chore: improve ci security (#9384)

* pin docker files * pin github actions * enforce hashes that are already present * run style checks on cicd changes
2025-04-27 19:16:44 +00:00 · 2025-03-26 03:04:45 +01:00 · 2025-03-26 03:04:45 +01:00 · 9bc0d599bc
commit 9bc0d599bc
parent 2bd26c0f49
6 changed files with 11 additions and 6 deletions
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@ -3,7 +3,7 @@
 # In contrast with the "production" image (which is based on an Alpine image)
 # we use a Debian-based image for the devcontainer

-FROM mcr.microsoft.com/devcontainers/python:3.11-bookworm
+FROM mcr.microsoft.com/devcontainers/python:3.11-bookworm@sha256:5140e54af7a0399a4932dd4c4653d085fcf451b093d7424867df1828ffbb9b81

 # InvenTree paths
 ENV INVENTREE_HOME="/home/inventree"
--- a/.devcontainer/postCreateCommand.sh
+++ b/.devcontainer/postCreateCommand.sh
@ -27,7 +27,7 @@ python3 -m pip install --upgrade pip
 pip3 install --ignore-installed --upgrade invoke Pillow

 # install base level packages
-pip3 install -Ur contrib/container/requirements.txt
+pip3 install -Ur --require-hashes contrib/container/requirements.txt

 # Run initial InvenTree server setup
 invoke update -s
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -14,6 +14,11 @@ updates:
    schedule:
      interval: weekly

+  - package-ecosystem: docker
+    directory: /.devcontainer
+    schedule:
+      interval: weekly
+
  - package-ecosystem: pip
    directories:
    - /docs
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@ -170,11 +170,11 @@ jobs:
          images: |
            inventree/inventree
            ghcr.io/${{ github.repository }}
-      - uses: depot/setup-action@v1
+      - uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # pin@v1
      - name: Push Docker Images
        id: push-docker
        if: github.event_name != 'pull_request'
-        uses: depot/build-push-action@v1
+        uses: depot/build-push-action@636daae76684e38c301daa0c5eca1c095b24e780 # pin@v1
        with:
          project: jczzbjkk68
          context: .
--- a/.github/workflows/qc_checks.yaml
+++ b/.github/workflows/qc_checks.yaml
@ -79,7 +79,7 @@ jobs:
    name: Style [pre-commit]
    runs-on: ubuntu-24.04
    needs: paths-filter
-    if: needs.paths-filter.outputs.server == 'true' || needs.paths-filter.outputs.frontend == 'true' || needs.paths-filter.outputs.requirements == 'true' || needs.paths-filter.outputs.force == 'true'
+    if: needs.paths-filter.outputs.cicd == 'true' || needs.paths-filter.outputs.server == 'true' || needs.paths-filter.outputs.frontend == 'true' || needs.paths-filter.outputs.requirements == 'true' || needs.paths-filter.outputs.force == 'true'

    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin@v4.2.2
--- a/contrib/container/Dockerfile
+++ b/contrib/container/Dockerfile
@ -9,7 +9,7 @@
 # - Runs InvenTree web server under django development server
 # - Monitors source files for any changes, and live-reloads server

-FROM python:3.11-alpine3.20 AS inventree_base
+FROM python:3.11-alpine3.20@sha256:520924f35357a374aa1beaa81b867f449f9f12a53f00b69ad03c3d697fdf4aad AS inventree_base

 # Build arguments for this image
 ARG commit_tag=""