From 50e9f3991e52d061780d5cec0ca63c15f51b683d Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Sun, 5 Jul 2026 12:43:06 +0000
Subject: [PATCH] Pin dependencies
---
.../workflows/build-toolkit-docker-image.yaml | 10 +++++-----
backup/Dockerfile | 2 +-
docker/caddy/docker-compose.yaml | 2 +-
docker/immich/docker-compose.yaml | 10 +++++-----
docker/kestra/docker-compose.yml | 4 ++--
docker/mafl/docker-compose.yaml | 2 +-
docker/minio/docker-compose.yaml | 2 +-
docker/pocket-id/docker-compose.yaml | 2 +-
docker/portainer/docker-compose.yaml | 2 +-
docker/semaphore/docker-compose.yaml | 2 +-
docker/upsnap/docker-compose.yaml | 2 +-
immich/Dockerfile | 2 +-
k8s/linkding/base/deployment.yaml | 2 +-
k8s/lldap/base/deployment.yaml | 2 +-
.../overlays/production/kustomization.yaml | 2 +-
k8s/mafl/base/deployment.yaml | 2 +-
k8s/opengist/base/deployment.yaml | 2 +-
k8s/papra/base/deployment.yaml | 2 +-
.../overlays/production/kustomization.yaml | 2 +-
k8s/subscription-manager/base/deployment.yaml | 2 +-
.../all-in-one/cronjob-all-in-one.yaml | 2 +-
k8s/vault/export-and-backup/base/cronjob.yaml | 2 +-
.../overlays/ionos.com/cronjob-patch.yaml | 4 ++--
.../truenas.tryrocket.cloud/cronjob-patch.yaml | 2 +-
.../vault-export-and-backup-cronjob.yaml | 6 +++---
.../export-and-backup-cronjob-3.yaml | 10 +++++-----
.../export-and-backup-cronjob.yaml | 18 +++++++++---------
.../export-and-backup/all-in-one-cronjob.yaml | 2 +-
.../backup-config/cronjob.yaml | 4 ++--
.../backup-config/ionos.com/cronjob-patch.yaml | 2 +-
.../truenas.tryrocket.cloud/cronjob-patch.yaml | 2 +-
toolkit/Dockerfile | 2 +-
32 files changed, 57 insertions(+), 57 deletions(-)
diff --git a/.github/workflows/build-toolkit-docker-image.yaml b/.github/workflows/build-toolkit-docker-image.yaml
index 3a48f903b..35db6a976 100644
--- a/.github/workflows/build-toolkit-docker-image.yaml
+++ b/.github/workflows/build-toolkit-docker-image.yaml
@@ -19,20 +19,20 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2 - name: Log in to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push Docker image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 with: context: toolkit/ push: true @@ -41,7 +41,7 @@ jobs: ghcr.io/${{ github.repository }}:toolkit-${{ github.sha }} - name: Build and push Docker image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 with: context: immich/ push: true diff --git a/backup/Dockerfile b/backup/Dockerfile index 7eb7026f3..10f6a6763 100644 --- a/backup/Dockerfile +++ b/backup/Dockerfile @@ -1,4 +1,4 @@ -FROM debian:trixie-slim +FROM debian:trixie-slim@sha256:28de0877c2189802884ccd20f15ee41c203573bd87bb6b883f5f46362d24c5c2 RUN apt-get update && \ apt-get install -y wget ca-certificates tar just restic ansible unzip && \ diff --git a/docker/caddy/docker-compose.yaml b/docker/caddy/docker-compose.yaml index 37aa6fbd4..5981b56c1 100644 --- a/docker/caddy/docker-compose.yaml +++ b/docker/caddy/docker-compose.yaml @@ -1,6 +1,6 @@ services: caddy: - image: ghcr.io/caddybuilds/caddy-cloudflare:latest + image: ghcr.io/caddybuilds/caddy-cloudflare:latest@sha256:62639363ceb043393da9c3895d7c97a9a49ccf840bea0cc7e6479465d12ade96 container_name: caddy restart: unless-stopped ports: diff --git a/docker/immich/docker-compose.yaml b/docker/immich/docker-compose.yaml index 41f9e8db0..86d79b441 100644 --- a/docker/immich/docker-compose.yaml 
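Review bot: GitHub resolves only the 40-character SHA in each of the four pinned `uses:` lines; the trailing `# v4`, `# v2`, `# v3` and `# v6` comments are not checked by anything, so the mapping from SHA to release is taken on trust from the bot. Before merging, confirm that each SHA is the commit the upstream repository's tag points to, for example `actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5` against the `v4` tag. The comments also name only the major version; writing the full release in the comment, in the form `# v4.x.y`, would make later update diffs readable. The second hunk in this file repeats the `docker/build-push-action` pin and the same check applies there.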
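Review bot: The digest on the `FROM debian:trixie-slim@sha256:…` line fixes the base layers, but the `RUN apt-get update && apt-get install -y …` step that follows still installs whatever package versions the Debian mirrors serve at build time, so two builds from this Dockerfile can still differ. If reproducible images are the goal of the pin, either pin the package versions or record the limit in a comment above the RUN step, such as `# base image is pinned by digest; apt packages are not version-pinned`. The same applies to the `FROM` changes in immich/Dockerfile and toolkit/Dockerfile. The RUN instruction continues outside the hunk.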
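Review bot: In `image: ghcr.io/caddybuilds/caddy-cloudflare:latest@sha256:…` the digest decides what is pulled and the `latest` tag is only a label, so the line no longer tells a reader which release is running. Replacing `latest` with the release tag the digest corresponds to, in the form `image: ghcr.io/caddybuilds/caddy-cloudflare:<VERSION>@sha256:<DIGEST>`, keeps the pin and lets the update bot propose versioned upgrades instead of opaque digest bumps. The same `latest@sha256:` form appears in the kestra, portainer, linkding, mafl (k8s), opengist, papra, subscription-manager, medusa and aws-cli hunks of this patch.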
+++ b/docker/immich/docker-compose.yaml @@ -14,7 +14,7 @@ services: UMASK_SET: "002" healthcheck: disable: false - image: ghcr.io/immich-app/immich-machine-learning:v1.138.0 + image: ghcr.io/immich-app/immich-machine-learning:v1.138.0@sha256:25fca00128f10444303c93829516927bd14804ccbe9b7450eb41c64c722c5ac4 platform: linux/amd64 privileged: false restart: unless-stopped @@ -30,7 +30,7 @@ services: nocopy: false database: - image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0-pgvectors0.2.0 + image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0-pgvectors0.2.0@sha256:c570d9e1c2494f65d2a0a379a7f6df66e8441964254a30aa62cc58e8ebf1dee0 environment: NVIDIA_VISIBLE_DEVICES: void POSTGRES_DB: ${POSTGRES_DB} @@ -52,7 +52,7 @@ services: type: bind pgvecto: - image: tensorchord/pgvecto-rs:pg15-v0.2.0 + image: tensorchord/pgvecto-rs:pg15-v0.2.0@sha256:104a26ad4d0446c54a46d3a694c6193ef018c5ad4f9d9faf7765ab09cb9ffe06 cap_drop: - ALL environment: @@ -161,7 +161,7 @@ services: UMASK_SET: "002" healthcheck: disable: false - image: ghcr.io/immich-app/immich-server:v1.138.0 + image: ghcr.io/immich-app/immich-server:v1.138.0@sha256:12cee930e2cc211a95acae12ad780c0b2eecaea0479a06e255c73a4deb0b3efb #platform: linux/amd64 #ports: # - mode: ingress @@ -227,7 +227,7 @@ services: - "traefik.http.services.immich-dashboard.loadbalancer.server.port=30041" traefik: - image: traefik:v3.5.0 + image: traefik:v3.5.0@sha256:4e7175cfe19be83c6b928cae49dde2f2788fb307189a4dc9550b67acf30c11a5 container_name: traefik restart: unless-stopped #read_only: true diff --git a/docker/kestra/docker-compose.yml b/docker/kestra/docker-compose.yml index c689ab818..44c5e93ff 100644 --- a/docker/kestra/docker-compose.yml +++ b/docker/kestra/docker-compose.yml @@ -8,7 +8,7 @@ volumes: services: postgres: - image: postgres + image: postgres@sha256:4aabea78cf39b90e834caf3af7d602a18565f6fe2508705c8d01aa63245c2e20 volumes: - postgres-data:/var/lib/postgresql/data environment: 
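Review bot: `image: postgres@sha256:…` in docker/kestra/docker-compose.yml pins a digest with no tag, so the pin follows whatever the default tag pointed at and a later digest update can move to a new PostgreSQL major version. The service mounts `postgres-data:/var/lib/postgresql/data`, and a data directory initialised by one major version is not usable by the next without a dump and restore or `pg_upgrade`. Put the major version in front of the digest, `image: postgres:<MAJOR>@sha256:<DIGEST>`, so updates stay within one major line. Other untagged pins in this patch are `hywax/mafl`, `ghcr.io/pocket-id/pocket-id`, `curlimages/curl`, and the `teardown` container's `alpine`, which resolves to a different digest than the `alpine:3.21` used earlier in the same CronJob.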
@@ -22,7 +22,7 @@ services: retries: 10 kestra: - image: kestra/kestra:latest + image: kestra/kestra:latest@sha256:956f128e7ed6665feb56eb007f4939514c5b25ed0500c74d405f11be1a6ac090 pull_policy: always # Note that this setup with a root user is intended for development purpose. # Our base image runs without root, but the Docker Compose implementation needs root to access the Docker socket diff --git a/docker/mafl/docker-compose.yaml b/docker/mafl/docker-compose.yaml index ffb516f40..8f128f145 100644 --- a/docker/mafl/docker-compose.yaml +++ b/docker/mafl/docker-compose.yaml @@ -1,6 +1,6 @@ services: mafl: - image: hywax/mafl + image: hywax/mafl@sha256:2c89020be334b341da41a6b95830b1b52b1b9f43c9f16d09c0ab4e9dad3ea4ad container_name: mafl restart: unless-stopped volumes: diff --git a/docker/minio/docker-compose.yaml b/docker/minio/docker-compose.yaml index 9240a4eba..e8b3b1e11 100644 --- a/docker/minio/docker-compose.yaml +++ b/docker/minio/docker-compose.yaml @@ -1,6 +1,6 @@ services: minio: - image: quay.io/minio/minio:RELEASE.2025-03-12T18-04-18Z + image: quay.io/minio/minio:RELEASE.2025-03-12T18-04-18Z@sha256:46b3009bf7041eefbd90bd0d2b38c6ddc24d20a35d609551a1802c558c1c958f command: server /data --console-address ":9002" restart: unless-stopped ports: diff --git a/docker/pocket-id/docker-compose.yaml b/docker/pocket-id/docker-compose.yaml index ebe9b86c7..654d4585a 100644 --- a/docker/pocket-id/docker-compose.yaml +++ b/docker/pocket-id/docker-compose.yaml @@ -1,6 +1,6 @@ services: pocket-id: - image: ghcr.io/pocket-id/pocket-id + image: ghcr.io/pocket-id/pocket-id@sha256:a2a38a96699d7483d65b5849b015d954f294938306a03a9c0699bc5b79554e86 container_name: pocket-id restart: unless-stopped environment: diff --git a/docker/portainer/docker-compose.yaml b/docker/portainer/docker-compose.yaml index e92577810..46900101b 100644 --- a/docker/portainer/docker-compose.yaml +++ b/docker/portainer/docker-compose.yaml 
@@ -1,6 +1,6 @@ services: portainer: - image: portainer/portainer-ce:latest + image: portainer/portainer-ce:latest@sha256:5f9b4bda5582fc72c07d730f86168205f4042d82c9cde011c9146b12496e4625 container_name: portainer restart: unless-stopped ports: diff --git a/docker/semaphore/docker-compose.yaml b/docker/semaphore/docker-compose.yaml index 670820b9e..bcc2e7da6 100644 --- a/docker/semaphore/docker-compose.yaml +++ b/docker/semaphore/docker-compose.yaml @@ -1,6 +1,6 @@ services: semaphore: - image: semaphoreui/semaphore:v2.13.1 + image: semaphoreui/semaphore:v2.13.1@sha256:db69c024e924bd2ac158b1e5e3534d1d7b60dc22ea232b050ec7eee28af34471 container_name: semaphore environment: TZ: Europe/Berlin diff --git a/docker/upsnap/docker-compose.yaml b/docker/upsnap/docker-compose.yaml index 2696c2474..fee439a5e 100644 --- a/docker/upsnap/docker-compose.yaml +++ b/docker/upsnap/docker-compose.yaml @@ -1,7 +1,7 @@ services: upsnap: container_name: upsnap - image: ghcr.io/seriousm4x/upsnap:5 + image: ghcr.io/seriousm4x/upsnap:5@sha256:92ac19e946e2a4fffbd5049ff230485cbceacd002696a9ca8d4f5449f27d7c5d network_mode: host restart: unless-stopped volumes: diff --git a/immich/Dockerfile b/immich/Dockerfile index b55112cd1..3891163f1 100644 --- a/immich/Dockerfile +++ b/immich/Dockerfile @@ -1,4 +1,4 @@ -FROM debian:trixie-slim +FROM debian:trixie-slim@sha256:28de0877c2189802884ccd20f15ee41c203573bd87bb6b883f5f46362d24c5c2 RUN apt-get update && \ apt-get install -y \ diff --git a/k8s/linkding/base/deployment.yaml b/k8s/linkding/base/deployment.yaml index 70f1798d8..c59b86e0e 100644 --- a/k8s/linkding/base/deployment.yaml +++ b/k8s/linkding/base/deployment.yaml @@ -17,7 +17,7 @@ spec: spec: containers: - name: linkding - image: sissbruecker/linkding:latest + image: sissbruecker/linkding:latest@sha256:61b2eb9eed8e5772a473fb7f1f8923e046cb8cbbeb50e88150afd5ff287d4060 imagePullPolicy: IfNotPresent ports: - containerPort: 9090 
diff --git a/k8s/lldap/base/deployment.yaml b/k8s/lldap/base/deployment.yaml index 16694f9fd..95ff4e270 100644 --- a/k8s/lldap/base/deployment.yaml +++ b/k8s/lldap/base/deployment.yaml @@ -17,7 +17,7 @@ spec: spec: containers: - name: lldap - image: lldap/lldap:stable-alpine + image: lldap/lldap:stable-alpine@sha256:2a8454b668c1aba7157e832eab0e242e1e7eb5fb7591d7e7774ba05286511ca8 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/k8s/lldap/overlays/production/kustomization.yaml b/k8s/lldap/overlays/production/kustomization.yaml index a69bdb728..3079488c7 100644 --- a/k8s/lldap/overlays/production/kustomization.yaml +++ b/k8s/lldap/overlays/production/kustomization.yaml @@ -12,4 +12,4 @@ namespace: lldap images: - name: lldap/lldap:latest - newTag: stable + newTag: stable@sha256:2a8454b668c1aba7157e832eab0e242e1e7eb5fb7591d7e7774ba05286511ca8 diff --git a/k8s/mafl/base/deployment.yaml b/k8s/mafl/base/deployment.yaml index c8fc12e8c..7f027b0b3 100644 --- a/k8s/mafl/base/deployment.yaml +++ b/k8s/mafl/base/deployment.yaml @@ -22,7 +22,7 @@ spec: spec: containers: - name: mafl - image: hywax/mafl:latest + image: hywax/mafl:latest@sha256:2c89020be334b341da41a6b95830b1b52b1b9f43c9f16d09c0ab4e9dad3ea4ad imagePullPolicy: IfNotPresent ports: - containerPort: 3000 diff --git a/k8s/opengist/base/deployment.yaml b/k8s/opengist/base/deployment.yaml index de00a47d6..f6be9b1ff 100644 --- a/k8s/opengist/base/deployment.yaml +++ b/k8s/opengist/base/deployment.yaml @@ -18,7 +18,7 @@ spec: dnsPolicy: ClusterFirst containers: - name: opengist - image: ghcr.io/thomiceli/opengist:latest + image: ghcr.io/thomiceli/opengist:latest@sha256:dddc26031d1320ebb4bc5b913b3c42a9cb84c7528192d387f99ddcbbe57b0085 imagePullPolicy: IfNotPresent env: - name: TZ diff --git a/k8s/papra/base/deployment.yaml b/k8s/papra/base/deployment.yaml index eb77edabe..f64ede6e6 100644 --- a/k8s/papra/base/deployment.yaml +++ b/k8s/papra/base/deployment.yaml 
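Review bot: `newTag: stable@sha256:…` in k8s/lldap/overlays/production/kustomization.yaml puts a digest inside the tag field, while Kustomize's `images` entries have a separate `digest` field for this; it is not obvious from the patch how the combined value is rendered. Run `kustomize build` on the overlay and check the resulting image reference, or move the value to `digest: sha256:<DIGEST>`. The entry's `name: lldap/lldap:latest` also contains a tag while the base deployment now uses `lldap/lldap:stable-alpine@sha256:…`, so it is worth confirming that the override matches the base image at all. The papra overlay gets the same `newTag: latest@sha256:…` form.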
@@ -18,7 +18,7 @@ spec: dnsPolicy: ClusterFirst containers: - name: papra - image: ghcr.io/papra-hq/papra:latest + image: ghcr.io/papra-hq/papra:latest@sha256:a7a42e228f73f229d1e2dcd53de7b67503f1756d1aa3a894ab175dba8030c0e8 imagePullPolicy: IfNotPresent env: - name: TZ diff --git a/k8s/papra/overlays/production/kustomization.yaml b/k8s/papra/overlays/production/kustomization.yaml index 4411c1701..0a7e4f748 100644 --- a/k8s/papra/overlays/production/kustomization.yaml +++ b/k8s/papra/overlays/production/kustomization.yaml @@ -10,4 +10,4 @@ resources: # https://github.com/thomiceli/opengist/releases images: - name: ghcr.io/papra-hq/papra - newTag: latest + newTag: latest@sha256:a7a42e228f73f229d1e2dcd53de7b67503f1756d1aa3a894ab175dba8030c0e8 diff --git a/k8s/subscription-manager/base/deployment.yaml b/k8s/subscription-manager/base/deployment.yaml index 081e9b2ac..039fe3fd7 100644 --- a/k8s/subscription-manager/base/deployment.yaml +++ b/k8s/subscription-manager/base/deployment.yaml @@ -22,7 +22,7 @@ spec: spec: containers: - name: subscription-manager - image: dh1011/subscription-manager:latest + image: dh1011/subscription-manager:latest@sha256:c31e59992cc445236e48260ed5a6574d083856926a1a9c50be28b2b71b8e50bc imagePullPolicy: IfNotPresent ports: - containerPort: 3000 diff --git a/k8s/vault/export-and-backup/all-in-one/cronjob-all-in-one.yaml b/k8s/vault/export-and-backup/all-in-one/cronjob-all-in-one.yaml index 7df3dfbeb..7adc26c41 100644 --- a/k8s/vault/export-and-backup/all-in-one/cronjob-all-in-one.yaml +++ b/k8s/vault/export-and-backup/all-in-one/cronjob-all-in-one.yaml @@ -17,7 +17,7 @@ spec: restartPolicy: Never containers: - name: backup-vault-export - image: ghcr.io/tryrocket-cloud/home-ops:toolkit + image: ghcr.io/tryrocket-cloud/home-ops:toolkit@sha256:8397d0087e2213c0d6a10af0d1caf53159c01852c71eebfb7100508187883ba8 imagePullPolicy: Always env: - name: RESTIC_CACHE_DIR 
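Review bot: With `image: ghcr.io/tryrocket-cloud/home-ops:toolkit@sha256:…` in cronjob-all-in-one.yaml the container stays on one build, so the `imagePullPolicy: Always` on the next line no longer picks up new pushes of the `toolkit` tag. This looks like the image built by this repository's own workflow; if so, a fix to the backup tooling will not reach this CronJob until the digest is bumped in a follow-up change. Either accept that and set `imagePullPolicy: IfNotPresent`, or exclude first-party images from digest pinning. The same applies to the `ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:…` containers in the vault and vaultwarden backup hunks and to k8s/vaultwarden/export-and-backup/all-in-one-cronjob.yaml.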
diff --git a/k8s/vault/export-and-backup/base/cronjob.yaml b/k8s/vault/export-and-backup/base/cronjob.yaml index 293275d48..f18a220b6 100644 --- a/k8s/vault/export-and-backup/base/cronjob.yaml +++ b/k8s/vault/export-and-backup/base/cronjob.yaml @@ -15,7 +15,7 @@ spec: restartPolicy: Never initContainers: - name: export-hashicorp-vault - image: ghcr.io/jonasvinther/medusa:latest + image: ghcr.io/jonasvinther/medusa:latest@sha256:bc4696d3328bed5a0712318d643766e36c87d2ae836d14170d010df6abf0447d imagePullPolicy: IfNotPresent command: ["./medusa", "export", "$(VAULT_PATH)", "-o", "/export/vault-export.json"] env: diff --git a/k8s/vault/export-and-backup/overlays/ionos.com/cronjob-patch.yaml b/k8s/vault/export-and-backup/overlays/ionos.com/cronjob-patch.yaml index 9291037ce..be55d3fe9 100644 --- a/k8s/vault/export-and-backup/overlays/ionos.com/cronjob-patch.yaml +++ b/k8s/vault/export-and-backup/overlays/ionos.com/cronjob-patch.yaml @@ -11,7 +11,7 @@ spec: spec: containers: - name: ionos-com-objectstorage-eu-central-3-s3-kopia-backup - image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup + image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:4c4de26939eefb64f6a91430b38760f2364fda65e5ec3c787eb79fc4e53a6a36 imagePullPolicy: Always env: - name: EXPORT_JSON @@ -60,7 +60,7 @@ spec: mountPath: /export readOnly: true - name: ionos-com-objectstorage-eu-central-3-s3-restic-backup - image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup + image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:4c4de26939eefb64f6a91430b38760f2364fda65e5ec3c787eb79fc4e53a6a36 imagePullPolicy: Always env: - name: EXPORT_JSON diff --git a/k8s/vault/export-and-backup/overlays/truenas.tryrocket.cloud/cronjob-patch.yaml b/k8s/vault/export-and-backup/overlays/truenas.tryrocket.cloud/cronjob-patch.yaml index 16f8e5980..281d0f99e 100644 --- a/k8s/vault/export-and-backup/overlays/truenas.tryrocket.cloud/cronjob-patch.yaml 
+++ b/k8s/vault/export-and-backup/overlays/truenas.tryrocket.cloud/cronjob-patch.yaml @@ -11,7 +11,7 @@ spec: spec: containers: - name: truenas-tryrocket-cloud-objectstorage-backup - image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup + image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:4c4de26939eefb64f6a91430b38760f2364fda65e5ec3c787eb79fc4e53a6a36 imagePullPolicy: Always env: - name: VAULT_EXPORT_JSON diff --git a/k8s/vault/export-and-backup/vault-export-and-backup-cronjob.yaml b/k8s/vault/export-and-backup/vault-export-and-backup-cronjob.yaml index d48fff071..909ec9488 100644 --- a/k8s/vault/export-and-backup/vault-export-and-backup-cronjob.yaml +++ b/k8s/vault/export-and-backup/vault-export-and-backup-cronjob.yaml @@ -17,7 +17,7 @@ spec: restartPolicy: Never initContainers: - name: export-hashicorp-vault - image: ghcr.io/jonasvinther/medusa:latest + image: ghcr.io/jonasvinther/medusa:latest@sha256:bc4696d3328bed5a0712318d643766e36c87d2ae836d14170d010df6abf0447d imagePullPolicy: IfNotPresent command: ["./medusa", "export", "$(VAULT_PATH)", "-o", "/export/vault-export.json"] env: @@ -36,7 +36,7 @@ spec: containers: - name: ionos-com-objectstorage-eu-central-3-s3-kopia-backup - image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup + image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:4c4de26939eefb64f6a91430b38760f2364fda65e5ec3c787eb79fc4e53a6a36 imagePullPolicy: Always env: - name: EXPORT_JSON @@ -85,7 +85,7 @@ spec: # - name: backup-cache-volume # mountPath: /cache - name: ionos-com-objectstorage-eu-central-3-s3-restic-backup - image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup + image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:4c4de26939eefb64f6a91430b38760f2364fda65e5ec3c787eb79fc4e53a6a36 imagePullPolicy: Always env: - name: EXPORT_JSON diff --git a/k8s/vaultwarden/export-and-backup-2/export-and-backup-cronjob-3.yaml b/k8s/vaultwarden/export-and-backup-2/export-and-backup-cronjob-3.yaml index 00ec23473..6dbb2873d 100644 
--- a/k8s/vaultwarden/export-and-backup-2/export-and-backup-cronjob-3.yaml +++ b/k8s/vaultwarden/export-and-backup-2/export-and-backup-cronjob-3.yaml @@ -42,7 +42,7 @@ spec: initContainers: - name: vaultwarden-export - image: ghcr.io/tryrocket-cloud/home-ops:toolkit-38dfa08a823162b91b8b4b579a025a471c475a33 + image: ghcr.io/tryrocket-cloud/home-ops:toolkit-38dfa08a823162b91b8b4b579a025a471c475a33@sha256:0bfead9e4ae9f6b86fc8b14f89cc8a396909dbc9a08acc7246cd60892a3ced84 imagePullPolicy: IfNotPresent env: - name: TZ @@ -134,7 +134,7 @@ spec: echo "All jobs finished!" - name: restic-s3-policy - image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a + image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a@sha256:2a9ba7ee98f0af4a7fbad3ef11e8acb388024c2e95936c825fae014b9c8da164 imagePullPolicy: IfNotPresent env: - name: TZ @@ -177,7 +177,7 @@ spec: containers: - name: restic-ionos-backup - image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a + image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a@sha256:2a9ba7ee98f0af4a7fbad3ef11e8acb388024c2e95936c825fae014b9c8da164 imagePullPolicy: IfNotPresent env: - name: TZ @@ -236,7 +236,7 @@ spec: run_restic_backup - name: kopia-ionos-backup - image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a + image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a@sha256:2a9ba7ee98f0af4a7fbad3ef11e8acb388024c2e95936c825fae014b9c8da164 imagePullPolicy: IfNotPresent env: - name: TZ 
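Review bot: The `vaultwarden-export` init container is pinned to `home-ops:toolkit-38dfa08a…` while the four other containers in this CronJob (the hunks at old lines 134, 177, 236 and 302) are pinned to `home-ops:toolkit-ac3e21ca…`, so the export step runs a different toolkit build than the policy and backup steps. Adding digests freezes that split. If the difference is intentional, a comment above the image line such as `# export step intentionally stays on the older toolkit build` would record it; otherwise align the tag and digest with the other containers.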
@@ -302,7 +302,7 @@ spec: run_kopia_backup - name: deny-all-s3-policy - image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a + image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a@sha256:2a9ba7ee98f0af4a7fbad3ef11e8acb388024c2e95936c825fae014b9c8da164 volumeMounts: - name: signals mountPath: /signals diff --git a/k8s/vaultwarden/export-and-backup-2/export-and-backup-cronjob.yaml b/k8s/vaultwarden/export-and-backup-2/export-and-backup-cronjob.yaml index 2fbd17692..55a3ae7ef 100644 --- a/k8s/vaultwarden/export-and-backup-2/export-and-backup-cronjob.yaml +++ b/k8s/vaultwarden/export-and-backup-2/export-and-backup-cronjob.yaml @@ -49,7 +49,7 @@ spec: initContainers: - name: healthcheck-start - image: curlimages/curl + image: curlimages/curl@sha256:7c12af72ceb38b7432ab85e1a265cff6ae58e06f95539d539b654f2cfa64bb13 envFrom: - secretRef: name: healthchecksio @@ -60,7 +60,7 @@ spec: curl -fsS -m 10 --retry 5 https://hc-ping.com/$HC_UUID/start - name: get-vaultwarden-version - image: alpine:3.21 + image: alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d env: - name: VAULTWARDEN_HOST value: vaultwarden.tryrocket.cloud @@ -88,7 +88,7 @@ spec: mountPath: /export - name: export-2967ac9f-f0e5-4881-8be5-9d08371a167a - image: debian:bookworm-slim + image: debian:bookworm-slim@sha256:60eac759739651111db372c07be67863818726f754804b8707c90979bda511df env: - name: VAULTWARDEN_HOST value: vaultwarden.tryrocket.cloud @@ -139,7 +139,7 @@ spec: mountPath: /export - name: encrypt-with-age - image: alpine:3.21 + image: alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d env: - name: VAULTWARDEN_USER_ID value: 2967ac9f-f0e5-4881-8be5-9d08371a167a 
@@ -178,7 +178,7 @@ spec: mountPath: /export - name: configure-s3-access-allowance - image: public.ecr.aws/aws-cli/aws-cli:latest + image: public.ecr.aws/aws-cli/aws-cli:latest@sha256:177c3f33d8b4b3d531a857b54289e8b101790ea9016c78431c417d8e681e7b2e command: ["/bin/sh","-c"] args: - | @@ -208,7 +208,7 @@ spec: readOnly: true - name: restic - image: restic/restic:0.18.0 + image: restic/restic:0.18.0@sha256:4cf4a61ef9786f4de53e9de8c8f5c040f33830eb0a10bf3d614410ee2fcb6120 envFrom: - secretRef: name: restic @@ -244,7 +244,7 @@ spec: mountPath: /export - name: configure-s3-access-block - image: public.ecr.aws/aws-cli/aws-cli:latest + image: public.ecr.aws/aws-cli/aws-cli:latest@sha256:177c3f33d8b4b3d531a857b54289e8b101790ea9016c78431c417d8e681e7b2e command: ["/bin/sh","-c"] args: - | @@ -273,7 +273,7 @@ spec: readOnly: true - name: healthcheck-ping - image: curlimages/curl + image: curlimages/curl@sha256:7c12af72ceb38b7432ab85e1a265cff6ae58e06f95539d539b654f2cfa64bb13 envFrom: - secretRef: name: healthchecksio @@ -285,5 +285,5 @@ spec: containers: - name: teardown - image: alpine + image: alpine@sha256:28bd5fe8b56d1bd048e5babf5b10710ebe0bae67db86916198a6eec434943f8b command: ["sh","-c","echo backup done!"] \ No newline at end of file diff --git a/k8s/vaultwarden/export-and-backup/all-in-one-cronjob.yaml b/k8s/vaultwarden/export-and-backup/all-in-one-cronjob.yaml index e01eed4cc..c4352c053 100644 --- a/k8s/vaultwarden/export-and-backup/all-in-one-cronjob.yaml +++ b/k8s/vaultwarden/export-and-backup/all-in-one-cronjob.yaml @@ -17,7 +17,7 @@ spec: restartPolicy: Never containers: - name: test-restic-backup - image: ghcr.io/tryrocket-cloud/home-ops:toolkit + image: ghcr.io/tryrocket-cloud/home-ops:toolkit@sha256:8397d0087e2213c0d6a10af0d1caf53159c01852c71eebfb7100508187883ba8 imagePullPolicy: Always env: - name: RESTIC_CACHE_DIR 
diff --git a/k8s/vaultwarden/export-and-backup/backup-config/cronjob.yaml b/k8s/vaultwarden/export-and-backup/backup-config/cronjob.yaml index fa66a5406..da3fa3e3b 100644 --- a/k8s/vaultwarden/export-and-backup/backup-config/cronjob.yaml +++ b/k8s/vaultwarden/export-and-backup/backup-config/cronjob.yaml @@ -15,7 +15,7 @@ spec: restartPolicy: Never initContainers: - name: get-vaultwarden-version - image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup + image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:4c4de26939eefb64f6a91430b38760f2364fda65e5ec3c787eb79fc4e53a6a36 command: ["/bin/sh", "-c"] args: - | @@ -46,7 +46,7 @@ spec: - name: vaultwarden-export-volume mountPath: /export - name: export-vaultwarden-user-vault - image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup + image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:4c4de26939eefb64f6a91430b38760f2364fda65e5ec3c787eb79fc4e53a6a36 imagePullPolicy: Always env: - name: NODE_NO_WARNINGS diff --git a/k8s/vaultwarden/export-and-backup/backup-config/ionos.com/cronjob-patch.yaml b/k8s/vaultwarden/export-and-backup/backup-config/ionos.com/cronjob-patch.yaml index 16d2e8ba8..0d3c3eb61 100644 --- a/k8s/vaultwarden/export-and-backup/backup-config/ionos.com/cronjob-patch.yaml +++ b/k8s/vaultwarden/export-and-backup/backup-config/ionos.com/cronjob-patch.yaml @@ -11,7 +11,7 @@ spec: spec: containers: - name: ionos-com-objectstorage-eu-central-3-s3-kopia-backup - image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup + image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:4c4de26939eefb64f6a91430b38760f2364fda65e5ec3c787eb79fc4e53a6a36 imagePullPolicy: Always env: - name: VAULTWARDEN_EXPORT_JSON diff --git a/k8s/vaultwarden/export-and-backup/backup-config/overlays/truenas.tryrocket.cloud/cronjob-patch.yaml b/k8s/vaultwarden/export-and-backup/backup-config/overlays/truenas.tryrocket.cloud/cronjob-patch.yaml index 47d5597e9..b28844450 100644 
--- a/k8s/vaultwarden/export-and-backup/backup-config/overlays/truenas.tryrocket.cloud/cronjob-patch.yaml +++ b/k8s/vaultwarden/export-and-backup/backup-config/overlays/truenas.tryrocket.cloud/cronjob-patch.yaml @@ -11,7 +11,7 @@ spec: spec: containers: - name: truenas-tryrocket-cloud-objectstorage-backup - image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup + image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:4c4de26939eefb64f6a91430b38760f2364fda65e5ec3c787eb79fc4e53a6a36 imagePullPolicy: Always env: - name: VAULTWARDEN_EXPORT_JSON diff --git a/toolkit/Dockerfile b/toolkit/Dockerfile index 6886ea0bc..85d28d761 100644 --- a/toolkit/Dockerfile +++ b/toolkit/Dockerfile @@ -1,4 +1,4 @@ -FROM debian:bookworm-slim +FROM debian:bookworm-slim@sha256:60eac759739651111db372c07be67863818726f754804b8707c90979bda511df ENV DEBIAN_FRONTEND=noninteractive