From 9bc0d599bc4bf1085709e00d7b6498e5149bef15 Mon Sep 17 00:00:00 2001 From: Matthias Mair Date: Wed, 26 Mar 2025 03:04:45 +0100 Subject: [PATCH] chore: improve ci security (#9384) * pin docker files * pin github actions * enforce hashes that are already present * run style checks on cicd changes --- .devcontainer/Dockerfile | 2 +- .devcontainer/postCreateCommand.sh | 2 +- .github/dependabot.yml | 5 +++++ .github/workflows/docker.yaml | 4 ++-- .github/workflows/qc_checks.yaml | 2 +- contrib/container/Dockerfile | 2 +- 6 files changed, 11 insertions(+), 6 deletions(-) diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index c305bae278..86ce91c5b5 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -3,7 +3,7 @@ # In contrast with the "production" image (which is based on an Alpine image) # we use a Debian-based image for the devcontainer -FROM mcr.microsoft.com/devcontainers/python:3.11-bookworm +FROM mcr.microsoft.com/devcontainers/python:3.11-bookworm@sha256:5140e54af7a0399a4932dd4c4653d085fcf451b093d7424867df1828ffbb9b81 # InvenTree paths ENV INVENTREE_HOME="/home/inventree" diff --git a/.devcontainer/postCreateCommand.sh b/.devcontainer/postCreateCommand.sh index 6d03ef4573..8a448f4eae 100755 --- a/.devcontainer/postCreateCommand.sh +++ b/.devcontainer/postCreateCommand.sh @@ -27,7 +27,7 @@ python3 -m pip install --upgrade pip pip3 install --ignore-installed --upgrade invoke Pillow # install base level packages -pip3 install -Ur contrib/container/requirements.txt +pip3 install -Ur --require-hashes contrib/container/requirements.txt # Run initial InvenTree server setup invoke update -s diff --git a/.github/dependabot.yml b/.github/dependabot.yml index fccb183da4..9c573edab8 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -14,6 +14,11 @@ updates: schedule: interval: weekly + - package-ecosystem: docker + directory: /.devcontainer + schedule: + interval: weekly + - package-ecosystem: pip directories: - /docs 
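Review bot: The digest appended to the devcontainer `FROM` line needs to be the image index (manifest-list) digest rather than a single-platform manifest digest; the hunk does not show which one was resolved, and `mcr.microsoft.com/devcontainers/python` is published multi-arch, so a single-arch digest would break or silently emulate the devcontainer on arm64 hosts. Record what the digest resolves to so reviewers and Dependabot can reason about it, e.g. append `# index digest for 3.11-bookworm, resolved <DATE>` on the `FROM` line (placeholder date). The same question applies to the `contrib/container/Dockerfile` hunk at the end of this patch, where the `inventree_base` stage feeds the production image.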
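Review bot: `pip3 install -Ur --require-hashes contrib/container/requirements.txt` most likely does not do what is intended: pip parses options with optparse, and in the short-option cluster `-Ur` the `-r` option takes the next token as its value, so `--require-hashes` is read as the requirements file name and `contrib/container/requirements.txt` is treated as a package to install. Separate the options and place the flag before `-r`: `pip3 install -U --require-hashes -r contrib/container/requirements.txt`. Note also that the line two above, `pip3 install --ignore-installed --upgrade invoke Pillow`, still installs unpinned, unhashed packages into the same environment, so hash enforcement covers only part of what this script installs.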
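Review bot: The new `docker` entry covers only `/.devcontainer`, yet this same patch digest-pins `contrib/container/Dockerfile` as well; a digest pin with no updater freezes the `python:3.11-alpine3.20` base, so fixes to it stop arriving until someone edits the digest by hand. Unless the rest of the file (outside this hunk) already lists that directory, add a matching entry, e.g. `- package-ecosystem: docker` / `directory: /contrib/container` / `schedule: {interval: weekly}`, or use the `directories:` list form the `pip` entry below already uses. A `github-actions` ecosystem entry should likewise be present so the newly SHA-pinned depot actions in `.github/workflows/docker.yaml` are kept current.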
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index 1ca0b1b55b..6627e01fcd 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -170,11 +170,11 @@ jobs: images: | inventree/inventree ghcr.io/${{ github.repository }} - - uses: depot/setup-action@v1 + - uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # pin@v1 - name: Push Docker Images id: push-docker if: github.event_name != 'pull_request' - uses: depot/build-push-action@v1 + uses: depot/build-push-action@636daae76684e38c301daa0c5eca1c095b24e780 # pin@v1 with: project: jczzbjkk68 context: . diff --git a/.github/workflows/qc_checks.yaml b/.github/workflows/qc_checks.yaml index 900c6eeb57..285471a7b5 100644 --- a/.github/workflows/qc_checks.yaml +++ b/.github/workflows/qc_checks.yaml @@ -79,7 +79,7 @@ jobs: name: Style [pre-commit] runs-on: ubuntu-24.04 needs: paths-filter - if: needs.paths-filter.outputs.server == 'true' || needs.paths-filter.outputs.frontend == 'true' || needs.paths-filter.outputs.requirements == 'true' || needs.paths-filter.outputs.force == 'true' + if: needs.paths-filter.outputs.cicd == 'true' || needs.paths-filter.outputs.server == 'true' || needs.paths-filter.outputs.frontend == 'true' || needs.paths-filter.outputs.requirements == 'true' || needs.paths-filter.outputs.force == 'true' steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin@v4.2.2 diff --git a/contrib/container/Dockerfile b/contrib/container/Dockerfile index 4d51bd903b..92a06abd65 100644 --- a/contrib/container/Dockerfile +++ b/contrib/container/Dockerfile @@ -9,7 +9,7 @@ # - Runs InvenTree web server under django development server # - Monitors source files for any changes, and live-reloads server -FROM python:3.11-alpine3.20 AS inventree_base +FROM python:3.11-alpine3.20@sha256:520924f35357a374aa1beaa81b867f449f9f12a53f00b69ad03c3d697fdf4aad AS inventree_base # Build arguments for this image ARG commit_tag=""
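Review bot: The `# pin@v1` comments on the two depot action lines record only a floating major tag, so a reader cannot tell which release the SHA was taken from or re-verify it, whereas the repository's existing convention (see `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin@v4.2.2` in the `qc_checks.yaml` hunk) records the exact version. Replace them with the full tag the SHA was resolved from, e.g. `uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # pin@v1.<x>.<y>` (placeholder version), and the same for `depot/build-push-action`.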
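Review bot: The added `needs.paths-filter.outputs.cicd == 'true'` term only fires if the `paths-filter` job actually declares a `cicd` output backed by a filter over the workflow directory; that job is outside this hunk, and if the output does not exist the expression evaluates to an empty value and the new condition is silently never true, so the "run style checks on cicd changes" intent of the commit would not be met. Confirm the output is defined, and consider splitting the now very long `if:` into a `>-` block scalar with one clause per line so the next addition is reviewable.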