ci: switch actions to version tags for renovate digests

2026-03-28 17:42:55 +01:00 · 2026-01-09 08:15:22 +01:00
5 changed files with 37 additions and 29 deletions
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -62,7 +62,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@v6.0.1

      # For nightly builds, get the latest release version
      - name: Get latest release version
@@ -91,15 +91,15 @@ jobs:

      - name: Set up QEMU
        if: "!(github.event_name == 'schedule' && steps.get-version.outputs.skip == 'true')"
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+        uses: docker/setup-qemu-action@v3.7.0

      - name: Set up Docker Buildx
        if: "!(github.event_name == 'schedule' && steps.get-version.outputs.skip == 'true')"
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@v3.12.0

      - name: Log in to Container Registry
        if: "!(github.event_name == 'schedule' && steps.get-version.outputs.skip == 'true')"
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@v3.6.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
@@ -109,7 +109,7 @@ jobs:
      - name: Extract metadata (release)
        id: meta-release
        if: github.event_name == 'release'
-        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
+        uses: docker/metadata-action@v5.10.0
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
@@ -123,7 +123,7 @@ jobs:
      - name: Extract metadata (nightly)
        id: meta-nightly
        if: github.event_name == 'schedule' && steps.get-version.outputs.skip != 'true'
-        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
+        uses: docker/metadata-action@v5.10.0
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
@@ -138,7 +138,7 @@ jobs:
      - name: Extract metadata (manual)
        id: meta-manual
        if: github.event_name == 'workflow_dispatch'
-        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
+        uses: docker/metadata-action@v5.10.0
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
@@ -148,7 +148,7 @@ jobs:
      - name: Build and push (release)
        id: build-release
        if: github.event_name == 'release'
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        uses: docker/build-push-action@v6.18.0
        with:
          context: .
          platforms: linux/amd64,linux/arm64
@@ -164,7 +164,7 @@ jobs:
      - name: Build and push (nightly)
        id: build-nightly
        if: github.event_name == 'schedule' && steps.get-version.outputs.skip != 'true'
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        uses: docker/build-push-action@v6.18.0
        with:
          context: .
          platforms: linux/amd64,linux/arm64
@@ -180,7 +180,7 @@ jobs:
      - name: Build and push (manual)
        id: build-manual
        if: github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        uses: docker/build-push-action@v6.18.0
        with:
          context: .
          platforms: linux/amd64,linux/arm64
@@ -209,7 +209,7 @@ jobs:
      # Vulnerability scanning
      - name: Run Trivy vulnerability scanner
        if: "!(github.event_name == 'schedule' && steps.get-version.outputs.skip == 'true')"
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
+        uses: aquasecurity/trivy-action@0.33.1
        with:
          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.image-tag.outputs.tag }}
          format: "sarif"
@@ -219,7 +219,7 @@ jobs:

      - name: Upload Trivy scan results
        if: "!(github.event_name == 'schedule' && steps.get-version.outputs.skip == 'true')"
-        uses: github/codeql-action/upload-sarif@ee117c905ab18f32fa0f66c2fe40ecc8013f3e04 # v3.28.4
+        uses: github/codeql-action/upload-sarif@v3.28.4
        with:
          sarif_file: "trivy-results.sarif"
        continue-on-error: true
@@ -240,7 +240,7 @@ jobs:
      # Attestation (releases only)
      - name: Generate attestation
        if: github.event_name == 'release'
-        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
+        uses: actions/attest-build-provenance@v3.1.0
        with:
          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          subject-digest: ${{ steps.build-release.outputs.digest }}
@@ -253,14 +253,14 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@v6.0.1

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@v3.12.0

      - name: Build image (PR)
        id: build-pr
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        uses: docker/build-push-action@v6.18.0
        with:
          context: .
          platforms: linux/amd64
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -26,7 +26,7 @@ jobs:
    timeout-minutes: 10
    steps:
      - name: Release Please
-        uses: googleapis/release-please-action@c3fc4de07084f75a2b61a5b933069bda6edf3d5c # v4
+        uses: googleapis/release-please-action@v4
        with:
          token: ${{ secrets.RELEASE_PLEASE_TOKEN }}
          config-file: release-please-config.json
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -20,14 +20,14 @@ jobs:
        python-version: ["3.11", "3.12"]

    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/checkout@v4

-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+      - uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}

      - name: Set up uv
-        uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0
+        uses: astral-sh/setup-uv@v7.2.0
        with:
          enable-cache: true
          python-version: ${{ matrix.python-version }}
@@ -68,7 +68,7 @@ jobs:
          } >> "$GITHUB_STEP_SUMMARY"

      - name: Upload coverage HTML report
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        uses: actions/upload-artifact@v4
        if: always() && matrix.python-version == '3.12'
        with:
          name: coverage-report-html-${{ matrix.python-version }}
@@ -77,7 +77,7 @@ jobs:
          retention-days: 7

      - name: Upload coverage XML report
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        uses: actions/upload-artifact@v4
        if: always() && matrix.python-version == '3.12'
        with:
          name: coverage-report-xml-${{ matrix.python-version }}
@@ -86,7 +86,7 @@ jobs:
          retention-days: 7

      - name: Upload test results
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: test-results-${{ matrix.python-version }}
@@ -97,14 +97,14 @@ jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/checkout@v4

-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Set up uv
-        uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0
+        uses: astral-sh/setup-uv@v7.2.0
        with:
          enable-cache: true
          python-version: "3.12"
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -370,7 +370,7 @@ Jobs configured in `docker/ofelia.ini`:

 **Nightly rebuilds** ensure version tags always include the latest OS security patches. This is a common pattern used by official Docker images (nginx, postgres, node). Users needing reproducibility should pin by SHA digest or use dated nightly tags.

-All GitHub Actions are pinned by full SHA for security. Renovate is configured in `renovate.json` to update dependencies and maintain lockfiles.
+GitHub Actions use version tags in workflows, and Renovate is configured in `renovate.json` to pin action digests and maintain lockfiles.

 The test and lint workflow (`.github/workflows/test.yml`) installs dependencies with uv (`uv sync --locked --extra dev`) and runs commands via `uv run`, using `uv.lock` as the source of truth.

--- a/renovate.json
+++ b/renovate.json
@@ -1,10 +1,18 @@
 {
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
-    "config:recommended"
+    "config:best-practices"
  ],
  "lockFileMaintenance": {
    "enabled": true
  },
-  "dependencyDashboard": true
+  "dependencyDashboard": true,
+  "packageRules": [
+    {
+      "matchManagers": [
+        "github-actions"
+      ],
+      "pinDigests": true
+    }
+  ]
 }