diff --git a/.github/workflows/build-custom-image.yaml b/.github/workflows/build-custom-image.yaml
index e403f5d..9a3349b 100644
--- a/.github/workflows/build-custom-image.yaml
+++ b/.github/workflows/build-custom-image.yaml
@@ -47,7 +47,7 @@ jobs:
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
+        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
         with:
           driver-opts: |
             network=host
@@ -78,21 +78,21 @@ jobs:
             type=raw,value=v${{ steps.versions.outputs.GHOST_VERSION }}
       - name: Login to DockerHub
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: docker.io
           username: ${{ secrets.DOCKER_USER }}
           password: ${{ secrets.DOCKER_PASS }}
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: ${{ secrets.GHCR_USER }}
           password: ${{ secrets.GHCR_PASS }}
       - name: Login to Quay Container Registry
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         continue-on-error: true
         with:
           registry: quay.io
@@ -101,7 +101,7 @@ jobs:
       - name: Build and push
-        uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1
+        uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0
         id: build-and-push-workflow-dispatch
         with:
           context: .
diff --git a/.github/workflows/build-pr-tests.yaml b/.github/workflows/build-pr-tests.yaml
index ec9fec2..f762443 100644
--- a/.github/workflows/build-pr-tests.yaml
+++ b/.github/workflows/build-pr-tests.yaml
@@ -40,7 +40,7 @@ jobs:
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
+        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
         with:
           driver-opts: |
             network=host
@@ -57,7 +57,7 @@ jobs:
         run: echo ${{ steps.versions.outputs.GHOST_VERSION }}
       - name: Build
-        uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1
+        uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0
         id: build-pr
         with:
           context: .
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index bad9709..c72c768 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -14,8 +14,14 @@ name: "CodeQL"
 on:
   push:
     branches: [ "main" ]
+    paths:
+      - "./Dockerfile"
+      - "**.js"
   pull_request:
     branches: [ "main" ]
+    paths:
+      - "./Dockerfile"
+      - "**.js"
   schedule:
     - cron: '42 16 * * 2'
diff --git a/.github/workflows/jekyll-gh-pages.yml b/.github/workflows/jekyll-gh-pages.yml
new file mode 100644
index 0000000..44b55fd
--- /dev/null
+++ b/.github/workflows/jekyll-gh-pages.yml
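Review bot: The new `paths:` entries in codeql.yml use `"./Dockerfile"`, and as far as I can tell GitHub's `paths` filter matches glob patterns against repository-relative paths with no leading `./`, so that entry is unlikely to ever match; write it as `- "Dockerfile"` in both the `push` and the `pull_request` list. Adding a `paths` filter to the `pull_request` trigger of a code-scanning workflow also means pull requests that touch only other files produce no CodeQL check run at all, so if CodeQL is a required status check on `main` those PRs will never be mergeable; either drop the `pull_request` filter or make the check requirement tolerate the skipped case. The weekly `schedule` run is unaffected and still scans the whole repository.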
@@ -0,0 +1,64 @@
+# Sample workflow for building and deploying a Jekyll site to GitHub Pages
+name: Deploy Jekyll with GitHub Pages dependencies preinstalled
+
+on:
+  # Runs on pushes targeting the default branch
+  push:
+    branches: ["main"]
+    paths:
+      - "**.md"
+      - "_config.yml"
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
+concurrency:
+  group: "pages"
+  cancel-in-progress: false
+
+jobs:
+  # Build job
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Setup Pages
+        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
+      - name: Build with Jekyll
+        uses: actions/jekyll-build-pages@b178f9334b208360999a0a57b523613563698c66 # v1.0.12
+        with:
+          source: ./
+          destination: ./_site
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
+
+  # Deployment job
+  deploy:
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+        with:
+          egress-policy: audit
+
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
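Review bot: The workflow-level `permissions` block grants `pages: write` and `id-token: write` to both jobs, but only the `deploy` job's `actions/deploy-pages` step uses them; the `build` job runs a third-party Jekyll build on checked-out content and needs nothing beyond `contents: read`. Keeping the top-level block at `contents: read` and moving the two write grants to a job-level `permissions:` under `deploy` keeps the OIDC token and Pages write scope out of the build job's GITHUB_TOKEN. The `Checkout` step in `build` should also set `persist-credentials: false`, as scorecards.yml in this same change already does, so the token is not left in the workspace `.git` config for later steps. Both Harden Runner steps use `egress-policy: audit`, which only logs outbound connections; that matches the rest of the repository's workflows, so I would leave it as is but note that it does not enforce anything.

```yaml
# Sets permissions of the GITHUB_TOKEN; the build job only needs to read the repository
permissions:
  contents: read

# … unchanged: concurrency, jobs.build (add `persist-credentials: false` under the Checkout step's `with:`) …

  deploy:
    # Only the deploy job publishes to Pages and needs an OIDC token
    permissions:
      contents: read
      pages: write
      id-token: write
    environment:
      name: github-pages
# … unchanged: url, runs-on, needs, steps …
```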
diff --git a/.github/workflows/multi-build.yaml b/.github/workflows/multi-build.yaml
index 1a4c87f..d8370c0 100644
--- a/.github/workflows/multi-build.yaml
+++ b/.github/workflows/multi-build.yaml
@@ -118,7 +118,7 @@ jobs:
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
         if: ${{ matrix.platform == 'linux/arm64' || env.PLATFORM_PAIR == 'linux-arm64' }}
         continue-on-error: false
         with:
@@ -126,14 +126,14 @@ jobs:
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
+        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
         with:
           driver-opts: |
             network=host
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: ${{ secrets.GHCR_USER }}
@@ -141,7 +141,7 @@ jobs:
       - name: Build and push by digest
         id: build
-        uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1
+        uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0
         env:
           DOCKER_BUILDKIT: 1
         with:
@@ -204,7 +204,7 @@ jobs:
           merge-multiple: true
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
+        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
         with:
           driver-opts: |
             network=host
@@ -243,7 +243,7 @@ jobs:
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -276,7 +276,7 @@ jobs:
       - name: Login to Docker Hub
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         continue-on-error: true
         with:
           username: ${{ secrets.DOCKER_USER }}
diff --git a/.github/workflows/registry-cleanup.yml b/.github/workflows/registry-cleanup.yml
index b1b1e23..b20a8a3 100644
--- a/.github/workflows/registry-cleanup.yml
+++ b/.github/workflows/registry-cleanup.yml
@@ -25,7 +25,7 @@ jobs:
           egress-policy: audit
       - name: Delete 'ghost-on-kubernetes' containers older than a week
-        uses: sredevopsorg/container-retention-policy@14884871c5f4eb86c3b91ef4d0faf63f050b502b # main
+        uses: sredevopsorg/container-retention-policy@69f296cfd660720faf2f6f4b8e14ed0adda8412e # main
         with:
           image-names: ghost-on-kubernetes
           cut-off: A week ago UTC
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index a56e9cc..c72bac0 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -43,7 +43,7 @@ jobs:
           persist-credentials: false
       - name: "Run analysis"
-        uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
         with:
           results_file: results.sarif
           results_format: sarif
@@ -73,6 +73,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
+        uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
         with:
           sarif_file: results.sarif
diff --git a/Dockerfile b/Dockerfile
index 7b9e8e2..5dba3a6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@
 # The image is built with official Node 20 on Debian Bookworm (LTS Iron) image and uses the Distroless base image for security and minimalism.
 # Stage 1: Build Environment
-FROM node:iron-bookworm@sha256:786005cf39792f7046bcd66491056c26d2dbcc669c072d1a1e4ef4fcdddd26eb AS build-env
+FROM node:iron-bookworm@sha256:1ae9ba874435551280e95c8a8e74adf8a48d72b564bf9dfe4718231f2144c88f AS build-env
 USER root
 # Create a new user and group named "nonroot" with the UID 65532 and GID 65532, not a member of the root, sudo, and sys groups, and set the home directory to /home/nonroot.
 # This user is used to run the Ghost application in the container for security reasons.
@@ -50,7 +50,7 @@ RUN find "$GHOST_INSTALL"/* -type d -exec chmod 755 {} || echo "Failed find dirs
     find "$GHOST_INSTALL"/* -type f -exec chmod 664 {} || echo "Failed find files and chmod 664" && true
 # Stage 2: Final Image
-FROM gcr.io/distroless/nodejs20-debian12:latest@sha256:08d0b6846a21812d07a537eff956acc1bc38a7440a838ce6730515f8d3cd5d9e AS runtime
+FROM gcr.io/distroless/nodejs20-debian12:latest@sha256:a70f4f8e3ecaf94e04b4c8073d9a5c0b596339ac9c6016a03b676747bfb8a301 AS runtime
 # Set the installation directory and content directory for Ghost
 ENV GHOST_INSTALL_SRC=/home/nonroot/app/ghost