diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5300c8e..cb19c94 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -26,11 +26,11 @@ jobs: any: ${{ steps.yaml_changes.outputs.any_changed }} steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: fetch-depth: 0 - name: Check Docker - uses: tj-actions/changed-files@v47 + uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47 id: docker_changes with: files: | @@ -40,7 +40,7 @@ jobs: docker-compose*.yml .dockerignore - name: Check Shell - uses: tj-actions/changed-files@v47 + uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47 id: shell_changes with: files: | @@ -49,12 +49,12 @@ jobs: **/*.zsh scripts/** - name: Check Workflows - uses: tj-actions/changed-files@v47 + uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47 id: workflow_changes with: files: .github/workflows/** - name: Check YAML - uses: tj-actions/changed-files@v47 + uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47 id: yaml_changes with: files: | @@ -89,9 +89,9 @@ jobs: pull-requests: write steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Lint - uses: reviewdog/action-shellcheck@v1.32 + uses: reviewdog/action-shellcheck@4c07458293ac342d477251099501a718ae5ef86e # v1.32 with: github_token: ${{ secrets.GITHUB_TOKEN }} level: ${{ env.REVIEWDOG_LEVEL }} @@ -99,7 +99,7 @@ jobs: filter_mode: ${{ env.REVIEWDOG_FILTER_MODE }} fail_level: ${{ env.REVIEWDOG_FAIL_LEVEL }} - name: Format - uses: reviewdog/action-shfmt@v1.0.4 + uses: reviewdog/action-shfmt@d8f080930b9be5847b4f97e9f4122b81a82aaeac # v1.0.4 with: github_token: ${{ secrets.GITHUB_TOKEN }} level: ${{ env.REVIEWDOG_LEVEL }} 
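Review bot: The trailing `# v5` / `# v47` comments on the pinned `uses:` lines are now the only human-readable version marker, and nothing in the workflow keeps them in sync with the SHA, so a future manual bump of one without the other would leave reviewers trusting a label that no longer matches the pinned commit; the same applies to every other hunk in ci.yml and to cleanup.yml, deploy.yml, docker.yml, maintenance.yml, release.yml and security.yml. If the repository does not already have a Dependabot `github-actions` (or Renovate) configuration, adding one is the standard way to keep the SHA and the version comment moving together, since those tools rewrite both. I would also state the policy once, in a header comment at the top of each workflow (outside this hunk): `# Actions are pinned to full commit SHAs so a moved or retagged release cannot change what runs; the trailing "# vN" is informational only.` Pinning by SHA only helps if the SHA was taken from the upstream release the comment names, so it is worth a one-time check that each commit matches the tagged release before merging.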
@@ -115,9 +115,9 @@ jobs: pull-requests: write steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Validate - uses: reviewdog/action-actionlint@v1.67.0 + uses: reviewdog/action-actionlint@95395aac8c053577d0bc67eb7b74936c660c6f66 # v1.67.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} level: ${{ env.REVIEWDOG_LEVEL }} @@ -134,9 +134,9 @@ jobs: pull-requests: write steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Lint - uses: reviewdog/action-hadolint@v1.50.2 + uses: reviewdog/action-hadolint@fc7ee4a9f71e521bc43e370819247b70e5327540 # v1.50.2 with: github_token: ${{ secrets.GITHUB_TOKEN }} level: ${{ env.REVIEWDOG_LEVEL }} @@ -155,9 +155,9 @@ jobs: pull-requests: write steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Lint - uses: reviewdog/action-yamllint@v1.21.0 + uses: reviewdog/action-yamllint@f01d8a48fd8d89f89895499fca2cff09f9e9e8c0 # v1.21.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} level: ${{ env.REVIEWDOG_LEVEL }} @@ -174,9 +174,9 @@ jobs: pull-requests: write steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Lint - uses: docker-compose-linter/dclint-github-action/reviewdog-action@v1.6.0 + uses: docker-compose-linter/dclint-github-action/reviewdog-action@18659f6a7956706cb67cf9c1ad5e55f4352cbc17 # v1.6.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} tool_name: dclint @@ -195,9 +195,9 @@ jobs: pull-requests: write steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Scan - uses: reviewdog/action-gitleaks@v1.8 + uses: reviewdog/action-gitleaks@2b7b5685e3e3eecddab5d30cfa04f18123031421 # v1.8 with: github_token: ${{ secrets.GITHUB_TOKEN }} level: error 
diff --git a/.github/workflows/cleanup.yml b/.github/workflows/cleanup.yml index ad64a0d..9097101 100644 --- a/.github/workflows/cleanup.yml +++ b/.github/workflows/cleanup.yml @@ -36,7 +36,7 @@ jobs: service: [unrealircd, atheme, unrealircd-webpanel] steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Setup Cleanup Parameters id: params run: | diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index e3090b1..8491daa 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -31,7 +31,7 @@ jobs: deployments: write steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Get Image Versions id: images run: | diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 56faaf7..201be1b 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -24,11 +24,11 @@ jobs: docker: ${{ steps.docker_changes.outputs.any_changed }} steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: fetch-depth: 0 - name: Check Docker - uses: tj-actions/changed-files@v47 + uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47 id: docker_changes with: files: | @@ -52,12 +52,12 @@ jobs: service: [unrealircd, atheme, unrealircd-webpanel] steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Setup Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 - name: Extract metadata id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5 with: images: irc-atl-chat-${{ matrix.service }} tags: | 
@@ -78,7 +78,7 @@ jobs: echo "version=$PR_VERSION" >> "$GITHUB_OUTPUT" echo "Generated PR version: $PR_VERSION" - name: Build ${{ matrix.service }} - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 timeout-minutes: 10 with: context: ./${{ matrix.service == 'unrealircd-webpanel' && 'src/frontend/webpanel' || matrix.service == 'unrealircd' && 'src/backend/unrealircd' || matrix.service == 'atheme' && 'src/backend/atheme' }} @@ -98,7 +98,7 @@ jobs: echo "✅ Docker build validation for ${{ matrix.service }} completed successfully" echo "🔍 Build cache updated for faster future builds" - name: Scan Containerfile ${{ matrix.service }} - uses: reviewdog/action-trivy@v1.14.0 + uses: reviewdog/action-trivy@a1e6d7dd5520369c076d7ce639a16442938535d8 # v1.14.0 continue-on-error: true with: github_token: ${{ github.token }} @@ -123,18 +123,18 @@ jobs: service: [unrealircd, atheme, unrealircd-webpanel] steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Setup Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 - name: Login to Registry - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Extract metadata id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-${{ matrix.service }} tags: | 
@@ -158,7 +158,7 @@ jobs: echo "version=$RELEASE_VERSION" >> "$GITHUB_OUTPUT" echo "Generated release version: $RELEASE_VERSION" - name: Build & Push ${{ matrix.service }} - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 timeout-minutes: 15 with: context: ./${{ matrix.service == 'unrealircd-webpanel' && 'src/frontend/webpanel' || matrix.service == 'unrealircd' && 'src/backend/unrealircd' || matrix.service == 'atheme' && 'src/backend/atheme' }} @@ -174,7 +174,7 @@ jobs: BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') - name: Scan Final Image ${{ matrix.service }} if: always() - uses: reviewdog/action-trivy@v1.14.0 + uses: reviewdog/action-trivy@a1e6d7dd5520369c076d7ce639a16442938535d8 # v1.14.0 continue-on-error: true with: github_token: ${{ github.token }} @@ -198,9 +198,9 @@ jobs: service: [unrealircd, atheme, unrealircd-webpanel] steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Clean Old Images ${{ matrix.service }} - uses: actions/delete-package-versions@v5 + uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5 with: package-name: irc-atl-chat-${{ matrix.service }} package-type: container diff --git a/.github/workflows/maintenance.yml b/.github/workflows/maintenance.yml index 309e582..b7b9fa1 100644 --- a/.github/workflows/maintenance.yml +++ b/.github/workflows/maintenance.yml @@ -41,11 +41,11 @@ jobs: issues: write steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: fetch-depth: 0 - name: Convert - uses: alstr/todo-to-issue-action@v5.1.13 + uses: alstr/todo-to-issue-action@c45b007d85c8edf3365b139a9d4c65793e7c674f # v5.1.13 with: CLOSE_ISSUES: true INSERT_ISSUE_URLS: true 
@@ -71,7 +71,7 @@ jobs: service: [unrealircd, atheme, unrealircd-webpanel] steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Registry Size Check ${{ matrix.service }} id: registry_size run: | @@ -95,7 +95,7 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Clean Old Images ${{ matrix.service }} - uses: actions/delete-package-versions@v5 + uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5 with: package-name: irc-atl-chat-${{ matrix.service }} package-type: container @@ -133,7 +133,7 @@ jobs: packages: read steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: fetch-depth: 0 - name: Repository Health Summary diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a164805..053e505 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -22,7 +22,7 @@ jobs: is_prerelease: ${{ steps.version.outputs.is_prerelease }} steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: fetch-depth: 0 - name: Determine Version @@ -48,7 +48,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Wait for Docker Build - uses: lewagon/wait-on-check-action@v1.4.0 + uses: lewagon/wait-on-check-action@0dceb95e7c4cad8cc7422aee3885998f5cab9c79 # v1.4.0 with: ref: ${{ github.sha }} check-name: Docker (Build & Push) @@ -56,7 +56,7 @@ jobs: wait-interval: 30 allowed-conclusions: success - name: Wait for Security Scan - uses: lewagon/wait-on-check-action@v1.4.0 + uses: lewagon/wait-on-check-action@0dceb95e7c4cad8cc7422aee3885998f5cab9c79 # v1.4.0 with: ref: ${{ github.sha }} check-name: Security (Docker Security) 
@@ -69,7 +69,7 @@ jobs: needs: [validate, wait] steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: fetch-depth: 0 - name: Generate Changelog @@ -110,7 +110,7 @@ jobs: } >> "$GITHUB_OUTPUT" fi - name: Create Release - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2 with: tag_name: ${{ needs.validate.outputs.version }} name: IRC.atl.chat Release ${{ needs.validate.outputs.version }} diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index d9df63b..ec2c5b9 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -20,11 +20,11 @@ jobs: yaml: ${{ steps.yaml_changes.outputs.any_changed }} steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: fetch-depth: 0 - name: Check Docker - uses: tj-actions/changed-files@v47 + uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47 id: docker_changes with: files: | @@ -33,14 +33,14 @@ jobs: compose.yaml docker-compose*.yml - name: Check Shell - uses: tj-actions/changed-files@v47 + uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47 id: shell_changes with: files: | **/*.sh scripts/** - name: Check YAML - uses: tj-actions/changed-files@v47 + uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47 id: yaml_changes with: files: | 
@@ -66,14 +66,14 @@ jobs: build-mode: none steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Initialize - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@5d5cd550d3e189c569da8f16ea8de2d821c9bf7a # v3 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} - name: Analyze - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@5d5cd550d3e189c569da8f16ea8de2d821c9bf7a # v3 with: category: /language:${{ matrix.language }} dependencies: @@ -85,9 +85,9 @@ jobs: pull-requests: write steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Review - uses: actions/dependency-review-action@v4 + uses: actions/dependency-review-action@45529485b5eb76184ced07362d2331fd9d26f03f # v4 with: fail-on-severity: high comment-summary-in-pr: always @@ -105,11 +105,11 @@ jobs: service: [unrealircd, atheme, unrealircd-webpanel] steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Setup Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 - name: Build for Security Scan - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 with: context: ./${{ matrix.service == 'unrealircd-webpanel' && 'src/frontend/webpanel' || matrix.service == 'unrealircd' && 'src/backend/unrealircd' || matrix.service == 'atheme' && 'src/backend/atheme' }} file: ./${{ matrix.service == 'unrealircd-webpanel' && 'src/frontend/webpanel/Containerfile' || matrix.service == 'unrealircd' && 'src/backend/unrealircd/Containerfile' || matrix.service == 'atheme' && 'src/backend/atheme/Containerfile' }} 
@@ -117,7 +117,7 @@ jobs: load: true tags: irc-atl-chat-${{ matrix.service }}:security-scan - name: Scan Container Image - uses: reviewdog/action-trivy@v1.14.0 + uses: reviewdog/action-trivy@a1e6d7dd5520369c076d7ce639a16442938535d8 # v1.14.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} trivy_command: image @@ -138,7 +138,7 @@ jobs: security-events: write steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Shell Script Security Analysis run: | echo "## 🔍 Shell Script Security Analysis" diff --git a/compose.yaml b/compose.yaml index e854342..1fd402a 100644 --- a/compose.yaml +++ b/compose.yaml @@ -164,7 +164,7 @@ services: # ============================================================================ ssl-monitor: # Image configuration - image: alpine:latest + image: alpine:latest@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412 # Container configuration container_name: ssl-monitor diff --git a/src/backend/atheme/Containerfile b/src/backend/atheme/Containerfile index 14c7708..57c204e 100644 --- a/src/backend/atheme/Containerfile +++ b/src/backend/atheme/Containerfile @@ -1,7 +1,7 @@ # ============================================================================ # BUILD STAGE - Compile Atheme from source # ============================================================================ -FROM alpine:3.22 AS builder +FROM alpine:3.22@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412 AS builder # Build arguments ARG ATHEME_VERSION="master" 
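Review bot: In compose.yaml the `ssl-monitor` image is pinned as `alpine:latest@sha256:…`, but once a digest is present the runtime ignores the tag, so `latest` is now only a label — and a misleading one, because the same digest is pinned as `alpine:3.22` in the atheme and unrealircd Containerfiles in this commit. Changing it to `image: alpine:3.22@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412` makes the label agree with what is actually pulled and with the other services. A short comment above the line, `# Digest pinned; bump tag and digest together`, would keep the next maintainer from reverting to a bare tag.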
@@ -45,7 +45,7 @@ RUN sed -i "s/@MKDIR_P@/mkdir -p/g" /usr/src/atheme-src/modules/contrib/buildsys # ============================================================================ # RUNTIME STAGE - Minimal production container # ============================================================================ -FROM alpine:3.22 +FROM alpine:3.22@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412 # Runtime arguments ARG UID=1000 diff --git a/src/backend/unrealircd/Containerfile b/src/backend/unrealircd/Containerfile index c534b9b..5dd88bb 100644 --- a/src/backend/unrealircd/Containerfile +++ b/src/backend/unrealircd/Containerfile @@ -2,7 +2,7 @@ # BUILD STAGE - Compile UnrealIRCd from source # ============================================================================ # This stage compiles UnrealIRCd and preserves the source code for module management -FROM alpine:3.22 AS builder +FROM alpine:3.22@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412 AS builder # Build arguments ARG UNREALIRCD_VERSION=6.2.0.1 @@ -67,7 +67,7 @@ RUN make install # ============================================================================ # This stage includes the compiled UnrealIRCd plus source code and build tools # to enable third-party module installation and management -FROM alpine:3.22 +FROM alpine:3.22@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412 # Runtime arguments (inherit from builder stage) ARG UNREALIRCD_VERSION=6.2.0.1 diff --git a/src/frontend/webpanel/Containerfile b/src/frontend/webpanel/Containerfile index aae10bb..f69469c 100644 --- a/src/frontend/webpanel/Containerfile +++ b/src/frontend/webpanel/Containerfile @@ -1,5 +1,5 @@ # hadolint ignore=DL3006 -FROM composer/composer AS builder +FROM composer/composer@sha256:48f9c78ac5f34d88eaf609c0931046e870434d4990c08462433056bc11de9ca0 AS builder WORKDIR /app 
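Review bot: The webpanel `FROM composer/composer@sha256:…` is pinned by digest only, with no tag, so unlike the alpine pins in the other Containerfiles a reader has no indication which upstream version the digest corresponds to; the `trafex/php-nginx@sha256:…` pin in the next hunk has the same gap. Writing the tag ahead of the digest, `FROM composer/composer:<upstream tag>@sha256:48f9c78ac5f34d88eaf609c0931046e870434d4990c08462433056bc11de9ca0 AS builder` (tag to be filled in from the registry), documents the version while the digest still controls what is pulled, and the `# hadolint ignore=DL3006` line above it may then no longer be needed — worth confirming against the hadolint version in use. Given the commit's goal of reproducible inputs, the `git clone --depth 1 … unrealircd-webpanel.git` visible in the second hunk's header still fetches an unpinned branch at build time, so the digest pins do not yet make the webpanel image reproducible; the RUN that performs that clone lies outside the hunk.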
@@ -8,7 +8,7 @@ RUN git clone --depth 1 https://github.com/unrealircd/unrealircd-webpanel.git . composer install --no-dev --optimize-autoloader # hadolint ignore=DL3006 -FROM trafex/php-nginx +FROM trafex/php-nginx@sha256:e4b7fb9a5a693676786a3a66daa22e4898b947a91602e43a7219f0454f0a8dfe USER root