- Pin dependencies

.github/workflows/check-pr-title.yml

@@ -16,4 +16,4 @@ jobs:
     runs-on: ubuntu-22.04
 
     steps:
-      - uses: blumilksoftware/[email protected]
+      - uses: blumilksoftware/action-pr-title@e05fc76a1cc45b33644f1de51218be43ac121dd0 # v1.2.0

.github/workflows/deploy-to-beta-manually.yml

@@ -22,7 +22,7 @@ jobs:
         run: echo "BRANCH_NAME=$GITHUB_REF_NAME" >> $GITHUB_ENV
 
       - name: checkout
-        uses: actions/[email protected]
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           fetch-depth: 0
           ref: ${{ env.BRANCH_NAME }}
@@ -37,10 +37,10 @@ jobs:
         run: echo "DEPLOYMENT_PROJECT_VERSION=$(bash ./environment/prod/deployment/scripts/version.sh --long)" >> $GITHUB_ENV
 
       - name: set up Docker Buildx
-        uses: docker/[email protected]
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 
       - name: login to GitHub Container Registry
-        uses: docker/[email protected]
+        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
         with:
           registry: ${{ env.DOCKER_REGISTRY }}
           username: ${{ env.DOCKER_REGISTRY_USER_NAME }}
@@ -51,14 +51,14 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/[email protected]
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
         with:
           images: ${{ env.DOCKER_IMAGE_NAME }}
           tags: type=raw,value=beta
           context: git
 
       - name: build and push image
-        uses: docker/[email protected]
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
         with:
           context: .
           file: ./environment/prod/app/Dockerfile
@@ -70,7 +70,7 @@ jobs:
           cache-to: type=gha, ref=${{ env.DOCKER_IMAGE_NAME }}-beta-build-cache, mode=max
 
       - name: copy files via ssh
-        uses: appleboy/[email protected]
+        uses: appleboy/scp-action@917f8b81dfc1ccd331fef9e2d61bdc6c8be94634 # v0.1.7
         with:
           timeout: 10s
           command_timeout: 10m
@@ -84,7 +84,7 @@ jobs:
           rm: true
 
       - name: run deployment script over ssh
-        uses: appleboy/[email protected]
+        uses: appleboy/ssh-action@029f5b4aeeeb58fdfe1410a5d17f967dacf36262 # v1.0.3
         with:
           timeout: 10s
           command_timeout: 10m

.github/workflows/deploy-to-prod.yml

@@ -20,16 +20,16 @@ jobs:
       DOCKER_REGISTRY_PROJECT_NAME: ${{ github.event.repository.name }}
     steps:
       - name: checkout
-        uses: actions/[email protected]
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 
       - name: set deployment project version
         run: echo "DEPLOYMENT_PROJECT_VERSION=$(bash ./environment/prod/deployment/scripts/version.sh --long)" >> $GITHUB_ENV
 
       - name: set up Docker Buildx
-        uses: docker/[email protected]
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 
       - name: login to GitHub Container Registry
-        uses: docker/[email protected]
+        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
         with:
           registry: ${{ env.DOCKER_REGISTRY }}
           username: ${{ env.DOCKER_REGISTRY_USER_NAME }}
@@ -40,7 +40,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/[email protected]
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
         with:
           images: ${{ env.DOCKER_IMAGE_NAME }}
           tags: |
@@ -49,7 +49,7 @@ jobs:
           context: workflow
 
       - name: build and push image
-        uses: docker/[email protected]
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
         with:
           context: .
           file: ./environment/prod/app/Dockerfile
@@ -61,7 +61,7 @@ jobs:
           cache-to: type=gha, ref=${{ env.DOCKER_IMAGE_NAME }}-prod-build-cache, mode=max
 
       - name: copy files via ssh
-        uses: appleboy/[email protected]
+        uses: appleboy/scp-action@917f8b81dfc1ccd331fef9e2d61bdc6c8be94634 # v0.1.7
         with:
           timeout: 10s
           command_timeout: 10m
@@ -74,7 +74,7 @@ jobs:
           target: ${{ secrets.TOBY_VPS_LIVE_APP_PATH }}
           rm: true
 
-      - uses: appleboy/[email protected]
+      - uses: appleboy/ssh-action@029f5b4aeeeb58fdfe1410a5d17f967dacf36262 # v1.0.3
         with:
           timeout: 10s
           command_timeout: 10m

.github/workflows/run-command-on-beta.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: run php artisan command
-        uses: appleboy/[email protected]
+        uses: appleboy/ssh-action@029f5b4aeeeb58fdfe1410a5d17f967dacf36262 # v1.0.3
         with:
           timeout: 10s
           command_timeout: 10m

.github/workflows/test-and-lint-js.yml

@@ -23,17 +23,17 @@ jobs:
     runs-on: ubuntu-22.04
 
     steps:
-      - uses: actions/[email protected]
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 
       - name: Cache dependencies
-        uses: actions/[email protected]
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         with:
           path: node_modules
           key: ${{ runner.os }}-npm-dependencies-${{ hashFiles('package.lock') }}
           restore-keys: ${{ runner.os }}-npm-dependencies
 
       - name: Set up node
-        uses: actions/[email protected]
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
           node-version: 22
 

.github/workflows/test-and-lint-php.yml

@@ -24,7 +24,7 @@ jobs:
     runs-on: ubuntu-22.04
     services:
       pgsql:
-        image: postgres:15
+        image: postgres:15@sha256:4b4da96c37fefd6f28c3f58e7470bbc6d2cb34ac5641b9df7221d962eb4bc55d
         env:
           POSTGRES_DB: toby
           POSTGRES_USER: toby
@@ -34,20 +34,20 @@ jobs:
           - 5432:5432
 
     steps:
-      - uses: actions/[email protected]
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 
       - name: Validate composer.json and composer.lock
         run: composer validate
 
       - name: Cache dependencies
-        uses: actions/[email protected]
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         with:
           path: vendor
           key: ${{ runner.os }}-composer-dependencies-${{ hashFiles('composer.lock') }}
           restore-keys: ${{ runner.os }}-composer-dependencies
 
       - name: Setup PHP
-        uses: shivammathur/[email protected]
+        uses: shivammathur/setup-php@c665c7a15b5295c2488ac8a87af9cb806cd72198 # 2.30.4
         with:
           php-version: 8.3
           extensions: dom, curl, libxml, mbstring, zip, pcntl, pdo, pdo_pgsql, intl, gd

docker-compose.yml

@@ -38,7 +38,7 @@ services:
         condition: service_healthy
 
   database:
-    image: postgres:15
+    image: postgres:15@sha256:4b4da96c37fefd6f28c3f58e7470bbc6d2cb34ac5641b9df7221d962eb4bc55d
     container_name: toby-db-dev
     environment:
       - PGPASSWORD=${DOCKER_DEV_DB_ROOT_PASSWORD}
@@ -59,7 +59,7 @@ services:
     restart: unless-stopped
 
   redis:
-    image: redis:7.0-alpine3.16
+    image: redis:7.0-alpine3.16@sha256:2700d5097763fda285c463f4eefc3d0730a2df2a9d48e66707b19d5a5e5f23d4
     container_name: toby-redis-dev
     healthcheck:
       test: [ "CMD-SHELL", "redis-cli ping | grep PONG" ]
@@ -75,7 +75,7 @@ services:
     restart: unless-stopped
 
   mailpit:
-    image: axllent/mailpit:v1.9
+    image: axllent/mailpit:v1.9@sha256:47b6dbbae83e523b407f47ddf93f71ba71e75554ddb4c255d81f3b9b8487103e
     container_name: toby-mailpit-dev
     labels:
       - "traefik.enable=true"
@@ -99,7 +99,7 @@ services:
     restart: unless-stopped
 
   selenium:
-    image: selenium/standalone-chrome
+    image: selenium/standalone-chrome@sha256:f0037767d53479c9c7c7126a84135a06ba38748e0d47b9efca865c82d4345c38
     container_name: toby-selenium-dev
     volumes:
       - /dev/shm:/dev/shm

environment/dev/app/Dockerfile

@@ -3,7 +3,7 @@ ARG PHP_MODULE_NAME=php${PHP_VERSION}
 # https://github.com/nginx/unit/tags
 ARG UNIT_VERSION=1.31.1-1
 
-FROM alpine:3.19.0 as secops-tools
+FROM alpine:3.19.0@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48 as secops-tools
 
 # https://github.com/FiloSottile/age/releases
 ARG AGE_VERSION="1.1.1"
@@ -19,10 +19,10 @@ RUN wget --output-document age.tar.gz "https://github.com/FiloSottile/age/releas
     && chmod +x /usr/local/bin/sops
 
 # https://hub.docker.com/r/composer/composer
-FROM composer/composer:2.7.4-bin as composer-bin
+FROM composer/composer:2.7.4-bin@sha256:d75832c5b2b08ced21d724948cd30674c06b400ca2768eeb5934a3682e690b58 as composer-bin
 
 # https://hub.docker.com/_/node
-FROM node:22.1.0-bullseye-slim as node
+FROM node:22.1.0-bullseye-slim@sha256:d5a435ce3230983b4d359cdc79341fd0b3482aeb445f2fbc04d0e23ecb211dd4 as node
 
 FROM php:${PHP_VERSION}-cli-bullseye as unit-modules-builder
 

environment/prod/app/Dockerfile

@@ -4,7 +4,7 @@ ARG PHP_MODULE_NAME=php${PHP_VERSION}
 ARG UNIT_VERSION=1.31.1-1
 
 ### PHP DEPENDENCIES ###
-FROM composer:2.7.4 as vendor
+FROM composer:2.7.4@sha256:ee4676ef56f97c82f11b421717386bcf9353a53bee9276c414ad80a0a4dc0e02 as vendor
 
 WORKDIR /app_composer_dependencies
 
@@ -19,7 +19,7 @@ RUN composer install \
     --ignore-platform-reqs
 
 ### FRONTEND ###
-FROM node:22.1.0-bullseye-slim as frontend
+FROM node:22.1.0-bullseye-slim@sha256:d5a435ce3230983b4d359cdc79341fd0b3482aeb445f2fbc04d0e23ecb211dd4 as frontend
 
 WORKDIR /app_frontend_dependencies
 

environment/prod/deployment/beta/docker-compose.beta.yml

@@ -46,7 +46,7 @@ services:
       - .deployment
 
   toby-beta-database:
-    image: postgres:15
+    image: postgres:15@sha256:4b4da96c37fefd6f28c3f58e7470bbc6d2cb34ac5641b9df7221d962eb4bc55d
     container_name: toby-beta-database
     environment:
       - PGPASSWORD=${DOCKER_TOBY_BETA_DB_ROOT_PASSWORD:? variable DOCKER_TOBY_BETA_DB_ROOT_PASSWORD not set}
@@ -65,7 +65,7 @@ services:
     restart: unless-stopped
 
   toby-beta-redis:
-    image: redis:7.0-alpine3.16
+    image: redis:7.0-alpine3.16@sha256:2700d5097763fda285c463f4eefc3d0730a2df2a9d48e66707b19d5a5e5f23d4
     container_name: toby-beta-redis
     healthcheck:
       test: [ "CMD-SHELL", "redis-cli ping | grep PONG" ]

environment/prod/deployment/prod/docker-compose.prod.yml

@@ -50,7 +50,7 @@ services:
       - .deployment
 
   toby-prod-database:
-    image: postgres:15
+    image: postgres:15@sha256:4b4da96c37fefd6f28c3f58e7470bbc6d2cb34ac5641b9df7221d962eb4bc55d
     container_name: toby-prod-database
     environment:
       - PGPASSWORD=${DOCKER_TOBY_PROD_DB_ROOT_PASSWORD:? variable DOCKER_TOBY_PROD_DB_ROOT_PASSWORD not set}
@@ -69,7 +69,7 @@ services:
     restart: unless-stopped
 
   toby-prod-redis:
-    image: redis:7.0-alpine3.16
+    image: redis:7.0-alpine3.16@sha256:2700d5097763fda285c463f4eefc3d0730a2df2a9d48e66707b19d5a5e5f23d4
     container_name: toby-prod-redis
     healthcheck:
       test: [ "CMD-SHELL", "redis-cli ping | grep PONG" ]