Merge pull request #25 from jkoelker/renovate/pin-dependencies

chore(deps): pin dependencies

Author: jkoelker

.github/workflows/ci.yaml

@@ -13,30 +13,30 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - name: Run tests
         run: make test
 
   lint:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - name: Run linter
         run: make lint
 
   tidy:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - name: Check go mod tidy
         run: make tidy-ci
 
   build:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - name: Build binary
         run: make docker-build

.github/workflows/container.yaml

@@ -17,18 +17,18 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Log in to Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Extract metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5
         with:
           images: ghcr.io/jkoelker/schwab-proxy
           tags: |
@@ -37,7 +37,7 @@ jobs:
             type=semver,pattern={{version}}
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         with:
           context: .
           push: true

Dockerfile

@@ -1,5 +1,5 @@
 # Build stage
-FROM docker.io/golang:1.24.5-alpine AS builder
+FROM docker.io/golang:1.24.5-alpine@sha256:ddf52008bce1be455fe2b22d780b6693259aaf97b16383b6372f4b22dd33ad66 AS builder
 
 # Set build environment for static linking
 ENV CGO_ENABLED=0 \
@@ -38,7 +38,7 @@ RUN go build \
     ./cmd/schwab-proxy
 
 # Runtime stage - distroless for maximum security
-FROM gcr.io/distroless/static-debian12:nonroot
+FROM gcr.io/distroless/static-debian12:nonroot@sha256:627d6c5a23ad24e6bdff827f16c7b60e0289029b0c79e9f7ccd54ae3279fb45f
 
 LABEL org.opencontainers.image.source=https://github.com/jkoelker/schwab-proxy
 

Dockerfile.devkit

@@ -1,8 +1,8 @@
 # Get as many dependancies from official docker images to allow
 # `dependabot` to manage them for us.
-FROM docker.io/golangci/golangci-lint:v2.2.2 as golangci-lint
-FROM ghcr.io/hadolint/hadolint:2.12.0 as hadolint
-FROM docker.io/golang:1.24.5-alpine
+FROM docker.io/golangci/golangci-lint:v2.2.2@sha256:0f0e3fad35aa127e2823e79809727709bceb6b899ad17362b92a6148ba40c862 as golangci-lint
+FROM ghcr.io/hadolint/hadolint:2.12.0@sha256:30a8fd2e785ab6176eed53f74769e04f125afb2f74a6c52aef7d463583b6d45e as hadolint
+FROM docker.io/golang:1.24.5-alpine@sha256:ddf52008bce1be455fe2b22d780b6693259aaf97b16383b6372f4b22dd33ad66
 
 RUN apk add --no-cache \
     bash==5.2.37-r0 \