From c08be69618dcac9386817bced03d2d79883e50b6 Mon Sep 17 00:00:00 2001
From: David Luzar <5153846+dwelle@users.noreply.github.com>
Date: Mon, 25 May 2026 14:39:21 +0200
Subject: [PATCH] ci(docker): fix docker dep bundling and pin remaining actions (#11398)

* docker: use slim alpine image to remove bundling deps in Docker image
* pin remaining yml actions
* use lockfile
* remove pulling
---
 .github/workflows/autorelease-excalidraw.yml | 4 ++--
 .github/workflows/build-docker.yml | 2 +-
 .github/workflows/lint.yml | 4 ++--
 .github/workflows/locales-coverage.yml | 4 ++--
 .github/workflows/publish-docker.yml | 2 +-
 .github/workflows/sentry-production.yml | 4 ++--
 .github/workflows/size-limit.yml | 4 ++--
 .github/workflows/test-coverage-pr.yml | 4 ++--
 .github/workflows/test.yml | 4 ++--
 Dockerfile | 6 +++---
 10 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/autorelease-excalidraw.yml b/.github/workflows/autorelease-excalidraw.yml
index c365647ee8..289189fd83 100644
--- a/.github/workflows/autorelease-excalidraw.yml
+++ b/.github/workflows/autorelease-excalidraw.yml
@@ -9,11 +9,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 fetch-depth: 2
 - name: Setup Node.js
- uses: actions/setup-node@v2
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: 20.x
 - name: Set up publish access
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index f5f9b45bbe..3e2dc3d3c5 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -9,5 +9,5 @@ jobs:
 build-docker:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - run: docker build -t excalidraw .
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index cc73980d10..22ded0d079 100644
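Review bot: The `# v4` comments on the new SHA-pinned `uses:` lines in the autorelease-excalidraw.yml hunk name only the moving major tag, so the file does not record which release `34e114876b0b11c390a56381ad16ebd13914f8d5` (checkout) or `49933ea5288caeca8642d1e84afbd3f7d6820020` (setup-node) was taken from, and a reviewer of a later bump has nothing to check the SHA against. Write the exact release tag in the comment, e.g. `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.x.y` with the real patch version in place of `x.y`; update tooling such as Dependabot or Renovate uses and rewrites that comment together with the SHA. The same applies to every `actions/checkout` and `actions/setup-node` pin in the other workflow hunks of this patch. Since this job goes from v2 to v4 of both actions right before the `Set up publish access` step, one manual run of the release path before the next publish would be prudent.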
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -7,10 +7,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup Node.js
- uses: actions/setup-node@v2
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: 20.x
diff --git a/.github/workflows/locales-coverage.yml b/.github/workflows/locales-coverage.yml
index 67a942438b..9a5a93adac 100644
--- a/.github/workflows/locales-coverage.yml
+++ b/.github/workflows/locales-coverage.yml
@@ -10,12 +10,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 token: ${{ secrets.PUSH_TRANSLATIONS_COVERAGE_PAT }}
 - name: Setup Node.js
- uses: actions/setup-node@v2
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: 20.x
diff --git a/.github/workflows/publish-docker.yml b/.github/workflows/publish-docker.yml
index d0aedcb26b..3019e9b097 100644
--- a/.github/workflows/publish-docker.yml
+++ b/.github/workflows/publish-docker.yml
@@ -11,7 +11,7 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Login to DockerHub
 uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2
 with:
diff --git a/.github/workflows/sentry-production.yml b/.github/workflows/sentry-production.yml
index 4434873fd3..c8270a0163 100644
--- a/.github/workflows/sentry-production.yml
+++ b/.github/workflows/sentry-production.yml
@@ -9,9 +9,9 @@ jobs:
 sentry:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup Node.js
- uses: actions/setup-node@v2
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: 20.x
 - name: Install and build
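Review bot: In the locales-coverage.yml hunk the pinned checkout is still given `token: ${{ secrets.PUSH_TRANSLATIONS_COVERAGE_PAT }}`, and by default actions/checkout v4 persists that token in the checked-out repository's git configuration, where every later step of the job can read it, including whatever install and script steps follow the Node setup. The rest of the job is outside the hunk, so I cannot tell whether a later step pushes with it. If one does, say so in a comment above the `with:` block (`# PAT is persisted on purpose: the coverage commit is pushed later in this job`); if none does, add `persist-credentials: false` under `with:`.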
diff --git a/.github/workflows/size-limit.yml b/.github/workflows/size-limit.yml
index 2a24507630..4c80695f1f 100644
--- a/.github/workflows/size-limit.yml
+++ b/.github/workflows/size-limit.yml
@@ -10,9 +10,9 @@ jobs:
 CI_JOB_NUMBER: 1
 steps:
 - name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup Node.js
- uses: actions/setup-node@v3
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: 20.x
 - name: Install in packages/excalidraw
diff --git a/.github/workflows/test-coverage-pr.yml b/.github/workflows/test-coverage-pr.yml
index 0cb6327564..ffd75a7c84 100644
--- a/.github/workflows/test-coverage-pr.yml
+++ b/.github/workflows/test-coverage-pr.yml
@@ -10,9 +10,9 @@ jobs:
 pull-requests: write
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: "Install Node"
- uses: actions/setup-node@v2
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: "20.x"
 - name: "Install Deps"
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 8bebd6c1ee..78f5e9a7d2 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -8,9 +8,9 @@ jobs:
 test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: 20.x
 - name: Install and test
diff --git a/Dockerfile b/Dockerfile
index e15b425704..a941c99980 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM --platform=${BUILDPLATFORM} node:24 AS build
+FROM --platform=${BUILDPLATFORM} node:24@sha256:8530f76a96d88820d288761f022e318970dda93d01536919fbc16076b7983e63 AS build
 WORKDIR /opt/node_app
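Review bot: The new build-stage line `FROM --platform=${BUILDPLATFORM} node:24@sha256:...` in the first Dockerfile hunk resolves by digest only, since the `node:24` tag is ignored once a digest is present. `--platform` can therefore select an architecture only if that digest is the multi-arch index and not a single-platform manifest, and the patch does not show which it is. Please confirm it was taken from the index (for example with `docker buildx imagetools inspect node:24`), so a builder on another architecture does not fail or pull the wrong image. A digest pin also means the build stage no longer picks up base-image security fixes by itself, so add a comment above the line such as `# digest of node:24 (multi-arch index); refresh via Renovate/Dependabot or re-resolve by hand`.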
@@ -7,13 +7,13 @@ COPY . .
 # do not ignore optional dependencies:
 # Error: Cannot find module @rollup/rollup-linux-x64-gnu
 RUN --mount=type=cache,target=/root/.cache/yarn \
- npm_config_target_arch=${TARGETARCH} yarn --network-timeout 600000
+ npm_config_target_arch=${TARGETARCH} yarn --frozen-lockfile --network-timeout 600000
 ARG NODE_ENV=production
 RUN npm_config_target_arch=${TARGETARCH} yarn build:app:docker
-FROM nginx:1.27-alpine
+FROM nginx:stable-alpine-slim@sha256:2c605dbeab79a6b2a63340474fe58119d0ef95bdc4b1f41df0aa689659b3d13b
 COPY --from=build /opt/node_app/excalidraw-app/build /usr/share/nginx/html
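Review bot: The runtime stage now reads `FROM nginx:stable-alpine-slim@sha256:...`, where `stable` is a floating tag that the digest overrides, so the file no longer says which nginx release ships in the image (the removed line at least said 1.27). That makes it harder to tell whether the published image is affected when an nginx or Alpine advisory appears. Record the concrete version next to the digest, either in the tag (`FROM nginx:<version>-alpine-slim@sha256:<digest>`) or in a comment above the line. This stage has no `--platform`, so the digest should be the multi-arch index if the publish workflow builds for more than one architecture. The `-slim` variant also leaves out the dynamic modules that the regular alpine image bundles; the nginx configuration is outside this patch, so confirm nothing in it loads one.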