diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a3780785..c8ac2cd3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -80,9 +80,11 @@ jobs:
 allowed-endpoints: >
 api.github.com:443
 api.zippopotam.us:443
+ archive.ubuntu.com:80
 azure.archive.ubuntu.com:80
 esm.ubuntu.com:443
 github.com:443
+ mirrors.ubuntu.com:80
 packages.microsoft.com:443
 ports.ubuntu.com:80
 proxy.golang.org:443
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 6c7d40eb..2bb69980 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -148,8 +148,9 @@ jobs:
 fetch-depth: 0
 persist-credentials: false
 
- - uses: trufflesecurity/trufflehog@17456f8c7d042d8c82c9a8ca9e937231f9f42e26 # v3.95.2
+ - uses: step-security/trufflehog-action@8560b0deaa854dfe432084eaefa1dffbc1647a6b # v3.95.5
 with:
+ version: 3.95.5
 extra_args: --only-verified
 
 codeql:
diff --git a/deploy/docker-compose.caddy.yml b/deploy/docker-compose.caddy.yml
index fb85bef8..2112c448 100644
--- a/deploy/docker-compose.caddy.yml
+++ b/deploy/docker-compose.caddy.yml
@@ -3,7 +3,7 @@ services:
 caddy:
- image: caddy@sha256:25cdc846626b62d05f6b633b9b40c2c9f6ef89b515dc76133cefd920f7dbe562 # 2-alpine
+ image: caddy@sha256:af5fdcd76f2db5e4e974ee92f96ee8c0fc3edb55bd4ba5032547cbf3f65e486d # 2-alpine
 environment:
 DOMAIN: ${DOMAIN}
 ports:
diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml
index 190a9acc..dd8179b5 100644
--- a/deploy/docker-compose.yml
+++ b/deploy/docker-compose.yml
@@ -3,7 +3,7 @@ services:
 postgres:
- image: postgres@sha256:78481659c47e862334611ccdaf7c369c986b3046da9857112f3b309114a65fb4 # 17-alpine
+ image: postgres@sha256:4aabea78cf39b90e834caf3af7d602a18565f6fe2508705c8d01aa63245c2e20 # 17-alpine
 environment:
 POSTGRES_USER: micasa
 POSTGRES_DB: micasa
diff --git a/deploy/relay/Dockerfile b/deploy/relay/Dockerfile
index eb3fe414..de13c0f3 100644
--- a/deploy/relay/Dockerfile
+++ b/deploy/relay/Dockerfile
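Review bot: Both endpoints added to `allowed-endpoints` are plain HTTP (`:80`), so the apt fetches they permit rely entirely on apt's signed Release/InRelease metadata for integrity rather than on transport security; that is apt's normal trust model, but it deserves a line of explanation next to the list since this allowlist is presumably the job's egress policy. `mirrors.ubuntu.com` appears to be Ubuntu's mirror-selection redirector rather than an archive itself, so if apt is resolving mirrors through it the follow-up download goes to whichever mirror it returns, which would not be on this list — confirm against the runner's apt sources that the final host is `archive.ubuntu.com` or `azure.archive.ubuntu.com`. A short comment above the block would capture both points, e.g. `# apt mirrors are reached over HTTP; integrity comes from apt's signed metadata. mirrors.ubuntu.com is only the redirector.` The step and job enclosing this list start and end outside the hunk.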
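Review bot: The new step carries two independent version references — the pinned wrapper SHA with its `# v3.95.5` comment on the `uses:` line, and the `version: 3.95.5` input that presumably selects which TruffleHog release the wrapper fetches — and nothing records that they must move together, so an automated bump of one can leave the other behind. Quote the input as `version: "3.95.5"` so a future value such as `3.10` is not retyped as a float, and add above it `# keep in sync with the action pin above: this selects the scanner binary, the SHA pins the wrapper`. Whether the wrapper verifies a checksum or signature of the binary it downloads is not visible here, and that download is the additional trust point the move away from the upstream `trufflesecurity/trufflehog` action introduces; the commit description should say why the wrapper was adopted and that this was checked. The `- uses:` entry is complete within the hunk, but the surrounding job starts and ends outside it.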
@@ -2,7 +2,7 @@ # Licensed under the Apache License, Version 2.0
 # golang 1.26-alpine
-FROM golang@sha256:b54cbf583d390341599d7bcbc062425c081105cc5ef6d170ced98ef9d047c716 AS build
+FROM golang@sha256:32c0e6e5c4f6707717051091b4d0b077464a679eaab563e11474efc5328e2aa5 AS build
 ARG BUILD_TAGS
 WORKDIR /src
 COPY go.mod go.sum ./
@@ -11,7 +11,7 @@ COPY . .
 RUN CGO_ENABLED=0 go build -trimpath ${BUILD_TAGS:+-tags "$BUILD_TAGS"} -o /relay ./cmd/relay
 # distroless static-debian12
-FROM gcr.io/distroless/static-debian12@sha256:20bc6c0bc4d625a22a8fde3e55f6515709b32055ef8fb9cfbddaa06d1760f838
+FROM gcr.io/distroless/static-debian12@sha256:9c346e4be81b5ca7ff31a0d89eaeade58b0f95cfd3baed1f36083ddb47ca3160
 COPY --from=build /relay /relay
 EXPOSE 8080
 ENTRYPOINT ["/relay"]
diff --git a/nix/overlay.nix b/nix/overlay.nix
index 62325b74..71e07008 100644
--- a/nix/overlay.nix
+++ b/nix/overlay.nix
@@ -8,24 +8,26 @@ _final: prev:
 let
- # Scoped Go 1.26.3 override for micasa and its dev tools only.
+ # Scoped Go 1.26.4 override for micasa and its dev tools only.
 # NOT exported as go/go_1_26/buildGoModule — doing so rebuilds the
 # entire transitive closure from source (VHS → Chromium → PipeWire →
 # ffmpeg/gstreamer) because every Go derivation's input hash changes.
 #
- # 1.26.3 fixes six stdlib vulnerabilities flagged by govulncheck:
+ # 1.26.4 fixes stdlib vulnerabilities flagged by govulncheck:
 # GO-2026-4918 (net/http HTTP/2 SETTINGS frame infinite loop)
 # GO-2026-4971 (net Dial/LookupPort panic on NUL input on Windows)
 # GO-2026-4977 (net/mail consumePhrase DoS)
 # GO-2026-4980 (html/template empty