diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 816970cd..582cd3e4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -42,7 +42,7 @@ jobs:
python-version: ["3.12", "3.13", "3.14"]
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up uv # Pinned to a full commit SHA (third-party action); comment tracks the tag.
@@ -68,7 +68,7 @@ jobs:
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
diff --git a/Dockerfile b/Dockerfile
index 592e2eee..e185f882 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM python:3.12-slim-bookworm AS builder
+FROM python:3.12-slim-bookworm@sha256:8a7e7cc04fd3e2bd787f7f24e22d5d119aa590d429b50c95dfe12b3abe52f48b AS builder
WORKDIR /app
COPY pyproject.toml README.md ./
@@ -6,7 +6,7 @@ COPY src/ src/
RUN python -m venv .venv
RUN .venv/bin/pip install --no-cache-dir .
-FROM python:3.12-slim-bookworm
+FROM python:3.12-slim-bookworm@sha256:8a7e7cc04fd3e2bd787f7f24e22d5d119aa590d429b50c95dfe12b3abe52f48b
RUN apt-get update \
&& apt-get install --no-install-recommends -y git ca-certificates \
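Review bot: The added `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2` freezes checkout at one commit, and nothing in this hunk (or the diff) shows an updater that would move the pin when a fixed release ships, so the pin can silently stay on a vulnerable version. If the repo does not already have one, add `.github/dependabot.yml` with `package-ecosystem: "github-actions"` (Dependabot bumps SHA-pinned actions and, as far as I know, keeps the `# vX.Y.Z` comment in sync) or the Renovate equivalent. I cannot verify from here that 11bd719… is the commit tagged v4.2.2; confirm against the upstream tag before merging, since a wrong comment is worse than none. The context comment on the setup-uv step still justifies pinning with "(third-party action)"; now that first-party actions are pinned too, shorten it to `# Pinned to a full commit SHA; comment tracks the tag.` so the policy reads as uniform. The job this hunk belongs to starts above the hunk.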
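Review bot: The pinned checkout in the `pull_request` job keeps checkout's default of persisting the workflow token into `.git/config` (per actions/checkout's documented behaviour), and with `fetch-depth: 0` the whole history is on disk for the rest of the job; unless a later step pushes or uses authenticated git, add `persist-credentials: false` under the existing `with:` so a compromised later step cannot lift the token from the checkout. Proposed: `with:` / `  fetch-depth: 0` / `  persist-credentials: false`. On `pull_request` the token for fork PRs is read-only, so the blast radius is limited, but the default still leaves a credential lying on disk. The job's remaining steps are outside the hunk, so whether anything relies on the persisted token cannot be confirmed here.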
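Review bot: The digest-pinned `FROM python:3.12-slim-bookworm@sha256:8a7e7cc0…` no longer receives the Debian security updates and 3.12.x patch releases that used to arrive through the floating tag — once a digest is present the tag is informational and the digest alone is resolved — and nothing in the diff shows an updater to refresh it. Pair the pin with Dependabot's `docker` ecosystem or Renovate plus a scheduled rebuild, otherwise this trades supply-chain integrity for a slowly ageing base image. Dockerfile has no inline-comment syntax, so document the pin on the line above, e.g. `# Digest-pinned; the tag is kept for readability only. Bump the digest via the image updater, not by hand.`. If the image is built for more than one architecture, also confirm the digest is the multi-arch manifest-list digest rather than a single-platform one; I cannot tell from here.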