ci: updated all workflows to be pinned to commit hashes ahead of renovate connection (#1989)

* ci: updated all workflows to be pinned to commit hashes ahead of renovate connection

* ci: update doc links regex

* ci: bump version for codeql-action

* ci: bump version for action/cache to v4.2.0

* ci: adding package-manager-cache: false to the node v5 setup steps

* ci: remove the --include to test precedence as it was overriding

* chore: added missing @ from commit hash

* ci: updates to shas to bring up to latest, also update to renovate config to account for major versions

* chore: update renovate global minimum age settings

* updated node sha

* Apply suggestion from @M0NsTeRRR

Co-authored-by: Ludovic Ortega <ludovic.ortega@adminafk.fr>

* Apply suggestion from @M0NsTeRRR

Co-authored-by: Ludovic Ortega <ludovic.ortega@adminafk.fr>

* Apply suggestion from @M0NsTeRRR

Co-authored-by: Ludovic Ortega <ludovic.ortega@adminafk.fr>

* Apply suggestion from @M0NsTeRRR

* Apply suggestion from @M0NsTeRRR

---------

Co-authored-by: Ludovic Ortega <ludovic.ortega@adminafk.fr>
This commit is contained in:
Joe Harrison
2025-10-07 19:55:56 +01:00
committed by GitHub
parent 3ff1c061b8
commit 2e6a19d3b5
20 changed files with 101 additions and 96 deletions


@@ -4,13 +4,12 @@
"config:recommended", "config:recommended",
":dependencyDashboard", ":dependencyDashboard",
":timezone(UTC)", ":timezone(UTC)",
"docker:enableMajor",
"docker:pinDigests",
"group:nextjsMonorepo", "group:nextjsMonorepo",
"group:reactMonorepo", "group:reactMonorepo",
"group:typescript-eslintMonorepo", "group:typescript-eslintMonorepo",
"group:tailwindcssMonorepo", "group:tailwindcssMonorepo",
"github>seerr-team/seerr//.github/renovate/actions.json5", "github>seerr-team/seerr//.github/renovate/actions.json5",
"github>seerr-team/seerr//.github/renovate/docker.json5",
"github>seerr-team/seerr//.github/renovate/groups.json5", "github>seerr-team/seerr//.github/renovate/groups.json5",
"github>seerr-team/seerr//.github/renovate/helm.json5", "github>seerr-team/seerr//.github/renovate/helm.json5",
"github>seerr-team/seerr//.github/renovate/labels.json5", "github>seerr-team/seerr//.github/renovate/labels.json5",
@@ -20,5 +19,6 @@
"dependencyDashboardTitle": "Renovate Dashboard 🤖", "dependencyDashboardTitle": "Renovate Dashboard 🤖",
"suppressNotifications": ["prEditedNotification", "prIgnoreNotification"], "suppressNotifications": ["prEditedNotification", "prIgnoreNotification"],
"rebaseWhen": "conflicted", "rebaseWhen": "conflicted",
"labels": ["dependencies"] "labels": ["dependencies"],
"minimumReleaseAge": "7 days"
} }
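Review bot: The new global `"minimumReleaseAge": "7 days"` at the end of the mapping now also delays the digest-pinned Docker base image and the SHA-pinned actions, so an upstream release that fixes a vulnerability will not be proposed for a week unless another rule lifts the delay. As far as I recall Renovate's `vulnerabilityAlerts` defaults drop the minimum release age for security-alert PRs, but that only covers advisories GitHub raises for this repository, not every upstream patch release; confirm that is the intended trade-off. I would record it in a JSON5 comment above the key: `// 7-day cooldown so freshly published (possibly compromised) releases are not adopted immediately; helm.json5 sets this to '0' for this repo's own chart values`. The helm.json5 override is in the same commit.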


@@ -8,7 +8,6 @@
{ {
matchManagers: ['github-actions'], matchManagers: ['github-actions'],
groupName: 'GitHub Actions', groupName: 'GitHub Actions',
minimumReleaseAge: '7 days',
}, },
], ],
} }

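--- /dev/null
+++ b/.github/renovate/docker.json5
@@ -0,0 +1,8 @@
+{
+$schema: 'https://docs.renovatebot.com/renovate-schema.json',
+extends: [
+'docker:enableMajor',
+'docker:pinDigests'
+],
+}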


@@ -7,7 +7,6 @@
matchPackageNames: ['node'], matchPackageNames: ['node'],
matchManagers: ['dockerfile', 'npm'], matchManagers: ['dockerfile', 'npm'],
groupName: 'Node.js', groupName: 'Node.js',
minimumReleaseAge: '7 days',
commitMessageTopic: 'Node.js', commitMessageTopic: 'Node.js',
}, },
@@ -15,7 +14,6 @@
{ {
matchPackageNames: ['pg', 'sqlite3', 'typeorm'], matchPackageNames: ['pg', 'sqlite3', 'typeorm'],
groupName: 'Database', groupName: 'Database',
minimumReleaseAge: '7 days',
}, },
], ],
} }


@@ -5,6 +5,7 @@
{ {
matchManagers: ['helm-values'], matchManagers: ['helm-values'],
matchFileNames: ['charts/*/values.yaml'], matchFileNames: ['charts/*/values.yaml'],
minimumReleaseAge: '0'
}, },
], ],
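Review bot: The added `minimumReleaseAge: '0'` on the helm-values rule carries no explanation, and `'0'` is not in the `'N days'` duration form the rest of the config uses (`"7 days"` in renovate.json5); I cannot confirm from here how Renovate parses a bare `'0'`, so please check that it actually cancels the global delay rather than being ignored. A comment on that line would save the next reader the lookup: `// charts/*/values.yaml tracks this repo's own image tag, so no cooldown is needed for our own releases` — hedged, since the reason is inferred from the file pattern. The line also lacks the trailing comma the neighbouring keys carry; JSON5 accepts both, but the file's own style is to keep it.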


@@ -26,12 +26,12 @@ jobs:
container: node:22-alpine container: node:22-alpine
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with: with:
persist-credentials: false persist-credentials: false
- name: Pnpm Setup - name: Pnpm Setup
uses: pnpm/action-setup@v4 uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
- name: Get pnpm store directory - name: Get pnpm store directory
shell: sh shell: sh
@@ -39,7 +39,7 @@ jobs:
echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
- name: Setup pnpm cache - name: Setup pnpm cache
uses: actions/cache@v4 uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with: with:
path: ${{ env.STORE_PATH }} path: ${{ env.STORE_PATH }}
key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }} key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
@@ -75,7 +75,7 @@ jobs:
runs-on: ${{ matrix.runner }} runs-on: ${{ matrix.runner }}
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with: with:
persist-credentials: false persist-credentials: false
@@ -84,10 +84,10 @@ jobs:
run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT" run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT"
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
- name: Warm cache (no push) — ${{ matrix.platform }} - name: Warm cache (no push) — ${{ matrix.platform }}
uses: docker/build-push-action@v6 uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with: with:
context: . context: .
file: ./Dockerfile file: ./Dockerfile
@@ -111,7 +111,7 @@ jobs:
id-token: write id-token: write
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with: with:
persist-credentials: false persist-credentials: false
@@ -120,16 +120,16 @@ jobs:
run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT" run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT"
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
- name: Log in to Docker Hub - name: Log in to Docker Hub
uses: docker/login-action@v3 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with: with:
username: ${{ secrets.DOCKER_USERNAME }} username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }} password: ${{ secrets.DOCKER_TOKEN }}
- name: Log in to GitHub Container Registry - name: Log in to GitHub Container Registry
uses: docker/login-action@v3 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with: with:
registry: ghcr.io registry: ghcr.io
username: ${{ github.repository_owner }} username: ${{ github.repository_owner }}
@@ -137,7 +137,7 @@ jobs:
- name: Extract metadata - name: Extract metadata
id: meta id: meta
uses: docker/metadata-action@v5 uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
with: with:
images: | images: |
${{ github.repository }} ${{ github.repository }}
@@ -149,7 +149,7 @@ jobs:
org.opencontainers.image.created=${{ steps.ts.outputs.TIMESTAMP }} org.opencontainers.image.created=${{ steps.ts.outputs.TIMESTAMP }}
- name: Build & Push (multi-arch, single tag) - name: Build & Push (multi-arch, single tag)
uses: docker/build-push-action@v6 uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with: with:
context: . context: .
file: ./Dockerfile file: ./Dockerfile
@@ -184,7 +184,7 @@ jobs:
fi fi
- name: Post Status to Discord - name: Post Status to Discord
uses: sarisia/actions-status-discord@v1 uses: sarisia/actions-status-discord@58667542682a27f270460405363e3a982f57a7ee # v1.0.0
with: with:
webhook: ${{ secrets.DISCORD_WEBHOOK }} webhook: ${{ secrets.DISCORD_WEBHOOK }}
status: ${{ steps.status.outputs.status }} status: ${{ steps.status.outputs.status }}
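Review bot: `sarisia/actions-status-discord@58667542682a27f270460405363e3a982f57a7ee # v1.0.0` in the Post Status to Discord step replaces the floating `v1` tag, which resolved to the newest v1.x release, with what the comment says is the very first v1.0.0 release; if the SHA really is v1.0.0 this is a silent downgrade of an action that is handed `secrets.DISCORD_WEBHOOK`, and Renovate will take the comment as the current version. Please confirm the SHA against the release you actually intend to run and pin the latest v1.x instead. The same ref is introduced in the release workflow's Post Status to Discord step in this commit. The job this step belongs to begins outside the hunk.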


@@ -37,20 +37,20 @@ jobs:
language: [actions, javascript] language: [actions, javascript]
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with: with:
persist-credentials: false persist-credentials: false
- name: Initialize CodeQL - name: Initialize CodeQL
uses: github/codeql-action/init@v3 uses: github/codeql-action/init@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
with: with:
languages: ${{ matrix.language }} languages: ${{ matrix.language }}
queries: +security-and-quality queries: +security-and-quality
- name: Autobuild - name: Autobuild
uses: github/codeql-action/autobuild@v3 uses: github/codeql-action/autobuild@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
- name: Perform CodeQL Analysis - name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3 uses: github/codeql-action/analyze@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
with: with:
category: '/language:${{ matrix.language }}' category: '/language:${{ matrix.language }}'


@@ -27,7 +27,7 @@ jobs:
pull-requests: write pull-requests: write
steps: steps:
- name: Apply label - name: Apply label
uses: eps1lon/actions-label-merge-conflict@v3 uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3
with: with:
dirtyLabel: 'merge conflict' dirtyLabel: 'merge conflict'
commentOnDirty: 'This pull request has merge conflicts. Please resolve the conflicts so the PR can be successfully reviewed and merged.' commentOnDirty: 'This pull request has merge conflicts. Please resolve the conflicts so the PR can be successfully reviewed and merged.'


@@ -37,23 +37,24 @@ jobs:
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with: with:
persist-credentials: false persist-credentials: false
- name: Set up Node.js - name: Set up Node.js
uses: actions/setup-node@v4 uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
with: with:
node-version-file: package.json node-version-file: package.json
package-manager-cache: false
- name: Pnpm Setup - name: Pnpm Setup
uses: pnpm/action-setup@v4 uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
- name: Install dependencies - name: Install dependencies
run: pnpm install --frozen-lockfile run: pnpm install --frozen-lockfile
- name: Setup cypress cache - name: Setup cypress cache
uses: actions/cache@v4 uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with: with:
path: ~/.cache/Cypress path: ~/.cache/Cypress
key: ${{ runner.os }}-cypress-store-${{ hashFiles('**/pnpm-lock.yaml') }} key: ${{ runner.os }}-cypress-store-${{ hashFiles('**/pnpm-lock.yaml') }}
@@ -66,7 +67,7 @@ jobs:
run: pnpm exec cypress install run: pnpm exec cypress install
- name: Cypress run - name: Cypress run
uses: cypress-io/github-action@v6 uses: cypress-io/github-action@b8ba51a856ba5f4c15cf39007636d4ab04f23e3c # v6.10.2
with: with:
install: false install: false
build: pnpm cypress:build build: pnpm cypress:build
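Review bot: `package-manager-cache: false` under the Set up Node.js step is added without a reason, and setup-node v5 turning caching on by default is exactly the behaviour change a reader will not know about in a year. The likely reason — presumably that setup-node runs before pnpm/action-setup here, so a pnpm cache lookup would have no pnpm binary to query — should be written down: `package-manager-cache: false # setup-node v5 caches by default; pnpm is only installed in the next step`. The docs, release and test workflows in this commit add the same line and should carry the same comment. The job continues outside the hunk.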


@@ -22,18 +22,19 @@ jobs:
name: Build Docusaurus name: Build Docusaurus
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with: with:
fetch-depth: 0 fetch-depth: 0
persist-credentials: false persist-credentials: false
- name: Set up Node.js - name: Set up Node.js
uses: actions/setup-node@v4 uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
with: with:
node-version-file: package.json node-version-file: package.json
package-manager-cache: false
- name: Pnpm Setup - name: Pnpm Setup
uses: pnpm/action-setup@v4 uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
- name: Get pnpm store directory - name: Get pnpm store directory
shell: sh shell: sh
@@ -41,7 +42,7 @@ jobs:
echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
- name: Setup pnpm cache - name: Setup pnpm cache
uses: actions/cache@v4 uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with: with:
path: ${{ env.STORE_PATH }} path: ${{ env.STORE_PATH }}
key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }} key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
@@ -58,7 +59,7 @@ jobs:
run: pnpm build run: pnpm build
- name: Upload Build Artifact - name: Upload Build Artifact
uses: actions/upload-pages-artifact@v4 uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b6 # v4.0.0
with: with:
path: gen-docs/build path: gen-docs/build
@@ -76,4 +77,4 @@ jobs:
steps: steps:
- name: Deploy to GitHub Pages - name: Deploy to GitHub Pages
id: deployment id: deployment
uses: actions/deploy-pages@v4 uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
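Review bot: The ref `actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b6 # v4.0.0` in the Upload Build Artifact step is 41 hexadecimal characters long, one more than a git commit id, so the runner cannot resolve it to a commit and the step will fail at setup; every other pin in this commit is 40 characters. Re-copy the SHA of the v4.0.0 release of upload-pages-artifact and keep the `# v4.0.0` comment so Renovate can track it. The Build Docusaurus job continues outside the hunk.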


@@ -36,27 +36,22 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with: with:
fetch-depth: 0 fetch-depth: 0
persist-credentials: false persist-credentials: false
- name: Run Lychee link checker - name: Run Lychee link checker
uses: lycheeverse/lychee-action@v2 uses: lycheeverse/lychee-action@885c65f3dc543b57c898c8099f4e08c8afd178a2 # v2.6.1
with: with:
fail: false fail: false
args: >- args: >-
--verbose --verbose
--no-progress --no-progress
--accept 200..204,300..304,307,308,404,429,999 --accept 200..204,300..304,307,308,404,429,999
--include '^(http|https)://.*'
--exclude '^file://' --exclude '^file://'
--exclude '^https?://localhost' --exclude '^https?://(localhost|127\.0\.0\.1|0\.0\.0\.0|\[::1\]|\[::\])'
--exclude '^https?://127\.0\.0\.1' --exclude '^https?://support\.discord\.com'
--exclude '^https?://0\.0\.0\.0'
--exclude '^https?://\[\:\:1\]'
--exclude '^https?://\[\:\:\]'
--exclude '^https?://support.discord.com'
'./docs/**/*.md' './docs/**/*.md'
'./docs/**/*.mdx' './docs/**/*.mdx'
'./gen-docs/**/*.md' './gen-docs/**/*.md'
@@ -65,7 +60,7 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Upload Lychee report - name: Upload Lychee report
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with: with:
name: lychee-report name: lychee-report
path: | path: |


@@ -28,19 +28,19 @@ jobs:
has_artifacts: ${{ steps.check-artifacts.outputs.has_artifacts }} has_artifacts: ${{ steps.check-artifacts.outputs.has_artifacts }}
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with: with:
fetch-depth: 0 fetch-depth: 0
persist-credentials: false persist-credentials: false
- name: Install helm - name: Install helm
uses: azure/setup-helm@v4 uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
- name: Install Oras - name: Install Oras
uses: oras-project/setup-oras@v1 uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1.2.4
- name: Login to GitHub Container Registry - name: Login to GitHub Container Registry
uses: docker/login-action@v3 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with: with:
registry: ghcr.io registry: ghcr.io
username: ${{ github.actor }} username: ${{ github.actor }}
@@ -76,7 +76,7 @@ jobs:
fi fi
- name: Upload artifacts - name: Upload artifacts
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
if: steps.check-artifacts.outputs.has_artifacts == 'true' if: steps.check-artifacts.outputs.has_artifacts == 'true'
with: with:
name: artifacts name: artifacts
@@ -93,28 +93,28 @@ jobs:
if: needs.package-helm-chart.outputs.has_artifacts == 'true' if: needs.package-helm-chart.outputs.has_artifacts == 'true'
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with: with:
fetch-depth: 0 fetch-depth: 0
persist-credentials: false persist-credentials: false
- name: Install helm - name: Install helm
uses: azure/setup-helm@v4 uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
- name: Install Oras - name: Install Oras
uses: oras-project/setup-oras@v1 uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1.2.4
- name: Install Cosign - name: Install Cosign
uses: sigstore/cosign-installer@v3 uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
- name: Downloads artifacts - name: Downloads artifacts
uses: actions/download-artifact@v4 uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
with: with:
name: artifacts name: artifacts
path: .cr-release-packages/ path: .cr-release-packages/
- name: Login to GitHub Container Registry - name: Login to GitHub Container Registry
uses: docker/login-action@v3 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with: with:
registry: ghcr.io registry: ghcr.io
username: ${{ github.actor }} username: ${{ github.actor }}
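Review bot: `actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0` in the Upload artifacts step pins the oldest v4 release, while the lychee workflow in this same commit pins `actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2`; the floating `v4` tag this replaces resolved to the newer one, so this step is effectively downgraded and the two workflows now disagree on the version of one action. Use the same pin here: `uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2`. The package-helm-chart job this step belongs to begins outside the hunk.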


@@ -28,19 +28,19 @@ jobs:
contents: read contents: read
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with: with:
fetch-depth: 0 fetch-depth: 0
persist-credentials: false persist-credentials: false
- name: Set up Helm - name: Set up Helm
uses: azure/setup-helm@v4 uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
- name: Set up chart-testing - name: Set up chart-testing
uses: helm/chart-testing-action@v2 uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
- name: Ensure documentation is updated - name: Ensure documentation is updated
uses: docker://jnorwood/helm-docs:v1.14.2 uses: docker://jnorwood/helm-docs@sha256:7e562b49ab6b1dbc50c3da8f2dd6ffa8a5c6bba327b1c6335cc15ce29267979c # v1.14.2
- name: Run chart-testing (list-changed) - name: Run chart-testing (list-changed)
id: list-changed id: list-changed
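Review bot: `uses: docker://jnorwood/helm-docs@sha256:7e562b49ab6b1dbc50c3da8f2dd6ffa8a5c6bba327b1c6335cc15ce29267979c # v1.14.2` in the Ensure documentation is updated step drops the `:v1.14.2` tag from the image reference and keeps the version only in a trailing comment, whereas the Dockerfile in this commit keeps both (`node:22.20.0-alpine3.22@sha256:…`). Docker image references accept the `name:tag@digest` form, so `uses: docker://jnorwood/helm-docs:v1.14.2@sha256:7e562b49ab6b1dbc50c3da8f2dd6ffa8a5c6bba327b1c6335cc15ce29267979c # v1.14.2` would keep the human-readable version in the pulled reference itself. I have not verified that GitHub's docker:// resolver and Renovate's github-actions manager both handle the combined form, so check that before adopting it.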


@@ -30,7 +30,7 @@ jobs:
runs-on: ${{ matrix.runner }} runs-on: ${{ matrix.runner }}
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with: with:
persist-credentials: false persist-credentials: false
@@ -39,7 +39,7 @@ jobs:
run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT" run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT"
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
- name: Derive preview version from tag - name: Derive preview version from tag
id: ver id: ver
@@ -52,7 +52,7 @@ jobs:
echo "Building preview version: ${VER}" echo "Building preview version: ${VER}"
- name: Warm cache (no push) — ${{ matrix.platform }} - name: Warm cache (no push) — ${{ matrix.platform }}
uses: docker/build-push-action@v6 uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with: with:
context: . context: .
file: ./Dockerfile file: ./Dockerfile
@@ -76,7 +76,7 @@ jobs:
id-token: write id-token: write
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with: with:
persist-credentials: false persist-credentials: false
@@ -85,16 +85,16 @@ jobs:
run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT" run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT"
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
- name: Log in to Docker Hub - name: Log in to Docker Hub
uses: docker/login-action@v3 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with: with:
username: ${{ secrets.DOCKER_USERNAME }} username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }} password: ${{ secrets.DOCKER_TOKEN }}
- name: Log in to GitHub Container Registry - name: Log in to GitHub Container Registry
uses: docker/login-action@v3 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with: with:
registry: ghcr.io registry: ghcr.io
username: ${{ github.repository_owner }} username: ${{ github.repository_owner }}
@@ -112,7 +112,7 @@ jobs:
- name: Extract metadata - name: Extract metadata
id: meta id: meta
uses: docker/metadata-action@v5 uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
with: with:
images: | images: |
${{ github.repository }} ${{ github.repository }}
@@ -124,7 +124,7 @@ jobs:
org.opencontainers.image.created=${{ steps.ts.outputs.TIMESTAMP }} org.opencontainers.image.created=${{ steps.ts.outputs.TIMESTAMP }}
- name: Build & Push (multi-arch, single tag) - name: Build & Push (multi-arch, single tag)
uses: docker/build-push-action@v6 uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with: with:
context: . context: .
file: ./Dockerfile file: ./Dockerfile


@@ -23,18 +23,19 @@ jobs:
new_release_version: ${{ steps.release.outputs.new_release_version }} new_release_version: ${{ steps.release.outputs.new_release_version }}
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with: with:
fetch-depth: 0 fetch-depth: 0
persist-credentials: false persist-credentials: false
- name: Set up Node.js - name: Set up Node.js
uses: actions/setup-node@v4 uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
with: with:
node-version-file: package.json node-version-file: package.json
package-manager-cache: false
- name: Pnpm Setup - name: Pnpm Setup
uses: pnpm/action-setup@v4 uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
- name: Get pnpm store directory - name: Get pnpm store directory
shell: sh shell: sh
@@ -42,7 +43,7 @@ jobs:
echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
- name: Setup pnpm cache - name: Setup pnpm cache
uses: actions/cache@v4 uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with: with:
path: ${{ env.STORE_PATH }} path: ${{ env.STORE_PATH }}
key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }} key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
@@ -54,7 +55,7 @@ jobs:
- name: Release - name: Release
id: release id: release
uses: cycjimmy/semantic-release-action@v5 uses: cycjimmy/semantic-release-action@9cc899c47e6841430bbaedb43de1560a568dfd16 # v5.0.0
with: with:
extra_plugins: | extra_plugins: |
@semantic-release/git@10 @semantic-release/git@10
@@ -79,7 +80,7 @@ jobs:
runs-on: ${{ matrix.runner }} runs-on: ${{ matrix.runner }}
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with: with:
persist-credentials: false persist-credentials: false
@@ -88,10 +89,10 @@ jobs:
run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT" run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT"
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
- name: Warm cache (no push) — ${{ matrix.platform }} - name: Warm cache (no push) — ${{ matrix.platform }}
uses: docker/build-push-action@v6 uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with: with:
context: . context: .
file: ./Dockerfile file: ./Dockerfile
@@ -116,7 +117,7 @@ jobs:
packages: write packages: write
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with: with:
persist-credentials: false persist-credentials: false
@@ -125,16 +126,16 @@ jobs:
run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT" run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT"
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
- name: Log in to Docker Hub - name: Log in to Docker Hub
uses: docker/login-action@v3 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with: with:
username: ${{ secrets.DOCKER_USERNAME }} username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }} password: ${{ secrets.DOCKER_TOKEN }}
- name: Log in to GitHub Container Registry - name: Log in to GitHub Container Registry
uses: docker/login-action@v3 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with: with:
registry: ghcr.io registry: ghcr.io
username: ${{ github.repository_owner }} username: ${{ github.repository_owner }}
@@ -142,7 +143,7 @@ jobs:
- name: Extract metadata - name: Extract metadata
id: meta id: meta
uses: docker/metadata-action@v5 uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
with: with:
images: | images: |
${{ github.repository }} ${{ github.repository }}
@@ -153,7 +154,7 @@ jobs:
org.opencontainers.image.created=${{ steps.ts.outputs.TIMESTAMP }} org.opencontainers.image.created=${{ steps.ts.outputs.TIMESTAMP }}
- name: Build & Push (multi-arch, single tag) - name: Build & Push (multi-arch, single tag)
uses: docker/build-push-action@v6 uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with: with:
context: . context: .
file: ./Dockerfile file: ./Dockerfile
@@ -191,7 +192,7 @@ jobs:
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
steps: steps:
- name: Get Build Job Status - name: Get Build Job Status
uses: technote-space/workflow-conclusion-action@v3 uses: technote-space/workflow-conclusion-action@45ce8e0eb155657ab8ccf346ade734257fd196a5 # v3.0.3
- name: Combine Job Status - name: Combine Job Status
id: status id: status
@@ -204,7 +205,7 @@ jobs:
fi fi
- name: Post Status to Discord - name: Post Status to Discord
uses: sarisia/actions-status-discord@v1 uses: sarisia/actions-status-discord@58667542682a27f270460405363e3a982f57a7ee # v1.0.0
with: with:
webhook: ${{ secrets.DISCORD_WEBHOOK }} webhook: ${{ secrets.DISCORD_WEBHOOK }}
status: ${{ steps.status.outputs.status }} status: ${{ steps.status.outputs.status }}


@@ -21,7 +21,7 @@ jobs:
issues: write issues: write
pull-requests: write pull-requests: write
steps: steps:
- uses: actions/stale@v10.1.0 - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0
with: with:
any-of-labels: "pending author's response" any-of-labels: "pending author's response"
exempt-issue-labels: 'confirmed' exempt-issue-labels: 'confirmed'


@@ -24,18 +24,19 @@ jobs:
permissions: permissions:
contents: read contents: read
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with: with:
fetch-depth: 0 fetch-depth: 0
persist-credentials: false persist-credentials: false
- name: Set up Node.js - name: Set up Node.js
uses: actions/setup-node@v4 uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
with: with:
node-version-file: package.json node-version-file: package.json
package-manager-cache: false
- name: Pnpm Setup - name: Pnpm Setup
uses: pnpm/action-setup@v4 uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
- name: Get pnpm store directory - name: Get pnpm store directory
shell: sh shell: sh
@@ -43,7 +44,7 @@ jobs:
echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
- name: Setup pnpm cache - name: Setup pnpm cache
uses: actions/cache@v4 uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with: with:
path: ${{ env.STORE_PATH }} path: ${{ env.STORE_PATH }}
key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }} key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}


@@ -34,13 +34,13 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with: with:
fetch-depth: 0 fetch-depth: 0
persist-credentials: false persist-credentials: false
- name: Cache Trivy DB - name: Cache Trivy DB
uses: actions/cache@v4 uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with: with:
path: .trivycache path: .trivycache
key: trivy-${{ runner.os }}-${{ hashFiles('**/Dockerfile') }} key: trivy-${{ runner.os }}-${{ hashFiles('**/Dockerfile') }}
@@ -56,6 +56,6 @@ jobs:
ignore-unfixed: true ignore-unfixed: true
- name: Upload SARIF to code scanning - name: Upload SARIF to code scanning
uses: github/codeql-action/upload-sarif@v3 uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
with: with:
sarif_file: trivy.sarif sarif_file: trivy.sarif


@@ -1,4 +1,4 @@
FROM node:22-alpine AS build_image FROM node:22.20.0-alpine3.22@sha256:096829fd4bb8c2ce2340ed64dd2f857951f8704325f7acf53e3dc0561c36a214 AS build_image
ARG SOURCE_DATE_EPOCH ARG SOURCE_DATE_EPOCH
ARG TARGETPLATFORM ARG TARGETPLATFORM
@@ -33,7 +33,7 @@ RUN pnpm prune --prod --ignore-scripts && \
touch config/DOCKER && \ touch config/DOCKER && \
echo "{\"commitTag\": \"${COMMIT_TAG}\"}" > committag.json echo "{\"commitTag\": \"${COMMIT_TAG}\"}" > committag.json
FROM node:22-alpine FROM node:22.20.0-alpine3.22@sha256:096829fd4bb8c2ce2340ed64dd2f857951f8704325f7acf53e3dc0561c36a214
ENV PNPM_HOME="/pnpm" ENV PNPM_HOME="/pnpm"
ENV PATH="$PNPM_HOME:$PATH" ENV PATH="$PNPM_HOME:$PATH"


@@ -1,4 +1,4 @@
FROM node:22-alpine FROM node:22.20.0-alpine3.22@sha256:096829fd4bb8c2ce2340ed64dd2f857951f8704325f7acf53e3dc0561c36a214
ENV PNPM_HOME="/pnpm" ENV PNPM_HOME="/pnpm"
ENV PATH="$PNPM_HOME:$PATH" ENV PATH="$PNPM_HOME:$PATH"