From e98c0ebe28538775680ca550bc906a86ed0e32a9 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Sat, 25 Oct 2025 00:14:22 +0000
Subject: [PATCH] Pin dependencies
---
 .github/workflows/publish-release-npm-package.yml | 4 ++--
 .github/workflows/reusable-playwright-tests.yml | 10 +++++-----
 .github/workflows/sonarqube.yml | 4 ++--
 .github/workflows/static-analysis.yaml | 6 +++---
 .github/workflows/synapse-module.yml | 2 +-
 .github/workflows/tests.yml | 8 ++++----
 modules/restricted-guests/synapse/Dockerfile | 2 +-
 packages/element-web-module-api/Dockerfile | 4 ++--
 8 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/publish-release-npm-package.yml b/.github/workflows/publish-release-npm-package.yml
index 9ebe4d5..7110ad5 100644
--- a/.github/workflows/publish-release-npm-package.yml
+++ b/.github/workflows/publish-release-npm-package.yml
@@ -17,10 +17,10 @@ jobs: id-token: write steps: - name: 🧮 Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 - name: 🔧 Yarn cache - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: cache: "yarn" registry-url: "https://registry.npmjs.org"
diff --git a/.github/workflows/reusable-playwright-tests.yml b/.github/workflows/reusable-playwright-tests.yml
index f10d7d5..46e7bee 100644
--- a/.github/workflows/reusable-playwright-tests.yml
+++ b/.github/workflows/reusable-playwright-tests.yml
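Review bot: In `.github/workflows/publish-release-npm-package.yml`, the `setup-node` step keeps `cache: "yarn"` in a job that holds `id-token: write` and targets the npm registry, so whatever the dependency cache restores becomes a build input of the published package. Pinning the action to a commit does not cover that path, because cache entries are written by other runs in the repository rather than by the action's code. For this release job I would drop the `cache: "yarn"` line and let the install fetch from the registry against the lockfile. The job's trigger and its install and publish steps are outside the hunk, so confirm which workflows can write the cache before deciding.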
@@ -14,11 +14,11 @@ jobs: name: Run Playwright end-to-end tests & upload html report runs-on: ubuntu-24.04-arm steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 with: repository: ${{ inputs.webapp-artifact && 'element-hq/element-modules' || github.repository }} - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: cache: "yarn" node-version: "lts/*"
@@ -31,7 +31,7 @@ jobs: run: echo "version=$(yarn list --pattern @playwright/test --depth=0 --json --non-interactive --no-progress | jq -r '.data.trees[].name')" >> "$GITHUB_OUTPUT" - name: Cache playwright binaries - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 id: playwright-cache with: path: ~/.cache/ms-playwright
@@ -43,7 +43,7 @@ jobs: - name: Fetch webapp if: inputs.webapp-artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: ${{ inputs.webapp-artifact }} path: webapp
@@ -60,7 +60,7 @@ jobs: - name: Upload blob report to GitHub Actions Artifacts if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: playwright-html-report path: playwright-report
diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml
index 9078d3f..e660b7f 100644
--- a/.github/workflows/sonarqube.yml
+++ b/.github/workflows/sonarqube.yml
@@ -38,7 +38,7 @@ jobs: fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis - name: 📥 Download artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: github-token: ${{ secrets.GITHUB_TOKEN }} run-id: ${{ github.event.workflow_run.id }}
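Review bot: In `.github/workflows/sonarqube.yml`, the "Download artifact" step fetches files by `run-id: ${{ github.event.workflow_run.id }}`, so its input comes from the triggering run; pinning `actions/download-artifact` fixes the action's code but not the trust level of what it downloads. If the triggering workflow also runs for pull requests from forks, which this hunk does not show, the extracted files are untrusted data and should land in a dedicated `path:` rather than over the checkout, and nothing from them should be executed. I would record that next to the step, for example `# artifact comes from the triggering run; treat its contents as untrusted data`. The step's remaining `with:` keys lie outside the hunk, so this may already be handled.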
@@ -56,7 +56,7 @@ jobs: - name: "🩻 SonarCloud Scan" id: sonarcloud - uses: matrix-org/sonarcloud-workflow-action@v3.3 + uses: matrix-org/sonarcloud-workflow-action@6fa326fe328568a4800c431fe864826caff79b41 # v3.3 # workflow_run fails report against the develop commit always, we don't want that for PRs continue-on-error: ${{ github.event.workflow_run.head_branch != 'develop' }} with:
diff --git a/.github/workflows/static-analysis.yaml b/.github/workflows/static-analysis.yaml
index 1c87aef..693245c 100644
--- a/.github/workflows/static-analysis.yaml
+++ b/.github/workflows/static-analysis.yaml
@@ -24,14 +24,14 @@ jobs: - lint:prettier - lint:knip steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: cache: "yarn" node-version: "lts/*" - - uses: actions/setup-python@v5 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: "3.11"
diff --git a/.github/workflows/synapse-module.yml b/.github/workflows/synapse-module.yml
index b3f9891..6214f20 100644
--- a/.github/workflows/synapse-module.yml
+++ b/.github/workflows/synapse-module.yml
@@ -17,7 +17,7 @@ jobs: env: DOCKER_IMAGE: ghcr.io/element-hq/synapse-guest-module steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 - name: Login to ghcr.io uses: docker/login-action@v3
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index a8d8d22..3426e69 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
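Review bot: In `.github/workflows/synapse-module.yml`, `docker/login-action@v3` on the last visible line is still referenced by a mutable tag, while this hunk pins only `actions/checkout`. Judging by its name, "Login to ghcr.io" is the step that is handed the registry credentials, so it is the reference in this job where a moved tag would matter most. Pin it the same way, `uses: docker/login-action@<full-commit-sha> # v3`, with the SHA taken from a release in the action's own repository. The rest of the job, including any build and push actions, is outside the hunk and should be checked for the same gap.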
@@ -14,14 +14,14 @@ jobs: name: Run tests & upload coverage reports runs-on: ubuntu-24.04-arm steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: cache: "yarn" node-version: "lts/*" - - uses: actions/setup-python@v5 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: "3.11"
@@ -35,7 +35,7 @@ jobs: run: sed -ie 's/filename="/filename="modules\/restricted-guests\/synapse\//' modules/restricted-guests/synapse/coverage.xml - name: Upload Artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: coverage path: |
diff --git a/modules/restricted-guests/synapse/Dockerfile b/modules/restricted-guests/synapse/Dockerfile
index dc39a08..1e1d1e5 100644
--- a/modules/restricted-guests/synapse/Dockerfile
+++ b/modules/restricted-guests/synapse/Dockerfile
@@ -1,7 +1,7 @@ ARG DEBIAN_VERSION_NUMERIC=12 # Now copy it into our base image. -FROM gcr.io/distroless/base-nossl-debian${DEBIAN_VERSION_NUMERIC}:debug AS build +FROM gcr.io/distroless/base-nossl-debian${DEBIAN_VERSION_NUMERIC}:debug@sha256:12dbb4f46c5f712fe3da1c7a441602ee91eb87a5d46b0e725b4440b852000538 AS build FROM gcr.io/distroless/base-nossl-debian${DEBIAN_VERSION_NUMERIC}
diff --git a/packages/element-web-module-api/Dockerfile b/packages/element-web-module-api/Dockerfile
index 00d0e42..1c4b155 100644
--- a/packages/element-web-module-api/Dockerfile
+++ b/packages/element-web-module-api/Dockerfile
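Review bot: In `modules/restricted-guests/synapse/Dockerfile`, only the `build` stage gets a digest; the following `FROM gcr.io/distroless/base-nossl-debian${DEBIAN_VERSION_NUMERIC}` stage, which appears to be the image that ships, still resolves a floating tag at build time. The pinned line also keeps `${DEBIAN_VERSION_NUMERIC}` in the repository name, so a build that overrides that argument would request a digest recorded for the debian12 repository and would most likely fail to pull. I would pin the runtime stage too, `FROM gcr.io/distroless/base-nossl-debian12@sha256:<digest-of-runtime-image>`, and add `# digest is valid only for DEBIAN_VERSION_NUMERIC=12` above the pinned `build` stage. The bodies of both stages are outside the hunk.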
@@ -1,6 +1,6 @@ -ARG ELEMENT_VERSION=latest +ARG ELEMENT_VERSION=latest@sha256:6e91e641abe70dd02f1461b4f1ebf8f6807bfa381ec7f2c13e9e286c4e2b2918 -FROM --platform=$BUILDPLATFORM node:lts-alpine AS builder +FROM --platform=$BUILDPLATFORM node:lts-alpine@sha256:bd26af08779f746650d95a2e4d653b0fd3c8030c44284b6b98d701c9b5eb66b9 AS builder ARG BUILD_CONTEXT
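Review bot: In `packages/element-web-module-api/Dockerfile`, the digest is placed inside the default value of `ARG ELEMENT_VERSION`, so the pin holds only while nobody overrides the argument; a build run with `--build-arg ELEMENT_VERSION=<tag>` silently goes back to an unpinned tag. With a digest present the `latest` part no longer selects the image, so the default reads as latest but stays on one fixed image until the digest is bumped. A comment above the line would make both facts visible, for example `# default is digest-pinned; overriding ELEMENT_VERSION drops the pin`. The `FROM` that consumes `ELEMENT_VERSION` is outside the hunk, so this assumes the value is used as the image tag.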