Pin dependencies

Author: renovate[bot]

.github/workflows/ci.yml

@@ -14,14 +14,14 @@ jobs:
     outputs:
       example-widget-mui-image-tag: ${{ steps.meta_example-widget-mui.outputs.version }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: '0'
           # don't persist the credentials so the changesets action doesn't use the
           # github actions token but the git token provided via environment variable
           persist-credentials: false
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 'lts/*'
           cache: 'yarn'
@@ -55,18 +55,18 @@ jobs:
         run: yarn check-api-report
 
       - name: Login to ghcr.io
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
 
       - name: Generate Docker metadata (example-widget-mui)
         id: meta_example-widget-mui
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5
         env:
           DOCKER_METADATA_PR_HEAD_SHA: true
         with:
@@ -79,7 +79,7 @@ jobs:
             type=sha,prefix=
 
       - name: Build and push (example-widget-mui)
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         id: dockerBuild
         with:
           push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' || github.event_name == 'pull_request' && secrets.GH_APP_OS_APP_ID != '' }}
@@ -114,17 +114,17 @@ jobs:
         run: echo $IMAGE_TAG
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 0 # need main branch to diff against
       - name: Set up Helm
-        uses: azure/setup-helm@v4
-      - uses: actions/setup-python@v5
+        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: '3.13'
           check-latest: true
       - name: Set up chart-testing
-        uses: helm/[email protected]
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
       - name: Check if Helm charts updated (run chart-testing list-changed)
         id: list-changed
         run: |
@@ -138,7 +138,7 @@ jobs:
         run: ct lint --validate-maintainers=false --target-branch ${{ github.event.repository.default_branch }}
       - name: Create kind cluster
         if: steps.list-changed.outputs.changed == 'true'
-        uses: helm/[email protected]
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
       - name: Prepare k8s cluster
         if: steps.list-changed.outputs.changed == 'true'
         run: |
@@ -155,9 +155,9 @@ jobs:
     env:
       DOCKER_PLATFORMS: linux/amd64,linux/arm64,linux/s390x
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 'lts/*'
           cache: 'yarn'
@@ -167,17 +167,17 @@ jobs:
         run: yarn install --frozen-lockfile
 
       - name: Login to ghcr.io
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
 
       - name: Generate docker tag
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
         id: vars
         with:
           script: |
@@ -190,7 +190,7 @@ jobs:
 
       - name: Generate Docker metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5
         with:
           images: ghcr.io/nordeck/matrix-widget-toolkit/widget-server
           labels: |
@@ -204,15 +204,15 @@ jobs:
             type=semver,pattern={{major}},value=${{ steps.vars.outputs.version }}
 
       - name: Build
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         with:
           context: containers/widget-server
           platforms: ${{ env.DOCKER_PLATFORMS }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
 
       - name: Load
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         id: dockerLoad
         with:
           load: true
@@ -221,7 +221,7 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
 
       - name: Restore Cached Browsers
-        uses: actions/cache@v4
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
         with:
           path: ~/.cache/ms-playwright
           key: ${{ runner.os }}-browsers
@@ -235,7 +235,7 @@ jobs:
           IMAGE_ID: ${{ steps.dockerLoad.outputs.imageid }}
         run: yarn playwright test
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         if: always()
         with:
           name: playwright-report
@@ -270,7 +270,7 @@ jobs:
 
       - name: Build and push
         if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' && steps.tag-exists.outputs.result == 'false' }}
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         with:
           push: true
           context: containers/widget-server
@@ -296,7 +296,7 @@ jobs:
           private_key: ${{ secrets.GH_APP_OS_PRIVATE_KEY }}
 
       - name: Trigger Workflow
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
         with:
           github-token: ${{ steps.generate_token.outputs.token }}
           script: |

containers/widget-server/Dockerfile

@@ -1,4 +1,4 @@
-FROM nginx:1.27.4-alpine-perl
+FROM nginx:1.27.4-alpine-perl@sha256:b948629705bb94a3947846babda0a222577b1eadcc3e551bfafef47c7581666b
 
 # Install envsubst
 RUN apk add --no-cache gettext

example-widget-mui/Dockerfile

@@ -1,4 +1,4 @@
-FROM ghcr.io/nordeck/matrix-widget-toolkit/widget-server:1
+FROM ghcr.io/nordeck/matrix-widget-toolkit/widget-server:1@sha256:e20146b7f11dfb663874fed7a289e412ce6e8e623c6eb2261e35a220029ba042
 
 # Allow loading images from all HTTP(s) URLs and blobs
 ENV CSP_IMG_SRC="http: https: blob:"