inventree/InvenTree
2
0
Fork 0
mirror of https://github.com/inventree/InvenTree.git synced 2025-04-28 11:36:44 +00:00
Code

chore: improve ci security (#9384)

Browse Source 
* pin docker files

* pin github actions

* enforce hashes that are already present

* run style checks on cicd changes
This commit is contained in:
Matthias Mair 2025-03-26 03:04:45 +01:00 committed by GitHub
parent 2bd26c0f49
commit 9bc0d599bc
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 11 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.devcontainer/Dockerfile
View File

@ -3,7 +3,7 @@
# In contrast with the "production" image (which is based on an Alpine image) # In contrast with the "production" image (which is based on an Alpine image)
# we use a Debian-based image for the devcontainer # we use a Debian-based image for the devcontainer
FROM mcr.microsoft.com/devcontainers/python:3.11-bookworm FROM mcr.microsoft.com/devcontainers/python:3.11-bookworm@sha256:5140e54af7a0399a4932dd4c4653d085fcf451b093d7424867df1828ffbb9b81
# InvenTree paths # InvenTree paths
ENV INVENTREE_HOME="/home/inventree" ENV INVENTREE_HOME="/home/inventree"

2
.devcontainer/postCreateCommand.sh
View File

@ -27,7 +27,7 @@ python3 -m pip install --upgrade pip
pip3 install --ignore-installed --upgrade invoke Pillow pip3 install --ignore-installed --upgrade invoke Pillow
# install base level packages # install base level packages
pip3 install -Ur contrib/container/requirements.txt pip3 install -Ur --require-hashes contrib/container/requirements.txt
# Run initial InvenTree server setup # Run initial InvenTree server setup
invoke update -s invoke update -s

5
.github/dependabot.yml vendored
View File

@ -14,6 +14,11 @@ updates:
schedule: schedule:
interval: weekly interval: weekly
- package-ecosystem: docker
directory: /.devcontainer
schedule:
interval: weekly
- package-ecosystem: pip - package-ecosystem: pip
directories: directories:
- /docs - /docs

4
.github/workflows/docker.yaml vendored
View File

@ -170,11 +170,11 @@ jobs:
images: | images: |
inventree/inventree inventree/inventree
ghcr.io/${{ github.repository }} ghcr.io/${{ github.repository }}
- uses: depot/setup-action@v1 - uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # pin@v1
- name: Push Docker Images - name: Push Docker Images
id: push-docker id: push-docker
if: github.event_name != 'pull_request' if: github.event_name != 'pull_request'
uses: depot/build-push-action@v1 uses: depot/build-push-action@636daae76684e38c301daa0c5eca1c095b24e780 # pin@v1
with: with:
project: jczzbjkk68 project: jczzbjkk68
context: . context: .

2
.github/workflows/qc_checks.yaml vendored
View File

@ -79,7 +79,7 @@ jobs:
name: Style [pre-commit] name: Style [pre-commit]
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
needs: paths-filter needs: paths-filter
if: needs.paths-filter.outputs.server == 'true' || needs.paths-filter.outputs.frontend == 'true' || needs.paths-filter.outputs.requirements == 'true' || needs.paths-filter.outputs.force == 'true' if: needs.paths-filter.outputs.cicd == 'true' || needs.paths-filter.outputs.server == 'true' || needs.paths-filter.outputs.frontend == 'true' || needs.paths-filter.outputs.requirements == 'true' || needs.paths-filter.outputs.force == 'true'
steps: steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin@v4.2.2 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin@v4.2.2

2
contrib/container/Dockerfile
View File

@ -9,7 +9,7 @@
# - Runs InvenTree web server under django development server # - Runs InvenTree web server under django development server
# - Monitors source files for any changes, and live-reloads server # - Monitors source files for any changes, and live-reloads server
FROM python:3.11-alpine3.20 AS inventree_base FROM python:3.11-alpine3.20@sha256:520924f35357a374aa1beaa81b867f449f9f12a53f00b69ad03c3d697fdf4aad AS inventree_base
# Build arguments for this image # Build arguments for this image
ARG commit_tag="" ARG commit_tag=""