Pin dependencies

.github/workflows/00_add_patch_label.yml

@@ -19,7 +19,7 @@ jobs:
     steps:
       - name: Check user labels
         id: check_user_labels
-        uses: actions/[email protected]
+        uses: actions/github-script@d556feaca394842dc55e4734bf3bb9f685482fa0 # v6.3.3
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
@@ -48,7 +48,7 @@ jobs:
 
       - name: Add comment
         if: ${{ steps.check_user_labels.outputs.result == 'true' }}
-        uses: actions/[email protected]
+        uses: actions/github-script@d556feaca394842dc55e4734bf3bb9f685482fa0 # v6.3.3
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |

.github/workflows/01_anchore.yml

@@ -37,20 +37,20 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout the code
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 
       - name: Build the Docker image
         run: docker build . --file ${{ env.DOCKERFILE }} --force-rm --tag localbuild/testimage:latest --build-arg APP_NAME=pagopafdr --build-arg QUARKUS_PROFILE=prod
 
       - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
-        uses: anchore/scan-action@v3
+        uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3
         with:
           image: "localbuild/testimage:latest"
           acs-report-enable: true
           fail-build: false
           severity-cutoff: "high"
       - name: Upload Anchore Scan Report
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@366883a76d75dcee5428da5c3ae7abf9386e35ac # v2
         if: always()
         with:
           sarif_file: results.sarif

.github/workflows/01_assignee.yml

@@ -21,6 +21,6 @@ jobs:
     steps:
       - name: Assign Me
         # You may pin to the exact commit or the version.
-        uses: kentaro-m/[email protected]
+        uses: kentaro-m/auto-assign-action@746a3a558fdd0e061f612ec9f8ff1b8a19c1a115 # v1.2.1
         with:
           configuration-path: '.github/auto_assign.yml'

.github/workflows/02_check_pr.yml

@@ -24,7 +24,7 @@ jobs:
     steps:
       - name: Verify PR Labels
         if: ${{ !contains(github.event.pull_request.labels.*.name, 'patch') && !contains(github.event.pull_request.labels.*.name, 'ignore-for-release') }}
-        uses: actions/[email protected]
+        uses: actions/github-script@d556feaca394842dc55e4734bf3bb9f685482fa0 # v6.3.3
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
@@ -57,15 +57,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Formatting
         id: format
         continue-on-error: true
         uses: axel-op/googlejavaformat-action@v3
         with:
           args: "--set-exit-if-changed"
 
-      - uses: actions/[email protected]
+      - uses: actions/github-script@d556feaca394842dc55e4734bf3bb9f685482fa0 # v6.3.3
         if: steps.format.outcome != 'success'
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/04_release_and_deploy.yml

@@ -78,7 +78,7 @@ jobs:
     steps:
       - name: Make Release
         id: release
-        uses: pagopa/github-actions-template/[email protected]
+        uses: pagopa/github-actions-template/maven-release@d91a1fd0b913c9830589be5d86cdb71c90813fae # v1.5.4
         with:
           semver: ${{ needs.setup.outputs.semver }}
           github_token: ${{ secrets.BOT_TOKEN_GITHUB }}
@@ -93,7 +93,7 @@ jobs:
     steps:
       - name: Build and Push
         id: semver
-        uses: pagopa/github-actions-template/[email protected]
+        uses: pagopa/github-actions-template/ghcr-build-push@d91a1fd0b913c9830589be5d86cdb71c90813fae # v1.5.4
         with:
           branch: ${{ github.ref_name}}
           github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -120,7 +120,7 @@ jobs:
     steps:
       - name: Report Status
         if: always()
-        uses: ravsamhq/notify-slack-action@v2
+        uses: ravsamhq/notify-slack-action@be814b201e233b2dc673608aa46e5447c8ab13f2 # v2
         with:
           status: ${{ needs.deploy_aks.result }}
           token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/05_update_code.yml

@@ -17,7 +17,7 @@ jobs:
     if: ${{ contains(github.event.comment.body, 'update_code') }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
         with:
           token: ${{ secrets.API_TOKEN_GITHUB }}
 
@@ -26,7 +26,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Set up JDK 11
-        uses: actions/setup-java@v1
+        uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1
         with:
           java-version: 11
 
@@ -43,7 +43,7 @@ jobs:
     if: ${{ always() && contains(needs.*.result, 'failure') }}
     steps:
       - name: Notify if Failure
-        uses: actions/[email protected]
+        uses: actions/github-script@d556feaca394842dc55e4734bf3bb9f685482fa0 # v6.3.3
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |

.github/workflows/06_integration_test.yml

@@ -70,7 +70,7 @@ jobs:
           subscription-id: ${{ secrets.SUBSCRIPTION_ID }}
 
       - name: Download old reports
-        uses: azure/CLI@v1
+        uses: azure/CLI@4db43908b9df2e7ac93c8275a8f9a448c59338dd # v1
         env:
           STORAGE_NAME: ${{ vars.INTEGRATION_TEST_STORAGE_ACCOUNT_NAME }}
           STORAGE_FOLDER: ${{ vars.INTEGRATION_TEST_REPORTS_FOLDER }}
@@ -97,7 +97,7 @@ jobs:
           -v  ./reports:/app/reports fdr3_test
 
       - name: Upload reports
-        uses: azure/CLI@v1
+        uses: azure/CLI@4db43908b9df2e7ac93c8275a8f9a448c59338dd # v1
         env:
           STORAGE_NAME: ${{ vars.INTEGRATION_TEST_STORAGE_ACCOUNT_NAME }}
           STORAGE_FOLDER: ${{ vars.INTEGRATION_TEST_REPORTS_FOLDER }}
@@ -113,7 +113,7 @@ jobs:
 
       - name: Upload junit
         if: ${{ inputs.junit == true }}
-        uses: azure/CLI@v1
+        uses: azure/CLI@4db43908b9df2e7ac93c8275a8f9a448c59338dd # v1
         env:
           STORAGE_NAME: ${{ vars.INTEGRATION_TEST_STORAGE_ACCOUNT_NAME }}
           STORAGE_FOLDER: ${{ vars.INTEGRATION_TEST_REPORTS_FOLDER }}
@@ -135,7 +135,7 @@ jobs:
     steps:
       - name: Report Status
         if: ${{ inputs.notify }}
-        uses: ravsamhq/notify-slack-action@v2
+        uses: ravsamhq/notify-slack-action@be814b201e233b2dc673608aa46e5447c8ab13f2 # v2
         with:
           status: ${{ needs.integration_test.result }}
           token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/08_create_dashboard.yml

@@ -39,7 +39,7 @@ jobs:
 
       # from https://github.com/pagopa/opex-dashboard-azure-action/
       # Internal APIs
-      - uses: pagopa/[email protected]
+      - uses: pagopa/opex-dashboard-azure-action@ece3bc2b133be74cabb50aec14cdb9b8051b886f # v1.1.2
         with:
           environment: ${{ matrix.environment }}
           api-name:
@@ -52,7 +52,7 @@ jobs:
 
       # from https://github.com/pagopa/opex-dashboard-azure-action/
       # Organizations APIs
-      - uses: pagopa/[email protected]
+      - uses: pagopa/opex-dashboard-azure-action@ece3bc2b133be74cabb50aec14cdb9b8051b886f # v1.1.2
         with:
           environment: ${{ matrix.environment }}
           api-name:
@@ -65,7 +65,7 @@ jobs:
 
       # from https://github.com/pagopa/opex-dashboard-azure-action/
       # PSPs APIs
-      - uses: pagopa/[email protected]
+      - uses: pagopa/opex-dashboard-azure-action@ece3bc2b133be74cabb50aec14cdb9b8051b886f # v1.1.2
         with:
           environment: ${{ matrix.environment }}
           api-name:

Dockerfile

@@ -1,5 +1,5 @@
 ## Stage 1 : build with maven builder image with native capabilities
-FROM quay.io/quarkus/ubi-quarkus-graalvmce-builder-image:22.3-java17 AS build
+FROM quay.io/quarkus/ubi-quarkus-graalvmce-builder-image:22.3-java17@sha256:94750d983c8ee4cc09d7eb502c8010b9e6238824e5b9370e4dac983c7770f73d AS build
 COPY --chown=quarkus:quarkus mvnw /code/mvnw
 COPY --chown=quarkus:quarkus .mvn /code/.mvn
 COPY --chown=quarkus:quarkus pom.xml /code/
@@ -12,7 +12,7 @@ ARG APP_NAME
 
 RUN ./mvnw package -DskipTests=true -Dquarkus.application.name=$APP_NAME -Dquarkus.profile=$QUARKUS_PROFILE
 
-FROM registry.access.redhat.com/ubi8/openjdk-17:1.14
+FROM registry.access.redhat.com/ubi8/openjdk-17:1.14@sha256:79585ca02551ecff9d368905d7ce387232b9fd328256e7a715ae3c4ec7b086d3
 
 ENV LANGUAGE='en_US:en'
 

docker-infra/docker-compose.yml

@@ -2,7 +2,7 @@ version: '3.8'
 
 services:
   elasticsearch:
-    image: docker.elastic.co/elasticsearch/elasticsearch:8.6.2
+    image: docker.elastic.co/elasticsearch/elasticsearch:8.6.2@sha256:1c53c89d04f207beb99d56cc4a1cc23516bd9c386858843d5082a98257c04d1c
     ports:
       - "9200:9200"
       - "9300:9300"
@@ -15,7 +15,7 @@ services:
       - infra
 
   kibana:
-    image: docker.elastic.co/kibana/kibana:8.6.2
+    image: docker.elastic.co/kibana/kibana:8.6.2@sha256:7157c399f97acddf3297501d5af66097d57be67d27d62f810bcbdd11785a39b8
     ports:
       - "5601:5601"
     networks:
@@ -25,7 +25,7 @@ services:
 
   alertmanager:
     hostname: alertmanager
-    image: prom/alertmanager
+    image: prom/alertmanager@sha256:e13b6ed5cb929eeaee733479dce55e10eb3bc2e9c4586c705a4e8da41e5eacf5
     volumes:
       - ${PWD}/alertmanager/alertmanager.conf:/etc/alertmanager/alertmanager.conf
     command:
@@ -37,7 +37,7 @@ services:
 
   prometheus:
     hostname: prometheus
-    image: prom/prometheus
+    image: prom/prometheus@sha256:cafe963e591c872d38f3ea41ff8eb22cee97917b7c97b5c0ccd43a419f11f613
     volumes:
       - ${PWD}/prometheus/prometheus.yml:/etc/prometheus/prometheus.yml
       - ${PWD}/prometheus/alert_rules.yml:/etc/prometheus/alert_rules.yml
@@ -53,7 +53,7 @@ services:
 
   grafana:
     hostname: grafana
-    image: grafana/grafana
+    image: grafana/grafana@sha256:886b56d5534e54f69a8cfcb4b8928da8fc753178a7a3d20c3f9b04b660169805
     volumes:
       - ${PWD}/grafana/grafana_datasources.yml:/etc/grafana/provisioning/datasources/all.yaml
       - ${PWD}/grafana/grafana_config.ini:/etc/grafana/config.ini
@@ -64,7 +64,7 @@ services:
       - infra
 
   jaeger-all-in-one:
-    image: jaegertracing/all-in-one:latest
+    image: jaegertracing/all-in-one:latest@sha256:4fd2d70fa347d6a47e79fcb06b1c177e6079f92cba88b083153d56263082135e
     ports:
       - "16686:16686"
       - "14268:14268"
@@ -73,7 +73,7 @@ services:
       - infra
 
   otel-collector:
-    image: otel/opentelemetry-collector:latest
+    image: otel/opentelemetry-collector:latest@sha256:aef3e6d742fb69b94e9c0813a028449d28438bb6f9c93cb5d0b8d0704b78ae65
     command: [ "--config=/etc/otel-collector-config.yaml" ]
     volumes:
       - ${PWD}/otel-collector/otel-collector-config.yaml:/etc/otel-collector-config.yaml:Z
@@ -86,7 +86,7 @@ services:
       - infra
 
   mongo:
-    image: mongo
+    image: mongo@sha256:d672a079266a48faee269e6b5c6b1c7b9d9de3ddd8a1d5097a0881e15576bbb4
     restart: always
     environment:
       MONGO_INITDB_ROOT_USERNAME: root
@@ -97,7 +97,7 @@ services:
       - infra
 
   mongo-express:
-    image: mongo-express
+    image: mongo-express@sha256:1b23d7976f0210dbec74045c209e52fbb26d29b2e873d6c6fa3d3f0ae32c2a64
     restart: always
     ports:
       - 8085:8081
@@ -109,7 +109,7 @@ services:
       - infra
 
   azurite:
-    image: "mcr.microsoft.com/azure-storage/azurite"
+    image: "mcr.microsoft.com/azure-storage/azurite@sha256:d449d953a1c5bd1e26c800744a65c451e88f3387b696e02e3e2e79a995c3105b"
     restart: always
     ports:
       - 10000:10000

integration-test/Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.11 as build
+FROM python:3.11@sha256:a23661e4d5dacf56028a800d3af100397a99b120d0f0de5892db61437fd9eb6c as build
 #-slim as build
 
 ARG SHELL="/bin/sh"

performance-test/docker-compose.yaml

@@ -1,7 +1,7 @@
 version: '3.3'
 services:
   k6:
-    image: grafana/k6
+    image: grafana/k6@sha256:9e37f3209c16af8c17a79cf3a5f7d4402673726de4c7e25572d189acf06405c5
     container_name: k6
     volumes:
       - '${PWD}/src:/scripts'
@@ -15,7 +15,7 @@ services:
       - nginx
 
   nginx:
-    image: nginx
+    image: nginx@sha256:447a8665cc1dab95b1ca778e162215839ccbb9189104c79d7ec3a81e14577add
     container_name: nginx
     volumes:
       - '${PWD}/nginx/nginx.conf:/etc/nginx/nginx.conf'

src/main/docker/Dockerfile.jvm

@@ -75,7 +75,7 @@
 #   accessed directly. (example: "foo.example.com,bar.example.com")
 #
 ###
-FROM registry.access.redhat.com/ubi8/openjdk-17:1.14
+FROM registry.access.redhat.com/ubi8/openjdk-17:1.14@sha256:79585ca02551ecff9d368905d7ce387232b9fd328256e7a715ae3c4ec7b086d3
 
 ENV LANGUAGE='en_US:en'
 

src/main/docker/Dockerfile.legacy-jar

@@ -75,7 +75,7 @@
 #   accessed directly. (example: "foo.example.com,bar.example.com")
 #
 ###
-FROM registry.access.redhat.com/ubi8/openjdk-17:1.14
+FROM registry.access.redhat.com/ubi8/openjdk-17:1.14@sha256:79585ca02551ecff9d368905d7ce387232b9fd328256e7a715ae3c4ec7b086d3
 
 ENV LANGUAGE='en_US:en'
 

src/main/docker/Dockerfile.multistage

@@ -1,5 +1,5 @@
 ## Stage 1 : build with maven builder image with native capabilities
-FROM quay.io/quarkus/ubi-quarkus-graalvmce-builder-image:22.3-java17 AS build
+FROM quay.io/quarkus/ubi-quarkus-graalvmce-builder-image:22.3-java17@sha256:94750d983c8ee4cc09d7eb502c8010b9e6238824e5b9370e4dac983c7770f73d AS build
 COPY --chown=quarkus:quarkus mvnw /code/mvnw
 COPY --chown=quarkus:quarkus .mvn /code/.mvn
 COPY --chown=quarkus:quarkus pom.xml /code/
@@ -14,7 +14,7 @@ ARG APP_NAME
 RUN ./mvnw package -DskipTests=true -Pnative -Dquarkus.application.name=$APP_NAME -Dquarkus.profile=$QUARKUS_PROFILE
 
 ## Stage 2 : create the docker final image
-FROM quay.io/quarkus/quarkus-micro-image:2.0
+FROM quay.io/quarkus/quarkus-micro-image:2.0@sha256:d599a3082e48acb01c61d7c41874fdcdec89bd3d058be35d0900dff8193e30b0
 WORKDIR /work/
 COPY --from=build /code/target/*-runner /work/application
 

src/main/docker/Dockerfile.multistage.jvm

@@ -1,5 +1,5 @@
 ## Stage 1 : build with maven builder image with native capabilities
-FROM quay.io/quarkus/ubi-quarkus-graalvmce-builder-image:22.3-java17 AS build
+FROM quay.io/quarkus/ubi-quarkus-graalvmce-builder-image:22.3-java17@sha256:94750d983c8ee4cc09d7eb502c8010b9e6238824e5b9370e4dac983c7770f73d AS build
 COPY --chown=quarkus:quarkus mvnw /code/mvnw
 COPY --chown=quarkus:quarkus .mvn /code/.mvn
 COPY --chown=quarkus:quarkus pom.xml /code/
@@ -12,7 +12,7 @@ ARG APP_NAME
 
 RUN ./mvnw package -DskipTests=true -Dquarkus.application.name=$APP_NAME -Dquarkus.profile=$QUARKUS_PROFILE
 
-FROM registry.access.redhat.com/ubi8/openjdk-17:1.14
+FROM registry.access.redhat.com/ubi8/openjdk-17:1.14@sha256:79585ca02551ecff9d368905d7ce387232b9fd328256e7a715ae3c4ec7b086d3
 
 ENV LANGUAGE='en_US:en'
 

src/main/docker/Dockerfile.native

@@ -14,7 +14,7 @@
 # docker run -i --rm -p 8080:8080 quarkus/code-with-quarkus
 #
 ###
-FROM registry.access.redhat.com/ubi8/ubi-minimal:8.6
+FROM registry.access.redhat.com/ubi8/ubi-minimal:8.6@sha256:33931dce809712888d1a8061bfa676963f517daca993984afed3251bc1fb5987
 WORKDIR /work/
 RUN chown 1001 /work \
     && chmod "g+rwX" /work \

src/main/docker/Dockerfile.native-micro

@@ -17,7 +17,7 @@
 # docker run -i --rm -p 8080:8080 quarkus/code-with-quarkus
 #
 ###
-FROM quay.io/quarkus/quarkus-micro-image:2.0
+FROM quay.io/quarkus/quarkus-micro-image:2.0@sha256:d599a3082e48acb01c61d7c41874fdcdec89bd3d058be35d0900dff8193e30b0
 WORKDIR /work/
 RUN chown 1001 /work \
     && chmod "g+rwX" /work \