diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a5d7f0a..d093d3d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -26,11 +26,11 @@ jobs: any: ${{ steps.yaml_changes.outputs.any_changed }} steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: fetch-depth: 0 - name: Check Docker - uses: tj-actions/changed-files@v47 + uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47 id: docker_changes with: files: | @@ -40,7 +40,7 @@ jobs: docker-compose*.yml .dockerignore - name: Check Shell - uses: tj-actions/changed-files@v47 + uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47 id: shell_changes with: files: | @@ -49,12 +49,12 @@ jobs: **/*.zsh scripts/** - name: Check Workflows - uses: tj-actions/changed-files@v47 + uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47 id: workflow_changes with: files: .github/workflows/** - name: Check YAML - uses: tj-actions/changed-files@v47 + uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47 id: yaml_changes with: files: | @@ -89,9 +89,9 @@ jobs: pull-requests: write steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Lint - uses: reviewdog/action-shellcheck@v1.32 + uses: reviewdog/action-shellcheck@4c07458293ac342d477251099501a718ae5ef86e # v1.32 with: github_token: ${{ secrets.GITHUB_TOKEN }} level: ${{ env.REVIEWDOG_LEVEL }} @@ -99,7 +99,7 @@ jobs: filter_mode: ${{ env.REVIEWDOG_FILTER_MODE }} fail_level: ${{ env.REVIEWDOG_FAIL_LEVEL }} - name: Format - uses: reviewdog/action-shfmt@v1.0.4 + uses: reviewdog/action-shfmt@d8f080930b9be5847b4f97e9f4122b81a82aaeac # v1.0.4 with: github_token: ${{ secrets.GITHUB_TOKEN }} level: ${{ env.REVIEWDOG_LEVEL }} 
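Review bot: The trailing comments on the new pins in the first hunk (`# v5` on actions/checkout, `# v47` on tj-actions/changed-files) name only a major, so a reader cannot check that `93cb6efe…` or `24d32ffd…` is the commit a published release actually points to, and the comment is not enforced by the runner — it silently goes stale the next time the SHA is bumped. Record the exact release tag the SHA was resolved from (the `# v1.32` form the reviewdog pins in the same file already use) and add a pin checker to CI that fails the run when comment and SHA disagree, so the mapping is verified rather than trusted on sight. SHA pinning only defends against a retagged or force-pushed tag if the SHA was taken from the upstream release page and not from the mutable tag at the moment of writing; the commit message should say how these SHAs were obtained.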
@@ -115,7 +115,7 @@ jobs: pull-requests: write steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Validate uses: reviewdog/action-actionlint@f00ad0691526c10be4021a91b2510f0a769b14d0 # v1.68.0 with: @@ -134,9 +134,9 @@ jobs: pull-requests: write steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Lint - uses: reviewdog/action-hadolint@v1.50.2 + uses: reviewdog/action-hadolint@fc7ee4a9f71e521bc43e370819247b70e5327540 # v1.50.2 with: github_token: ${{ secrets.GITHUB_TOKEN }} level: ${{ env.REVIEWDOG_LEVEL }} @@ -155,9 +155,9 @@ jobs: pull-requests: write steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Lint - uses: reviewdog/action-yamllint@v1.21.0 + uses: reviewdog/action-yamllint@f01d8a48fd8d89f89895499fca2cff09f9e9e8c0 # v1.21.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} level: ${{ env.REVIEWDOG_LEVEL }} @@ -174,9 +174,9 @@ jobs: pull-requests: write steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Lint - uses: docker-compose-linter/dclint-github-action/reviewdog-action@v1.6.0 + uses: docker-compose-linter/dclint-github-action/reviewdog-action@18659f6a7956706cb67cf9c1ad5e55f4352cbc17 # v1.6.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} tool_name: dclint @@ -195,9 +195,9 @@ jobs: pull-requests: write steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Scan - uses: reviewdog/action-gitleaks@v1.8 + uses: reviewdog/action-gitleaks@2b7b5685e3e3eecddab5d30cfa04f18123031421 # v1.8 with: github_token: ${{ secrets.GITHUB_TOKEN }} level: error diff --git a/.github/workflows/cleanup.yml b/.github/workflows/cleanup.yml index ad64a0d..6b3dd41 100644 
--- a/.github/workflows/cleanup.yml +++ b/.github/workflows/cleanup.yml @@ -36,7 +36,7 @@ jobs: service: [unrealircd, atheme, unrealircd-webpanel] steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Setup Cleanup Parameters id: params run: | diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index e3090b1..39443cd 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -31,7 +31,7 @@ jobs: deployments: write steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Get Image Versions id: images run: | diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 56faaf7..ad0b5e8 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -24,11 +24,11 @@ jobs: docker: ${{ steps.docker_changes.outputs.any_changed }} steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: fetch-depth: 0 - name: Check Docker - uses: tj-actions/changed-files@v47 + uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47 id: docker_changes with: files: | @@ -52,12 +52,12 @@ jobs: service: [unrealircd, atheme, unrealircd-webpanel] steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Setup Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 - name: Extract metadata id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 with: images: irc-atl-chat-${{ matrix.service }} tags: | 
@@ -78,7 +78,7 @@ jobs: echo "version=$PR_VERSION" >> "$GITHUB_OUTPUT" echo "Generated PR version: $PR_VERSION" - name: Build ${{ matrix.service }} - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 timeout-minutes: 10 with: context: ./${{ matrix.service == 'unrealircd-webpanel' && 'src/frontend/webpanel' || matrix.service == 'unrealircd' && 'src/backend/unrealircd' || matrix.service == 'atheme' && 'src/backend/atheme' }} @@ -98,7 +98,7 @@ jobs: echo "✅ Docker build validation for ${{ matrix.service }} completed successfully" echo "🔍 Build cache updated for faster future builds" - name: Scan Containerfile ${{ matrix.service }} - uses: reviewdog/action-trivy@v1.14.0 + uses: reviewdog/action-trivy@a1e6d7dd5520369c076d7ce639a16442938535d8 # v1.14.0 continue-on-error: true with: github_token: ${{ github.token }} @@ -123,18 +123,18 @@ jobs: service: [unrealircd, atheme, unrealircd-webpanel] steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Setup Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 - name: Login to Registry - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Extract metadata id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-${{ matrix.service }} tags: | 
@@ -158,7 +158,7 @@ jobs: echo "version=$RELEASE_VERSION" >> "$GITHUB_OUTPUT" echo "Generated release version: $RELEASE_VERSION" - name: Build & Push ${{ matrix.service }} - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 timeout-minutes: 15 with: context: ./${{ matrix.service == 'unrealircd-webpanel' && 'src/frontend/webpanel' || matrix.service == 'unrealircd' && 'src/backend/unrealircd' || matrix.service == 'atheme' && 'src/backend/atheme' }} @@ -174,7 +174,7 @@ jobs: BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') - name: Scan Final Image ${{ matrix.service }} if: always() - uses: reviewdog/action-trivy@v1.14.0 + uses: reviewdog/action-trivy@a1e6d7dd5520369c076d7ce639a16442938535d8 # v1.14.0 continue-on-error: true with: github_token: ${{ github.token }} @@ -198,9 +198,9 @@ jobs: service: [unrealircd, atheme, unrealircd-webpanel] steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Clean Old Images ${{ matrix.service }} - uses: actions/delete-package-versions@v5 + uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5 with: package-name: irc-atl-chat-${{ matrix.service }} package-type: container diff --git a/.github/workflows/maintenance.yml b/.github/workflows/maintenance.yml index 309e582..a2a4909 100644 --- a/.github/workflows/maintenance.yml +++ b/.github/workflows/maintenance.yml @@ -41,11 +41,11 @@ jobs: issues: write steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: fetch-depth: 0 - name: Convert - uses: alstr/todo-to-issue-action@v5.1.13 + uses: alstr/todo-to-issue-action@c45b007d85c8edf3365b139a9d4c65793e7c674f # v5.1.13 with: CLOSE_ISSUES: true INSERT_ISSUE_URLS: true 
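Review bot: In the `@@ -174` hunk, `Scan Final Image` runs after `Build & Push` with `if: always()` and `continue-on-error: true`, so the image is already in the registry before Trivy looks at it and a failing scan cannot stop publication; pinning the action SHA does not change that ordering. If the scan is meant to gate releases, build with `push: false` (or `load: true`), scan the local tag, and push in a separate step only after the scan passes; if it is intentionally advisory, a comment next to `continue-on-error: true` such as `# advisory only: image is already pushed at this point` would stop the next reader from assuming it gates. The push step's `with:` block continues outside the hunk, so I cannot tell from here whether `push:` is conditional.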
@@ -71,7 +71,7 @@ jobs: service: [unrealircd, atheme, unrealircd-webpanel] steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Registry Size Check ${{ matrix.service }} id: registry_size run: | @@ -95,7 +95,7 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Clean Old Images ${{ matrix.service }} - uses: actions/delete-package-versions@v5 + uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5 with: package-name: irc-atl-chat-${{ matrix.service }} package-type: container @@ -133,7 +133,7 @@ jobs: packages: read steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: fetch-depth: 0 - name: Repository Health Summary diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 11decb6..995c64f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -22,7 +22,7 @@ jobs: is_prerelease: ${{ steps.version.outputs.is_prerelease }} steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: fetch-depth: 0 - name: Determine Version @@ -69,7 +69,7 @@ jobs: needs: [validate, wait] steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: fetch-depth: 0 - name: Generate Changelog @@ -110,7 +110,7 @@ jobs: } >> "$GITHUB_OUTPUT" fi - name: Create Release - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2 with: tag_name: ${{ needs.validate.outputs.version }} name: IRC.atl.chat Release ${{ needs.validate.outputs.version }} diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index d9df63b..71bca4c 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml 
@@ -20,11 +20,11 @@ jobs: yaml: ${{ steps.yaml_changes.outputs.any_changed }} steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: fetch-depth: 0 - name: Check Docker - uses: tj-actions/changed-files@v47 + uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47 id: docker_changes with: files: | @@ -33,14 +33,14 @@ jobs: compose.yaml docker-compose*.yml - name: Check Shell - uses: tj-actions/changed-files@v47 + uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47 id: shell_changes with: files: | **/*.sh scripts/** - name: Check YAML - uses: tj-actions/changed-files@v47 + uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47 id: yaml_changes with: files: | @@ -66,14 +66,14 @@ jobs: build-mode: none steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Initialize - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@45c373516f557556c15d420e3f5e0aa3d64366bc # v3 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} - name: Analyze - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@45c373516f557556c15d420e3f5e0aa3d64366bc # v3 with: category: /language:${{ matrix.language }} dependencies: @@ -85,9 +85,9 @@ jobs: pull-requests: write steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Review - uses: actions/dependency-review-action@v4 + uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4 with: fail-on-severity: high comment-summary-in-pr: always 
@@ -105,11 +105,11 @@ jobs: service: [unrealircd, atheme, unrealircd-webpanel] steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Setup Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 - name: Build for Security Scan - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 with: context: ./${{ matrix.service == 'unrealircd-webpanel' && 'src/frontend/webpanel' || matrix.service == 'unrealircd' && 'src/backend/unrealircd' || matrix.service == 'atheme' && 'src/backend/atheme' }} file: ./${{ matrix.service == 'unrealircd-webpanel' && 'src/frontend/webpanel/Containerfile' || matrix.service == 'unrealircd' && 'src/backend/unrealircd/Containerfile' || matrix.service == 'atheme' && 'src/backend/atheme/Containerfile' }} @@ -117,7 +117,7 @@ jobs: load: true tags: irc-atl-chat-${{ matrix.service }}:security-scan - name: Scan Container Image - uses: reviewdog/action-trivy@v1.14.0 + uses: reviewdog/action-trivy@a1e6d7dd5520369c076d7ce639a16442938535d8 # v1.14.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} trivy_command: image @@ -138,7 +138,7 @@ jobs: security-events: write steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Shell Script Security Analysis run: | echo "## 🔍 Shell Script Security Analysis" diff --git a/compose.yaml b/compose.yaml index e854342..0f801d6 100644 --- a/compose.yaml +++ b/compose.yaml @@ -164,7 +164,7 @@ services: # ============================================================================ ssl-monitor: # Image configuration - image: alpine:latest + image: alpine:latest@sha256:865b95f46d98cf867a156fe4a135ad3fe50d2056aa3f25ed31662dff6da4eb62 # Container configuration container_name: ssl-monitor 
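Review bot: In the compose.yaml hunk, once a digest is present the `latest` in `alpine:latest@sha256:865b…` is informational only — the engine pulls the digest and ignores the tag — so the line no longer tells a reader which Alpine release ssl-monitor is running, and tooling that refreshes digests by tag will keep following `latest` and can jump releases on the next bump. Replace the tag with the specific release the digest resolves to (check with `docker buildx imagetools inspect alpine@sha256:865b95f4…`), e.g. `image: alpine:<release>@sha256:865b95f46d98cf867a156fe4a135ad3fe50d2056aa3f25ed31662dff6da4eb62`, keeping the digest as the pin. The rest of the ssl-monitor service definition is outside the hunk.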
diff --git a/src/frontend/webpanel/Containerfile b/src/frontend/webpanel/Containerfile index aae10bb..ed4c7ee 100644 --- a/src/frontend/webpanel/Containerfile +++ b/src/frontend/webpanel/Containerfile @@ -1,5 +1,5 @@ # hadolint ignore=DL3006 -FROM composer/composer AS builder +FROM composer/composer@sha256:969fb900253c0e71645cf74257d6c9206304573e8b246d1bc57f8ac1d64e12f4 AS builder WORKDIR /app @@ -8,7 +8,7 @@ RUN git clone --depth 1 https://github.com/unrealircd/unrealircd-webpanel.git . composer install --no-dev --optimize-autoloader # hadolint ignore=DL3006 -FROM trafex/php-nginx +FROM trafex/php-nginx@sha256:90665af9709e634ef3215c03dad3184a0656e860aecc468ef20737a507c76cd4 USER root
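Review bot: `FROM composer/composer@sha256:969f…` in the first hunk drops the tag entirely, so the builder stage records no human-readable version and digest-update tooling has no tag to key on when it decides what the next digest should be. Keep the digest but add the tag it was resolved from, `FROM composer/composer:<tag>@sha256:969fb900253c0e71645cf74257d6c9206304573e8b246d1bc57f8ac1d64e12f4 AS builder`. The `# hadolint ignore=DL3006` above it was written for the untagged form and may no longer be needed once a tag is present — worth re-running hadolint so the ignore does not outlive its reason.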
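Review bot: The base-image pins in the second hunk are undermined by the context line `RUN git clone --depth 1 https://github.com/unrealircd/unrealircd-webpanel.git .`, which checks out whatever the upstream default branch points to at build time, so two builds of the same Containerfile can ship different webpanel code, and the `composer install` that follows installs whatever that checkout's lockfile says. Pin the clone to a release and verify the commit, e.g. `ARG WEBPANEL_REF` and `ARG WEBPANEL_COMMIT` before the stage's first RUN, then `RUN git clone --depth 1 --branch "$WEBPANEL_REF" https://github.com/unrealircd/unrealircd-webpanel.git . && test "$(git rev-parse HEAD)" = "$WEBPANEL_COMMIT"`, so a moved tag fails the build instead of being trusted. A digest-pinned stage is only as reproducible as its least-pinned input.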