diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 0a04cb1..517878b 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -26,7 +26,10 @@ jobs:
         with:
           results_file: results.sarif
           results_format: sarif
-          publish_results: true
+          # publish_results requires sigstore verification of this exact action
+          # commit. Disabled because SHA-pinned references trip imposter-commit
+          # checks on the public webapp. Local SARIF upload still works.
+          publish_results: false
       - name: Upload Scorecard results
         uses: github/codeql-action/upload-sarif@dc73d59c2d7bd4f8194098a91219eeee6d8a1719 # v4.32.7
diff --git a/apps/api/Dockerfile b/apps/api/Dockerfile
index 9c48b97..cd2e241 100644
--- a/apps/api/Dockerfile
+++ b/apps/api/Dockerfile
@@ -5,7 +5,7 @@
 # ---------------------------------------------------------------------------
 # Base stage: shared dependencies
 # ---------------------------------------------------------------------------
-FROM python:3.12-slim AS base
+FROM python:3.12-slim@sha256:866411c135b507754efdf2fda51484be4d3d7d5173ed53cd083106132e710904 AS base
 
 WORKDIR /app
 
diff --git a/apps/web/Dockerfile b/apps/web/Dockerfile
index 5f33def..7812e2d 100644
--- a/apps/web/Dockerfile
+++ b/apps/web/Dockerfile
@@ -5,7 +5,7 @@
 # ---------------------------------------------------------------------------
 # Base stage: install dependencies
 # ---------------------------------------------------------------------------
-FROM node:20-alpine AS base
+FROM node:20-alpine@sha256:afdf98210b07b586eb71fa22ba2e432e058e4cd1304d31ed60888755b8c865fb AS base
 
 WORKDIR /app
 
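Review bot: The new comment above `publish_results: false` explains the cause but not the consequence — with publishing off, the project's public Scorecard result and badge stop updating, and only the code-scanning path via the `upload-sarif` step below remains. Nothing tells a later maintainer when the setting can be restored, so I would extend the comment with a tracking reference, e.g. `# TODO(<tracking-issue>): re-enable once the pinned ossf/scorecard-action ref is accepted by the publish check`. The imposter-commit explanation is plausible but cannot be confirmed from this hunk, since the `uses:` line for the scorecard step sits above the hunk's first line.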
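Review bot: Pinning `FROM python:3.12-slim@sha256:…` freezes the base at one manifest, so the tag no longer pulls patch releases and fixes now arrive only when someone bumps the digest; the same applies to the node and nginx `FROM` lines in apps/web/Dockerfile in this commit. Before merging, confirm each digest is the multi-arch index digest (for example via `docker buildx imagetools inspect python:3.12-slim`) rather than a single platform's image digest, otherwise builds for other platforms fail to resolve the reference. Also confirm an automated updater (Dependabot's `docker` ecosystem or Renovate) covers both Dockerfiles so the pins do not silently go stale — that configuration is not visible in this diff. A short comment beside each pin stating the intent would help, e.g. `# digest-pinned for reproducibility; kept current by <updater>`.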
@@ -34,7 +34,7 @@ RUN npm run build
 
 # ---------------------------------------------------------------------------
 # Production stage: serve static files with nginx
 # ---------------------------------------------------------------------------
-FROM nginx:1.25-alpine AS production
+FROM nginx:1.25-alpine@sha256:721fa00bc549df26b3e67cc558ff176112d4ba69847537766f3c28e171d180e7 AS production
 
 RUN apk add --no-cache curl