From ecfa38f11e56f36c85712bd344ca9c4280d95d31 Mon Sep 17 00:00:00 2001 From: Jonathan Perret Date: Fri, 27 Feb 2026 18:17:40 +0100 Subject: [PATCH] =?UTF-8?q?=E2=AC=86=EF=B8=8F=20(actions)=20upgrade=20and?= =?UTF-8?q?=20pin=20GitHub=20actions?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit To latest stable versions. --- .github/workflows/build-docker.yml | 12 ++++++------ .github/workflows/ci-tests.yml | 18 +++++++++--------- Dockerfile | 3 ++- 3 files changed, 17 insertions(+), 16 deletions(-) diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml index 7b45922..28c7079 100644 --- a/.github/workflows/build-docker.yml +++ b/.github/workflows/build-docker.yml @@ -17,14 +17,14 @@ jobs: packages: write steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - name: Docker meta id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 with: images: ghcr.io/${{ github.repository }} tags: | @@ -36,14 +36,14 @@ jobs: type=raw,value=latest,enable={{is_default_branch}} - name: Login to Github Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ github.token }} - name: Build and push - uses: docker/build-push-action@v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 with: context: . target: production @@ -59,7 +59,7 @@ jobs: needs: - build-and-push steps: - - uses: numerique-gouv/action-argocd-webhook-notification@main + - uses: numerique-gouv/action-argocd-webhook-notification@cac2ee67896eb13e84e804f60c4271370424eaa8 # main id: notify with: deployment_repo_path: "${{ github.repository }}" diff --git a/.github/workflows/ci-tests.yml b/.github/workflows/ci-tests.yml index 022ef6e..a004600 100644 --- a/.github/workflows/ci-tests.yml +++ b/.github/workflows/ci-tests.yml @@ -16,7 +16,7 @@ jobs: if: github.event_name == 'pull_request' # Makes sense only for pull requests steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 - name: show @@ -39,7 +39,7 @@ jobs: github.event_name == 'pull_request' steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 - name: Check that the CHANGELOG has been modified in the current branch @@ -49,7 +49,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Check CHANGELOG max line length run: | max_line_length=$(cat CHANGELOG.md | grep -Ev "^\[.*\]: https://github.com" | wc -L) @@ -65,9 +65,9 @@ jobs: working-directory: src/satosa steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install Python - uses: actions/setup-python@v3 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: '3.14' - name: Install development dependencies @@ -89,9 +89,9 @@ jobs: working-directory: src/satosa steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install Python - uses: actions/setup-python@v3 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: '3.14' - name: Install development dependencies @@ -110,7 +110,7 @@ jobs: image: ghcr.io/helmfile/helmfile:v1.2.0 steps: - - uses: actions/create-github-app-token@v1 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 id: app-token with: app-id: ${{ secrets.APP_ID }} @@ -119,7 +119,7 @@ jobs: repositories: secrets - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: submodules: recursive token: ${{ steps.app-token.outputs.token }} diff --git a/Dockerfile b/Dockerfile index 3e7e1d1..81a6e1d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -42,7 +42,8 @@ CMD ["gunicorn", "-c", "/usr/local/etc/gunicorn/satosa.py"] FROM common AS development # Install curl (for healthchecks) -RUN apt-get update && apt-get install -qy curl +RUN export DEBIAN_FRONTEND=noninteractive && \ + apt-get update && apt-get install -qy curl # Playwright browsers ENV PLAYWRIGHT_BROWSERS_PATH=/pw-browsers