Merge pull request #218 from darac/renovate/pin-dependencies

chore(deps): pin dependencies

Author: darac

.github/workflows/codeql-analysis.yml

@@ -41,10 +41,10 @@ jobs:
 
         steps:
             - name: Checkout repository
-              uses: actions/checkout@v4
+              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
             # Initializes the CodeQL tools for scanning.
             - name: Initialize CodeQL
-              uses: github/codeql-action/init@v3
+              uses: github/codeql-action/init@fca7ace96b7d713c7035871441bd52efbe39e27e # v3
               with:
                   languages: ${{ matrix.language }}
                   # If you wish to specify custom queries, you can do so here or in a config file.
@@ -55,7 +55,7 @@ jobs:
             # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
             # If this step fails, then you should remove it and run the build manually (see below)
             - name: Autobuild
-              uses: github/codeql-action/autobuild@v3
+              uses: github/codeql-action/autobuild@fca7ace96b7d713c7035871441bd52efbe39e27e # v3
 
             # ℹ️ Command-line programs to run using the OS shell.
             # 📚 https://git.io/JvXDl
@@ -69,4 +69,4 @@ jobs:
             #   make release
 
             - name: Perform CodeQL Analysis
-              uses: github/codeql-action/analyze@v3
+              uses: github/codeql-action/analyze@fca7ace96b7d713c7035871441bd52efbe39e27e # v3

.github/workflows/readme-stars.yml

@@ -14,19 +14,19 @@ jobs:
         if: ${{ github.event.workflow_run.conclusion == 'success' }}
         runs-on: ubuntu-latest
         steps:
-            - uses: actions/checkout@v4
-            - uses: k2bd/advent-readme-stars@v1
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+            - uses: k2bd/advent-readme-stars@27bfdb5e0e611d0f006356cfe37dbfb505b0ee49 # v1
               with:
                   leaderboardId: 197414
                   sessionCookie: ${{ secrets.AOC_SESSION }}
                   userId: 1594870
             - name: AoC-badges
-              uses: J0B10/[email protected]
+              uses: J0B10/aoc-badges-action@75cd611df531bd9aa0675cae13be418d73cbdf76 # v3.0.0
               with:
                   leaderboard: https://adventofcode.com/2024/leaderboard/private/view/197414.json
                   session: ${{ secrets.AOC_SESSION }}
                   userid: 1594870
-            - uses: stefanzweifel/git-auto-commit-action@v5
+            - uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5
               with:
                   commit_message: Update README stars
                   file_pattern: README.md

.github/workflows/release-drafter.yml

@@ -36,7 +36,7 @@ jobs:
       #    echo "GHE_HOST=${GITHUB_SERVER_URL##https:\/\/}" >> $GITHUB_ENV
 
       # Drafts your next Release notes as Pull Requests are merged into "master"
-      - uses: release-drafter/release-drafter@v6
+      - uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6
         # (Optional) specify config name to use, relative to .github/. Default: release-drafter.yml
         # with:
         #   config-name: my-config.yml

.github/workflows/test.yml

@@ -31,12 +31,12 @@ jobs:
                     - macos-latest
                     # - windows-latest
         steps:
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
               with:
                   fetch-depth: 0
 
             - name: Setup UV
-              uses: astral-sh/setup-uv@v6
+              uses: astral-sh/setup-uv@f0ec1fc3b38f5e7cd731bb6ce540c5af426746bb # v6
               with:
                   activate-environment: true
 
@@ -76,7 +76,7 @@ jobs:
 
             - name: Upload JUnit results
               if: success() || failure()
-              uses: actions/upload-artifact@v4
+              uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
               with:
                   name: junit-${{ matrix.os }}-${{ matrix.env }}
                   path: |
@@ -86,7 +86,7 @@ jobs:
                   retention-days: 1
 
             - name: Publish Test Report
-              uses: dorny/test-reporter@v2
+              uses: dorny/test-reporter@890a17cecf52a379fc869ab770a71657660be727 # v2
               if: success() || failure()
               with:
                   name: Tox Tests (${{ matrix.env }})
@@ -115,26 +115,26 @@ jobs:
         concurrency: release
         runs-on: ubuntu-latest
         steps:
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
               with:
                   fetch-depth: 0
 
             - name: Obtain Project Version
-              uses: SebRollen/[email protected]
+              uses: SebRollen/toml-action@b1b3628f55fc3a28208d4203ada8b737e9687876 # v1.2.0
               id: proj-version
               with:
                   file: pyproject.toml
                   field: project.version
 
             - name: Cache SonarQube packages
-              uses: actions/cache@v4
+              uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
               with:
                   path: ~/.sonar/cache
                   key: ${{ runner.os }}-sonar
                   restore-keys: ${{ runner.os }}-sonar
 
             - name: Download JUnit reports
-              uses: actions/download-artifact@v4
+              uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
               with:
                   path: .
                   merge-multiple: true
@@ -168,7 +168,7 @@ jobs:
             # the branch was updated. To keep PSR working with the configured release branches,
             # we force a checkout of the desired release branch but at the workflow sha HEAD.
             - name: Setup | Checkout Repository at workflow sha
-              uses: actions/checkout@v4
+              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
               with:
                   fetch-depth: 0
                   ref: ${{ github.sha }}
@@ -178,7 +178,7 @@ jobs:
                   git checkout -B ${{ github.ref_name }} ${{ github.sha }}
 
             - name: Setup | Install UV
-              uses: astral-sh/setup-uv@v6
+              uses: astral-sh/setup-uv@f0ec1fc3b38f5e7cd731bb6ce540c5af426746bb # v6
               with:
                   version: latest
                   enable-cache: true
@@ -189,14 +189,14 @@ jobs:
             - name: Action | Semantic Version Release
               id: release
               # Adjust tag with desired version if applicable.
-              uses: python-semantic-release/[email protected]
+              uses: python-semantic-release/python-semantic-release@1a324000f2251a9e722e77b128bf72712653813f # v10.0.2
               with:
                   github_token: ${{ secrets.GITHUB_TOKEN }}
                   git_committer_name: "github-actions"
                   git_committer_email: "[email protected]"
 
             - name: Publish | Upload to GitHub Release Assets
-              uses: python-semantic-release/[email protected]
+              uses: python-semantic-release/publish-action@e5e3010f6a207cd5d6f5d3dccedbea355484ca02 # v10.0.2
               if: steps.release.outputs.released == 'true'
               with:
                   github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -218,7 +218,7 @@ jobs:
             id-token: write
 
         steps:
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
             - name: Log in to the container registry
               uses: docker/login-action@6d4b68b490aef8836e8fb5e50ee7b3bdfa5894f0
@@ -235,15 +235,15 @@ jobs:
 
             - name: Build and push Docker image
               id: push
-              uses: docker/build-push-action@v6
+              uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
               with:
                   context: .
                   push: ${{ github.event_name != 'pull_request' }}
                   tags: ${{ steps.meta.outputs.tags }}
                   labels: ${{ steps.meta.outputs.labels }}
 
             - name: Generate artifact attestation
-              uses: actions/attest-build-provenance@v2
+              uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2
               with:
                   subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
                   subject-digest: ${{ steps.push.outputs.digest }}

Dockerfile

@@ -1,7 +1,7 @@
-# syntax=docker/dockerfile:1.16
+# syntax=docker/dockerfile:1.16@sha256:e2dd261f92e4b763d789984f6eab84be66ab4f5f08052316d8eb8f173593acf7
 # Keep this syntax directive! It's used to enable Docker BuildKit
 
-FROM ubuntu:noble AS build
+FROM ubuntu:noble@sha256:b59d21599a2b151e23eea5f6602f4af4d7d31c4e236d22bf0b62b86d2e386b8f AS build
 
 SHELL ["sh", "-exc"]
 
@@ -27,7 +27,7 @@ apt-get install -qyy \
 apt-get clean
 EOT
 
-COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv
+COPY --from=ghcr.io/astral-sh/uv:latest@sha256:4faec156e35a5f345d57804d8858c6ba1cf6352ce5f4bffc11b7fdebdef46a38 /uv /usr/local/bin/uv
 
 # - Silence uv complaining about not being able to use hard links,
 # - tell uv to byte-compile packages for faster application startups,
@@ -75,7 +75,7 @@ RUN --mount=type=cache,target=/root/.cache \
 
 ##########################################################################
 
-FROM ubuntu:noble
+FROM ubuntu:noble@sha256:b59d21599a2b151e23eea5f6602f4af4d7d31c4e236d22bf0b62b86d2e386b8f
 SHELL ["sh", "-exc"]
 
 # Optional: add the application virtualenv to search path.