0
+ uses: intility/reusable-dotnet/.github/workflows/dotnet.yaml@8af9348bcc7bc58e62f7e2fe4b1a46c932347ecc # v1.2.0
 with:
 directory: ./
 docker: ${{ github.event_name != 'pull_request' }}
diff --git a/react/.github/workflows/main.yaml b/react/.github/workflows/main.yaml
index cad9ce2d..58fed5d8 100644
--- a/react/.github/workflows/main.yaml
+++ b/react/.github/workflows/main.yaml
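Review bot: Pinning the caller's `uses:` to `8af9348bcc7bc58e62f7e2fe4b1a46c932347ecc # v1.2.0` fixes the content of dotnet.yaml but not what that workflow itself pulls in: any actions, reusable workflows or images referenced inside reusable-dotnet are fetched at whatever refs that file specifies, so the guarantee the commit message claims only extends one hop unless reusable-dotnet pins its own dependencies, which is not visible from this diff. That is worth confirming before relying on these pins, and the same holds for the reusable-react pins in the react/.github/workflows hunks. As with the action pins, the trailing `# v1.2.0` comment is what the update bot reads to propose bumps, so it needs to stay in sync with the SHA.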
@@ -14,7 +14,7 @@ jobs:
 packages: write
 id-token: write
 attestations: write
- uses: intility/reusable-react/.github/workflows/react.yaml@v1.1.1
+ uses: intility/reusable-react/.github/workflows/react.yaml@d27705c0cb0641ffa68d59ac2d45af519528c70d # v1.1.1
 with:
 # image will be pushed to ghcr.io/intility//react-app
 image-name: __DOCKER_IMAGE_NAME__
diff --git a/react/.github/workflows/pull-request.yaml b/react/.github/workflows/pull-request.yaml
index ae5b6048..7cfe5b26 100644
--- a/react/.github/workflows/pull-request.yaml
+++ b/react/.github/workflows/pull-request.yaml
@@ -14,7 +14,7 @@ jobs:
 packages: write
 id-token: write
 attestations: write
- uses: intility/reusable-react/.github/workflows/react.yaml@v1.1.1
+ uses: intility/reusable-react/.github/workflows/react.yaml@d27705c0cb0641ffa68d59ac2d45af519528c70d # v1.1.1
 with:
 # image will be pushed to ghcr.io/intility//react-app
 image-name: __DOCKER_IMAGE_NAME__
diff --git a/react/.github/workflows/release.yaml b/react/.github/workflows/release.yaml
index deac683a..a1fefa58 100644
--- a/react/.github/workflows/release.yaml
+++ b/react/.github/workflows/release.yaml
@@ -14,7 +14,7 @@ jobs:
 packages: write
 id-token: write
 attestations: write
- uses: intility/reusable-react/.github/workflows/react.yaml@v1.1.1
+ uses: intility/reusable-react/.github/workflows/react.yaml@d27705c0cb0641ffa68d59ac2d45af519528c70d # v1.1.1
 with:
 # image will be pushed to ghcr.io/intility//react-app
 image-name: __DOCKER_IMAGE_NAME__
From be724f97ce40c979f5457af257d0f936ad5d5cc4 Mon Sep 17 00:00:00 2001
From: Herman Jensen
Date: Tue, 24 Mar 2026 14:04:38 +0100
Subject: [PATCH 3/3] chore: remove doc dockerfile
---
 docusaurus/Dockerfile | 13 -------------
 1 file changed, 13 deletions(-)
 delete mode 100644 docusaurus/Dockerfile
diff --git a/docusaurus/Dockerfile b/docusaurus/Dockerfile
deleted file mode 100644
index fcd501f9..00000000
--- a/docusaurus/Dockerfile
+++ /dev/null
@@ -1,13 +0,0 @@
-FROM node@sha256:01627afeb110b3054ba4a1405541ca095c8bfca1cb6f2be9479c767a2711879e AS build # 12
-
-WORKDIR /src
-
-COPY package*.json .
-RUN npm ci
-
-COPY . .
-RUN npm run build
-
-FROM intility/nginx-unprivileged-react@sha256:fbade102effffd21a991393ab6096eb537ded7a430aafd42a0037023f0994357 # 1.18.2
-
-COPY --from=build /src/build /usr/share/nginx/html