diff --git a/.github/actions/deploy-tinybird/action.yml b/.github/actions/deploy-tinybird/action.yml index c464792cc86..2a6777546df 100644 --- a/.github/actions/deploy-tinybird/action.yml +++ b/.github/actions/deploy-tinybird/action.yml @@ -36,7 +36,7 @@ runs: working-directory: ghost/core/core/server/data/tinybird - name: Send slack notification - uses: slackapi/slack-github-action@v2.1.1 + uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1 if: always() with: webhook: ${{ inputs.slack-webhook }} diff --git a/.github/actions/load-docker-image/action.yml b/.github/actions/load-docker-image/action.yml index 7f9a0a269e2..9ae742ae071 100644 --- a/.github/actions/load-docker-image/action.yml +++ b/.github/actions/load-docker-image/action.yml @@ -17,7 +17,7 @@ runs: steps: - name: Download image artifact (artifact) if: inputs.use-artifact == 'true' - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: ${{ inputs.artifact-name }} @@ -34,7 +34,7 @@ runs: - name: Log in to GitHub Container Registry if: inputs.use-artifact == 'false' - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ghcr.io username: ${{ github.actor }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1a866d8fdac..e32fb5222cd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -271,7 +271,7 @@ jobs: - run: yarn nx affected -t lint --base=${{ needs.job_setup.outputs.BASE_COMMIT }} - - uses: tryghost/actions/actions/slack-build@main + - uses: tryghost/actions/actions/slack-build@0cbdcbeb9030f46b109d5e6e44c14933026d8ca5 # main if: failure() && github.event_name == 'push' && github.ref == 'refs/heads/main' with: status: ${{ job.status }} 
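Review bot: The trailing comment on the new `uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4` line names a moving major tag, so it does not record which release the SHA actually is. The same applies to the `# v3`, `# v5`, `# v6` and `# v1` comments in the other hunks of this commit. The `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2` pin already in ci.yml records the exact release; following that form here (`# v4.<minor>.<patch>`, using the real release) lets a reviewer or an update bot match SHA to tag. Because GitHub resolves a commit SHA across an action's fork network, each new SHA should also be confirmed to exist in the upstream repository itself, which cannot be checked from this diff.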
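Review bot: `uses: tryghost/actions/actions/slack-build@0cbdcbeb9030f46b109d5e6e44c14933026d8ca5 # main` labels the pin with a branch name, which stops describing the pinned commit as soon as `main` advances. The same line recurs in the later ci.yml hunks and in label-actions.yml and release.yml, so fixes to these first-party actions will not reach the workflows until every occurrence is bumped. Consider tagging a release in tryghost/actions and writing that tag in the comment, or adding a short comment at the first use that says how the SHA is kept current; no updater configuration is visible in this diff.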
@@ -332,12 +332,12 @@ jobs: - name: Merge Admin test coverage run: yarn ember coverage-merge working-directory: ghost/admin - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: admin-coverage path: ghost/*/coverage/cobertura-coverage.xml - - uses: tryghost/actions/actions/slack-build@main + - uses: tryghost/actions/actions/slack-build@0cbdcbeb9030f46b109d5e6e44c14933026d8ca5 # main if: failure() && github.event_name == 'push' && github.ref == 'refs/heads/main' with: status: ${{ job.status }} @@ -368,7 +368,7 @@ jobs: DEPENDENCY_CACHE_KEY: ${{ needs.job_setup.outputs.dependency_cache_key }} - name: Set timezone (non-UTC) - uses: szenius/set-timezone@v2.0 + uses: szenius/set-timezone@1f9716b0f7120e344f0c62bb7b1ee98819aefd42 # v2.0 with: timezoneLinux: "America/New_York" @@ -391,13 +391,13 @@ jobs: NX_SKIP_LOG_GROUPING: true logging__level: fatal - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 if: matrix.node == env.NODE_VERSION with: name: unit-coverage path: ghost/*/coverage/cobertura-coverage.xml - - uses: tryghost/actions/actions/slack-build@main + - uses: tryghost/actions/actions/slack-build@0cbdcbeb9030f46b109d5e6e44c14933026d8ca5 # main if: failure() && github.event_name == 'push' && github.ref == 'refs/heads/main' with: status: ${{ job.status }} @@ -454,7 +454,7 @@ jobs: run: yarn nx run-many -t build --exclude=ghost-admin - name: Set timezone (non-UTC) - uses: szenius/set-timezone@v2.0 + uses: szenius/set-timezone@1f9716b0f7120e344f0c62bb7b1ee98819aefd42 # v2.0 with: timezoneLinux: "America/New_York" @@ -477,7 +477,7 @@ jobs: working-directory: ghost/core run: yarn test:ci:integration - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 if: matrix.node == env.NODE_VERSION && contains(matrix.env.DB, 'mysql') with: name: e2e-coverage 
@@ -485,7 +485,7 @@ jobs: ghost/*/coverage-e2e/cobertura-coverage.xml ghost/*/coverage-integration/cobertura-coverage.xml - - uses: tryghost/actions/actions/slack-build@main + - uses: tryghost/actions/actions/slack-build@0cbdcbeb9030f46b109d5e6e44c14933026d8ca5 # main if: failure() && github.event_name == 'push' && github.ref == 'refs/heads/main' with: status: ${{ job.status }} @@ -558,7 +558,7 @@ jobs: working-directory: ghost/core run: yarn test:ci:legacy - - uses: tryghost/actions/actions/slack-build@main + - uses: tryghost/actions/actions/slack-build@0cbdcbeb9030f46b109d5e6e44c14933026d8ca5 # main if: failure() && github.event_name == 'push' && github.ref == 'refs/heads/main' with: status: ${{ job.status }} @@ -592,13 +592,13 @@ jobs: - name: Upload test results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: admin-x-settings-playwright-report path: apps/admin-x-settings/playwright-report retention-days: 30 - - uses: tryghost/actions/actions/slack-build@main + - uses: tryghost/actions/actions/slack-build@0cbdcbeb9030f46b109d5e6e44c14933026d8ca5 # main if: failure() && github.event_name == 'push' && github.ref == 'refs/heads/main' with: status: ${{ job.status }} @@ -632,13 +632,13 @@ jobs: - name: Upload test results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: activitypub-playwright-report path: apps/activitypub/playwright-report retention-days: 30 - - uses: tryghost/actions/actions/slack-build@main + - uses: tryghost/actions/actions/slack-build@0cbdcbeb9030f46b109d5e6e44c14933026d8ca5 # main if: failure() && github.event_name == 'push' && github.ref == 'refs/heads/main' with: status: ${{ job.status }} 
@@ -672,13 +672,13 @@ jobs: - name: Upload test results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: comments-ui-playwright-report path: apps/comments-ui/playwright-report retention-days: 30 - - uses: tryghost/actions/actions/slack-build@main + - uses: tryghost/actions/actions/slack-build@0cbdcbeb9030f46b109d5e6e44c14933026d8ca5 # main if: failure() && github.event_name == 'push' && github.ref == 'refs/heads/main' with: status: ${{ job.status }} @@ -712,13 +712,13 @@ jobs: - name: Upload test results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: signup-form-playwright-report path: apps/signup-form/playwright-report retention-days: 30 - - uses: tryghost/actions/actions/slack-build@main + - uses: tryghost/actions/actions/slack-build@0cbdcbeb9030f46b109d5e6e44c14933026d8ca5 # main if: failure() && github.event_name == 'push' && github.ref == 'refs/heads/main' with: status: ${{ job.status }} @@ -735,7 +735,7 @@ jobs: working-directory: ghost/core/core/server/data/tinybird services: tinybird: - image: tinybirdco/tinybird-local:latest + image: tinybirdco/tinybird-local:latest@sha256:a652699bdd66f3972c09f028d5b044ba7a13bd479d13f9047f2c795b60fe95ab ports: - 7181:7181 steps: @@ -817,7 +817,7 @@ jobs: - name: Save Ghost CLI Debug Logs if: failure() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: ghost-cli-debug-logs path: /home/runner/.ghost/logs/ @@ -838,7 +838,7 @@ jobs: run: | [ -f ~/.ghost/logs/*.log ] && cat ~/.ghost/logs/*.log - - uses: tryghost/actions/actions/slack-build@main + - uses: tryghost/actions/actions/slack-build@0cbdcbeb9030f46b109d5e6e44c14933026d8ca5 # main if: failure() && github.event_name == 'push' && github.ref == 'refs/heads/main' with: status: ${{ job.status }} 
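Review bot: In the `tinybird` service, `image: tinybirdco/tinybird-local:latest@sha256:…` (digest elided here) keeps the `latest` tag next to a digest. When a digest is present it decides what is pulled and the tag is informational only, so the line will keep reading `latest` while the content stays frozen at the pinned build. The same form appears in compose.dev.analytics.yaml and for `stripe/stripe-cli:latest@sha256:…` in compose.dev.yaml. Replace `latest` with the release tag the digest corresponds to, or add a comment such as `# digest-pinned; tag is informational, bump tag and digest together`. Unless something refreshes these digests regularly, the pinned images will also stop receiving upstream security fixes.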
@@ -899,7 +899,7 @@ jobs: - name: Upload npm tarball if: startsWith(github.ref, 'refs/tags/v') - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: ghost-npm-tarball path: ghost/core/ghost-*.tgz @@ -952,7 +952,7 @@ jobs: - name: Upload admin artifact for CD id: upload-admin - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: admin-build-cd path: apps/admin/dist @@ -960,11 +960,11 @@ jobs: if-no-files-found: error - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - name: Log in to GitHub Container Registry if: steps.strategy.outputs.should-push == 'true' - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ghcr.io username: ${{ github.actor }} @@ -972,7 +972,7 @@ jobs: - name: Docker meta (core) id: meta-core - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 with: images: ${{ steps.strategy.outputs.image-core-name }} tags: | @@ -990,7 +990,7 @@ jobs: - name: Docker meta (full) id: meta-full - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 with: images: ${{ steps.strategy.outputs.image-full-name }} tags: | @@ -1007,7 +1007,7 @@ jobs: org.opencontainers.image.vendor=TryGhost - name: Build & push core image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 with: context: /tmp/ghost-production file: Dockerfile.production 
@@ -1023,7 +1023,7 @@ jobs: cache-to: ${{ steps.strategy.outputs.should-push == 'true' && format('type=registry,ref={0}:cache-{1},mode=max', steps.strategy.outputs.image-core-name, github.event_name == 'pull_request' && format('pr-{0}', github.event.pull_request.number) || 'main') || '' }} - name: Build & push full image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 with: context: /tmp/ghost-production file: Dockerfile.production @@ -1047,7 +1047,7 @@ jobs: ls -lh docker-image-production.tar.gz - name: Upload image artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: docker-image-production path: docker-image-production.tar.gz @@ -1141,7 +1141,7 @@ jobs: ls -lh e2e-public-apps.tar.gz - name: Upload public app artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: e2e-public-apps path: e2e-public-apps.tar.gz @@ -1160,7 +1160,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Download public app artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: e2e-public-apps @@ -1168,7 +1168,7 @@ jobs: run: tar -xzf e2e-public-apps.tar.gz - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 with: # Fork/cross-repo PRs use artifact transfer (no GHCR push). The default # docker-container driver runs in an isolated BuildKit container that @@ -1198,7 +1198,7 @@ jobs: - name: Log in to GitHub Container Registry if: steps.strategy.outputs.should-push == 'true' - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ghcr.io username: ${{ github.actor }} 
@@ -1206,7 +1206,7 @@ jobs: - name: Docker meta (e2e) id: meta-e2e - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 with: images: ${{ needs.job_build_artifacts.outputs.image-e2e-name }} tags: | @@ -1220,7 +1220,7 @@ jobs: org.opencontainers.image.vendor=TryGhost - name: Build & push E2E image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 with: context: . file: e2e/Dockerfile.e2e @@ -1244,7 +1244,7 @@ jobs: - name: Upload E2E image artifact if: steps.strategy.outputs.use-artifact == 'true' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: docker-image-e2e path: docker-image-e2e.tar.gz @@ -1269,7 +1269,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - name: Pull or build Tinybird CLI Image run: | @@ -1329,7 +1329,7 @@ jobs: - name: Upload blob report to GitHub Actions Artifacts if: failure() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: blob-report-${{ matrix.shardIndex }} path: e2e/blob-report @@ -1337,13 +1337,13 @@ jobs: - name: Upload test results artifacts if: failure() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: test-results-${{ matrix.shardIndex }} path: e2e/test-results retention-days: 7 - - uses: tryghost/actions/actions/slack-build@main + - uses: tryghost/actions/actions/slack-build@0cbdcbeb9030f46b109d5e6e44c14933026d8ca5 # main if: failure() && github.event_name == 'push' && github.ref == 'refs/heads/main' with: status: ${{ job.status }} 
@@ -1371,7 +1371,7 @@ jobs: DEPENDENCY_CACHE_KEY: ${{ needs.job_setup.outputs.dependency_cache_key }} - name: Download blob reports from GitHub Actions Artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 continue-on-error: true with: path: e2e/all-blob-reports @@ -1389,7 +1389,7 @@ jobs: - name: Download test results from GitHub Actions Artifacts if: steps.check.outputs.has_reports == 'true' - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: path: e2e/all-test-results pattern: test-results-* @@ -1402,7 +1402,7 @@ jobs: - name: Upload HTML report if: steps.check.outputs.has_reports == 'true' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: playwright-report path: e2e/playwright-report @@ -1410,7 +1410,7 @@ jobs: - name: Upload merged test results if: steps.check.outputs.has_reports == 'true' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: test-results path: e2e/all-test-results @@ -1447,7 +1447,7 @@ jobs: - name: Restore Admin coverage if: contains(needs.job_admin-tests.result, 'success') - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: admin-coverage @@ -1457,13 +1457,13 @@ jobs: rsync -av --remove-source-files admin/* ghost/admin - name: Upload Admin test coverage - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5 with: flags: admin-tests - name: Restore E2E coverage if: contains(needs.job_acceptance-tests.result, 'success') - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: e2e-coverage 
@@ -1474,7 +1474,7 @@ jobs: - name: Upload E2E test coverage if: contains(needs.job_acceptance-tests.result, 'success') - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5 with: flags: e2e-tests @@ -1628,7 +1628,7 @@ jobs: - name: Purge jsDelivr cache if: steps.version_check.outputs.version_changed == 'true' - uses: gacts/purge-jsdelivr-cache@v1 + uses: gacts/purge-jsdelivr-cache@8d92aea944f1a3e8ad70505379e1a8ac72d56b73 # v1 with: url: ${{ steps.cdn_paths.outputs.cdn_paths }} @@ -1707,7 +1707,7 @@ jobs: - name: Dispatch to Ghost-Moya cd.yml if: steps.params.outputs.skip != 'true' - uses: peter-evans/repository-dispatch@v3 + uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3 with: token: ${{ secrets.CANARY_DOCKER_BUILD }} repository: TryGhost/Ghost-Moya @@ -1738,7 +1738,7 @@ jobs: id-token: write steps: - name: Download npm tarball - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: ghost-npm-tarball @@ -1760,7 +1760,7 @@ jobs: - name: Publish to npm run: npm publish ghost-*.tgz --access public - - uses: tryghost/actions/actions/slack-build@main + - uses: tryghost/actions/actions/slack-build@0cbdcbeb9030f46b109d5e6e44c14933026d8ca5 # main if: failure() with: status: ${{ job.status }} diff --git a/.github/workflows/create-release-branch.yml b/.github/workflows/create-release-branch.yml index b4f3446314c..2fce9e32193 100644 --- a/.github/workflows/create-release-branch.yml +++ b/.github/workflows/create-release-branch.yml @@ -39,7 +39,7 @@ jobs: run: git checkout "$(git describe --tags --abbrev=0 --match=v*)" if: inputs.base-ref == 'latest' - - uses: asdf-vm/actions/install@v4 + - uses: asdf-vm/actions/install@b7bcd026f18772e44fe1026d729e1611cc435d47 # v4 with: tool_versions: | semver 3.3.0 
diff --git a/.github/workflows/deploy-to-staging.yml b/.github/workflows/deploy-to-staging.yml index 6e0c294a8f9..d0a5b861f51 100644 --- a/.github/workflows/deploy-to-staging.yml +++ b/.github/workflows/deploy-to-staging.yml @@ -113,7 +113,7 @@ jobs: - name: Dispatch to Ghost-Moya if: steps.recheck.outputs.skip != 'true' - uses: peter-evans/repository-dispatch@v3 + uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3 with: token: ${{ secrets.CANARY_DOCKER_BUILD }} repository: TryGhost/Ghost-Moya diff --git a/.github/workflows/label-actions.yml b/.github/workflows/label-actions.yml index 863ac9b41ba..c98123bcdf2 100644 --- a/.github/workflows/label-actions.yml +++ b/.github/workflows/label-actions.yml @@ -18,4 +18,4 @@ jobs: runs-on: ubuntu-latest if: github.repository_owner == 'TryGhost' steps: - - uses: tryghost/actions/actions/label-actions@main + - uses: tryghost/actions/actions/label-actions@0cbdcbeb9030f46b109d5e6e44c14933026d8ca5 # main diff --git a/.github/workflows/pr-preview.yml b/.github/workflows/pr-preview.yml index ae00a8969af..2bde71e8135 100644 --- a/.github/workflows/pr-preview.yml +++ b/.github/workflows/pr-preview.yml @@ -97,7 +97,7 @@ jobs: - name: Dispatch deploy to Ghost-Moya if: steps.recheck.outputs.skip != 'true' - uses: peter-evans/repository-dispatch@v3 + uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3 with: token: ${{ secrets.CANARY_DOCKER_BUILD }} repository: TryGhost/Ghost-Moya @@ -120,7 +120,7 @@ jobs: contents: read steps: - name: Dispatch destroy to Ghost-Moya - uses: peter-evans/repository-dispatch@v3 + uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3 with: token: ${{ secrets.CANARY_DOCKER_BUILD }} repository: TryGhost/Ghost-Moya diff --git a/.github/workflows/publish-tb-cli.yml b/.github/workflows/publish-tb-cli.yml index e81f923db08..2d953046d0d 100644 --- a/.github/workflows/publish-tb-cli.yml 
+++ b/.github/workflows/publish-tb-cli.yml @@ -24,17 +24,17 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - name: Login to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push - uses: docker/build-push-action@v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 with: context: . file: docker/tb-cli/Dockerfile diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 763e2438432..c9ac6f439c0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -103,7 +103,7 @@ jobs: - name: Notify on failure if: failure() - uses: tryghost/actions/actions/slack-build@main + uses: tryghost/actions/actions/slack-build@0cbdcbeb9030f46b109d5e6e44c14933026d8ca5 # main with: status: ${{ job.status }} env: diff --git a/Dockerfile.production b/Dockerfile.production index b889bbbb502..b44e5fc29b0 100644 --- a/Dockerfile.production +++ b/Dockerfile.production @@ -1,4 +1,4 @@ -# syntax=docker/dockerfile:1-labs +# syntax=docker/dockerfile:1-labs@sha256:7eca9451d94f9b8ad22e44988b92d595d3e4d65163794237949a8c3413fbed5d # Production Dockerfile for Ghost # Two targets: diff --git a/apps/admin-x-design-system/package.json b/apps/admin-x-design-system/package.json index 59199fb7ab8..52571c473f4 100644 --- a/apps/admin-x-design-system/package.json +++ b/apps/admin-x-design-system/package.json 
@@ -36,7 +36,7 @@ "@storybook/react": "8.6.14", "@storybook/react-vite": "8.6.14", "@storybook/testing-library": "0.2.2", - "@tailwindcss/postcss": "^4", + "@tailwindcss/postcss": "4.2.1", "@testing-library/react": "14.3.1", "@testing-library/react-hooks": "8.0.1", "@types/lodash-es": "4.17.12", @@ -56,7 +56,7 @@ "rollup-plugin-node-builtins": "2.1.2", "sinon": "18.0.1", "storybook": "8.6.14", - "tailwindcss": "^4", + "tailwindcss": "4.2.1", "typescript": "5.8.3", "validator": "13.12.0", "vite": "5.4.21", diff --git a/compose.dev.analytics.yaml b/compose.dev.analytics.yaml index 3a9b7308803..59cde8950e2 100644 --- a/compose.dev.analytics.yaml +++ b/compose.dev.analytics.yaml @@ -29,7 +29,7 @@ services: condition: service_completed_successfully tinybird-local: - image: tinybirdco/tinybird-local:latest + image: tinybirdco/tinybird-local:latest@sha256:a652699bdd66f3972c09f028d5b044ba7a13bd479d13f9047f2c795b60fe95ab container_name: ghost-dev-tinybird platform: linux/amd64 stop_grace_period: 2s diff --git a/compose.dev.storage.yaml b/compose.dev.storage.yaml index ec977aa42e8..68fca383612 100644 --- a/compose.dev.storage.yaml +++ b/compose.dev.storage.yaml @@ -6,7 +6,7 @@ services: minio: - image: minio/minio:RELEASE.2024-12-13T22-19-12Z + image: minio/minio:RELEASE.2024-12-13T22-19-12Z@sha256:149fdd73108553247ceee85fc65466f51034bd6e145d6e0c0e415167f5f1274f container_name: ghost-dev-minio command: server /data --console-address ':9001' ports: @@ -23,7 +23,7 @@ services: retries: 120 minio-setup: - image: minio/mc + image: minio/mc@sha256:a7fe349ef4bd8521fb8497f55c6042871b2ae640607cf99d9bede5e9bdf11727 container_name: ghost-dev-minio-setup entrypoint: ["/bin/sh", "/setup.sh"] environment: diff --git a/compose.dev.yaml b/compose.dev.yaml index 63539a7743b..9671094be10 100644 --- a/compose.dev.yaml +++ b/compose.dev.yaml 
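Review bot: In compose.dev.storage.yaml, `image: minio/mc@sha256:…` (digest elided here) pins a digest with no tag, so nothing in the file says which mc release this is or how old it has become; `axllent/mailpit@sha256:…` in compose.dev.yaml has the same gap. The `minio/minio:RELEASE.2024-12-13T22-19-12Z@sha256:…` line in the previous hunk shows the more reviewable form. Add the matching release tag before the digest, `image: minio/mc:<RELEASE_TAG>@sha256:…`, or a trailing `# <release>` comment, so that a later digest bump can be checked against a named version.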
@@ -2,7 +2,7 @@ name: ghost-dev services: mysql: - image: mysql:8.4.5 + image: mysql:8.4.5@sha256:679e7e924f38a3cbb62a3d7df32924b83f7321a602d3f9f967c01b3df18495d6 container_name: ghost-dev-mysql command: --innodb-buffer-pool-size=1G --innodb-log-buffer-size=500M --innodb-change-buffer-max-size=50 --innodb-flush-log-at-trx_commit=0 --innodb-flush-method=O_DIRECT ports: @@ -22,7 +22,7 @@ services: start_period: 10s redis: - image: redis:7.0 + image: redis:7.0@sha256:352c1fdadc91926edda08f45aeb3f27f37194c2f14101229c0523a11195c96e3 container_name: ghost-dev-redis ports: - "6379:6379" @@ -39,7 +39,7 @@ services: retries: 120 mailpit: - image: axllent/mailpit + image: axllent/mailpit@sha256:0b5c5f7ffd3c93474baa7fd3869c1462e5a3d03256ed0933dfc0e7d81d794036 container_name: ghost-dev-mailpit ports: - "1025:1025" # SMTP server @@ -121,7 +121,7 @@ services: condition: service_healthy stripe: - image: stripe/stripe-cli:latest + image: stripe/stripe-cli:latest@sha256:a7a01c0e547c2835c7e2bc4f2ff2c1c9c4c947b305d39b33c345552d8e6abb5e container_name: ghost-dev-stripe entrypoint: ["/entrypoint.sh"] profiles: ["stripe"] diff --git a/docker/dev-gateway/Dockerfile b/docker/dev-gateway/Dockerfile index b1b531cbc72..4e40914fab3 100644 --- a/docker/dev-gateway/Dockerfile +++ b/docker/dev-gateway/Dockerfile @@ -1,4 +1,4 @@ -FROM caddy:2-alpine +FROM caddy:2-alpine@sha256:fce4f15aad23222c0ac78a1220adf63bae7b94355d5ea28eee53910624acedfa RUN caddy add-package github.com/caddyserver/transform-encoder diff --git a/docker/tb-cli/Dockerfile b/docker/tb-cli/Dockerfile index 22540c49ed4..c90a469e04c 100644 --- a/docker/tb-cli/Dockerfile +++ b/docker/tb-cli/Dockerfile 
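Review bot: In docker/dev-gateway/Dockerfile the base image is now digest-pinned, but the following context line, `RUN caddy add-package github.com/caddyserver/transform-encoder`, still fetches whichever plugin build is current when the image is built. The resulting gateway binary is therefore not fixed by this change. If reproducibility is the goal for this image, build the plugin at a fixed version instead, for example in a builder stage running `xcaddy build --with github.com/caddyserver/transform-encoder@<PINNED_VERSION>`, then copy the binary into the pinned runtime image with `COPY --from`. The rest of the Dockerfile lies outside the hunk, so later steps may need the same check.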
@@ -1,7 +1,7 @@ FROM python:3.13-slim@sha256:27f90d79cc85e9b7b2560063ef44fa0e9eaae7a7c3f5a9f74563065c5477cc24 # Install uv from Astral.sh -COPY --from=ghcr.io/astral-sh/uv:0.8.13 /uv /uvx /bin/ +COPY --from=ghcr.io/astral-sh/uv:0.8.13@sha256:4de5495181a281bc744845b9579acf7b221d6791f99bcc211b9ec13f417c2853 /uv /uvx /bin/ # Install dependencies RUN apt-get update && apt-get install -y --no-install-recommends \ diff --git a/yarn.lock b/yarn.lock index a1625b96cde..e36c73c8224 100644 --- a/yarn.lock +++ b/yarn.lock @@ -9138,7 +9138,7 @@ "@tailwindcss/oxide-win32-arm64-msvc" "4.2.1" "@tailwindcss/oxide-win32-x64-msvc" "4.2.1" -"@tailwindcss/postcss@4.2.1", "@tailwindcss/postcss@^4": +"@tailwindcss/postcss@4.2.1": version "4.2.1" resolved "https://registry.yarnpkg.com/@tailwindcss/postcss/-/postcss-4.2.1.tgz#efce3b23608b23324ed4848ff1aae657adfe0c5f" integrity sha512-OEwGIBnXnj7zJeonOh6ZG9woofIjGrd2BORfvE5p9USYKDCZoQmfqLcfNiRWoJlRWLdNPn2IgVZuWAOM4iTYMw== @@ -33768,7 +33768,7 @@ tailwindcss@3.4.18: resolve "^1.22.8" sucrase "^3.35.0" -tailwindcss@4.2.1, tailwindcss@^4: +tailwindcss@4.2.1: version "4.2.1" resolved "https://registry.yarnpkg.com/tailwindcss/-/tailwindcss-4.2.1.tgz#018c4720b58baf98a6bf56b0a12aa797c6cfef1d" integrity sha512-/tBrSQ36vCleJkAOsy9kbNTgaxvGbyOamC30PRePTQe/o1MFwEKHQk4Cn7BNGaPtjp+PuUrByJehM1hgxfq4sw==