Pin dependencies

.github/workflows/build-toolkit-docker-image.yaml

@@ -19,20 +19,20 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2
 
       - name: Log in to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         with:
           context: toolkit/
           push: true
@@ -41,7 +41,7 @@ jobs:
             ghcr.io/${{ github.repository }}:toolkit-${{ github.sha }}
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         with:
           context: immich/
           push: true

backup/Dockerfile

@@ -1,4 +1,4 @@
-FROM debian:trixie-slim
+FROM debian:trixie-slim@sha256:77ba0164de17b88dd0bf6cdc8f65569e6e5fa6cd256562998b62553134a00ef0
 
 RUN apt-get update && \
     apt-get install -y wget ca-certificates tar just restic ansible unzip && \

docker/caddy/docker-compose.yaml

@@ -1,6 +1,6 @@
 services:
   caddy:
-    image: ghcr.io/caddybuilds/caddy-cloudflare:latest
+    image: ghcr.io/caddybuilds/caddy-cloudflare:latest@sha256:4a3d4afed443f026040cad84b48ef2eef6cc6eb5a80a3ecab66a03df469a46f8
     container_name: caddy
     restart: unless-stopped
     ports:

docker/immich/docker-compose.yaml

@@ -14,7 +14,7 @@ services:
       UMASK_SET: "002"
     healthcheck:
       disable: false
-    image: ghcr.io/immich-app/immich-machine-learning:v1.138.0
+    image: ghcr.io/immich-app/immich-machine-learning:v1.138.0@sha256:25fca00128f10444303c93829516927bd14804ccbe9b7450eb41c64c722c5ac4
     platform: linux/amd64
     privileged: false
     restart: unless-stopped
@@ -30,7 +30,7 @@ services:
           nocopy: false
 
   database:
-    image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0-pgvectors0.2.0
+    image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0-pgvectors0.2.0@sha256:c570d9e1c2494f65d2a0a379a7f6df66e8441964254a30aa62cc58e8ebf1dee0
     environment:
       NVIDIA_VISIBLE_DEVICES: void
       POSTGRES_DB: ${POSTGRES_DB}
@@ -52,7 +52,7 @@ services:
         type: bind
 
   pgvecto:
-    image: tensorchord/pgvecto-rs:pg15-v0.2.0
+    image: tensorchord/pgvecto-rs:pg15-v0.2.0@sha256:104a26ad4d0446c54a46d3a694c6193ef018c5ad4f9d9faf7765ab09cb9ffe06
     cap_drop:
       - ALL
     environment:
@@ -161,7 +161,7 @@ services:
       UMASK_SET: "002"
     healthcheck:
       disable: false
-    image: ghcr.io/immich-app/immich-server:v1.138.0
+    image: ghcr.io/immich-app/immich-server:v1.138.0@sha256:12cee930e2cc211a95acae12ad780c0b2eecaea0479a06e255c73a4deb0b3efb
     #platform: linux/amd64
     #ports:
     #  - mode: ingress
@@ -227,7 +227,7 @@ services:
       - "traefik.http.services.immich-dashboard.loadbalancer.server.port=30041"
 
   traefik:
-    image: traefik:v3.5.0
+    image: traefik:v3.5.0@sha256:4e7175cfe19be83c6b928cae49dde2f2788fb307189a4dc9550b67acf30c11a5
     container_name: traefik
     restart: unless-stopped
       #read_only: true

docker/kestra/docker-compose.yml

@@ -8,7 +8,7 @@ volumes:
 
 services:
   postgres:
-    image: postgres
+    image: postgres@sha256:5773fe724c49c42a7a9ca70202e11e1dff21fb7235b335a73f39297d200b73a2
     volumes:
       - postgres-data:/var/lib/postgresql/data
     environment:
@@ -22,7 +22,7 @@ services:
       retries: 10
 
   kestra:
-    image: kestra/kestra:latest
+    image: kestra/kestra:latest@sha256:72b4be36ddad30a840fe96b8d604fd3445f87c157fa7eccf679532c079f8972f
     pull_policy: always
     # Note that this setup with a root user is intended for development purpose.
     # Our base image runs without root, but the Docker Compose implementation needs root to access the Docker socket

docker/mafl/docker-compose.yaml

@@ -1,6 +1,6 @@
 services:
   mafl:
-    image: hywax/mafl
+    image: hywax/mafl@sha256:2c89020be334b341da41a6b95830b1b52b1b9f43c9f16d09c0ab4e9dad3ea4ad
     container_name: mafl
     restart: unless-stopped
     volumes:

docker/minio/docker-compose.yaml

@@ -1,6 +1,6 @@
 services:
   minio:
-    image: quay.io/minio/minio:RELEASE.2025-03-12T18-04-18Z
+    image: quay.io/minio/minio:RELEASE.2025-03-12T18-04-18Z@sha256:46b3009bf7041eefbd90bd0d2b38c6ddc24d20a35d609551a1802c558c1c958f
     command: server /data --console-address ":9002"
     restart: unless-stopped
     ports:

docker/pocket-id/docker-compose.yaml

@@ -1,6 +1,6 @@
 services:
   pocket-id:
-    image: ghcr.io/pocket-id/pocket-id
+    image: ghcr.io/pocket-id/pocket-id@sha256:84d20a801692b9635f481522df2672a7aae522726c30953dae52e17fc2696b27
     container_name: pocket-id
     restart: unless-stopped
     environment:

docker/portainer/docker-compose.yaml

@@ -1,6 +1,6 @@
 services:
   portainer:
-    image: portainer/portainer-ce:latest
+    image: portainer/portainer-ce:latest@sha256:4786931dc7c588ff1c242696fe1eb3f7f9c5dafb136b6c713aff7745dd5bd407
     container_name: portainer
     restart: unless-stopped
     ports:

docker/semaphore/docker-compose.yaml

@@ -1,6 +1,6 @@
 services:
   semaphore:
-    image: semaphoreui/semaphore:v2.13.1
+    image: semaphoreui/semaphore:v2.13.1@sha256:db69c024e924bd2ac158b1e5e3534d1d7b60dc22ea232b050ec7eee28af34471
     container_name: semaphore
     environment:
       TZ: Europe/Berlin

docker/upsnap/docker-compose.yaml

@@ -1,7 +1,7 @@
 services:
   upsnap:
     container_name: upsnap
-    image: ghcr.io/seriousm4x/upsnap:5
+    image: ghcr.io/seriousm4x/upsnap:5@sha256:36532b5b14ede1fff71fe4d4203454f701ea0fa932ddf8132acdc4fbbfb580d1
     network_mode: host
     restart: unless-stopped
     volumes:

immich/Dockerfile

@@ -1,4 +1,4 @@
-FROM debian:trixie-slim
+FROM debian:trixie-slim@sha256:77ba0164de17b88dd0bf6cdc8f65569e6e5fa6cd256562998b62553134a00ef0
 
 RUN apt-get update && \
     apt-get install -y \

k8s/linkding/base/deployment.yaml

@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
         - name: linkding
-          image: sissbruecker/linkding:latest
+          image: sissbruecker/linkding:latest@sha256:61b2eb9eed8e5772a473fb7f1f8923e046cb8cbbeb50e88150afd5ff287d4060
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 9090

k8s/lldap/base/deployment.yaml

@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
         - name: lldap
-          image: lldap/lldap:stable-alpine
+          image: lldap/lldap:stable-alpine@sha256:9e605a66c02514bfcffd1b67cafb1e98d50992216bb2871d7ae44622047dd09d
           imagePullPolicy: IfNotPresent
           ports:
             - name: http

k8s/lldap/overlays/production/kustomization.yaml

@@ -12,4 +12,4 @@ namespace: lldap
 
 images:
   - name: lldap/lldap:latest
-    newTag: stable
+    newTag: stable@sha256:9e605a66c02514bfcffd1b67cafb1e98d50992216bb2871d7ae44622047dd09d

k8s/mafl/base/deployment.yaml

@@ -22,7 +22,7 @@ spec:
     spec:
       containers:
         - name: mafl
-          image: hywax/mafl:latest
+          image: hywax/mafl:latest@sha256:2c89020be334b341da41a6b95830b1b52b1b9f43c9f16d09c0ab4e9dad3ea4ad
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 3000

k8s/opengist/base/deployment.yaml

@@ -18,7 +18,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: opengist
-          image: ghcr.io/thomiceli/opengist:latest
+          image: ghcr.io/thomiceli/opengist:latest@sha256:86e7eb1f9fb2aa7b5d620fe452406de331c6e4d1c47b4d23d46b4b01e1ebf69d
           imagePullPolicy: IfNotPresent
           env:
             - name: TZ

k8s/papra/base/deployment.yaml

@@ -18,7 +18,7 @@ spec:
       dnsPolicy: ClusterFirst
       containers:
         - name: papra
-          image: ghcr.io/papra-hq/papra:latest
+          image: ghcr.io/papra-hq/papra:latest@sha256:9b3ddb66c63caf9d2616a2cb47689d39af4efd4ed19bffdf1943a8a262719c35
           imagePullPolicy: IfNotPresent
           env:
             - name: TZ

k8s/papra/overlays/production/kustomization.yaml

@@ -10,4 +10,4 @@ resources:
 # https://github.com/thomiceli/opengist/releases
 images:
   - name: ghcr.io/papra-hq/papra
-    newTag: latest
+    newTag: latest@sha256:9b3ddb66c63caf9d2616a2cb47689d39af4efd4ed19bffdf1943a8a262719c35

k8s/subscription-manager/base/deployment.yaml

@@ -22,7 +22,7 @@ spec:
     spec:
       containers:
         - name: subscription-manager
-          image: dh1011/subscription-manager:latest
+          image: dh1011/subscription-manager:latest@sha256:3517b960983162504b304d0c70d849a7093744ce76e4c0a144e8164fdd0b5087
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 3000

k8s/vault/export-and-backup/all-in-one/cronjob-all-in-one.yaml

@@ -17,7 +17,7 @@ spec:
           restartPolicy: Never
           containers:
             - name: backup-vault-export
-              image: ghcr.io/tryrocket-cloud/home-ops:toolkit
+              image: ghcr.io/tryrocket-cloud/home-ops:toolkit@sha256:6ebf6602fa4ecb82be238f8dba70b2ea0c95843bdac9ab55c083debc89e29be2
               imagePullPolicy: Always
               env:
                 - name: RESTIC_CACHE_DIR

k8s/vault/export-and-backup/base/cronjob.yaml

@@ -15,7 +15,7 @@ spec:
           restartPolicy: Never
           initContainers:
             - name: export-hashicorp-vault
-              image: ghcr.io/jonasvinther/medusa:latest
+              image: ghcr.io/jonasvinther/medusa:latest@sha256:bc4696d3328bed5a0712318d643766e36c87d2ae836d14170d010df6abf0447d
               imagePullPolicy: IfNotPresent
               command: ["./medusa", "export", "$(VAULT_PATH)", "-o", "/export/vault-export.json"]
               env:

k8s/vault/export-and-backup/overlays/ionos.com/cronjob-patch.yaml

@@ -11,7 +11,7 @@ spec:
         spec:
           containers:
             - name: ionos-com-objectstorage-eu-central-3-s3-kopia-backup
-              image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup
+              image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:884d07598aeff3a91ea8f29e8f393c63ac04dedf6e4845582fa94cbb434bcb4c
               imagePullPolicy: Always
               env:
                 - name: EXPORT_JSON
@@ -60,7 +60,7 @@ spec:
                   mountPath: /export
                   readOnly: true
             - name: ionos-com-objectstorage-eu-central-3-s3-restic-backup
-              image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup
+              image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:884d07598aeff3a91ea8f29e8f393c63ac04dedf6e4845582fa94cbb434bcb4c
               imagePullPolicy: Always
               env:
                 - name: EXPORT_JSON

k8s/vault/export-and-backup/overlays/truenas.tryrocket.cloud/cronjob-patch.yaml

@@ -11,7 +11,7 @@ spec:
         spec:
           containers:
             - name: truenas-tryrocket-cloud-objectstorage-backup
-              image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup
+              image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:884d07598aeff3a91ea8f29e8f393c63ac04dedf6e4845582fa94cbb434bcb4c
               imagePullPolicy: Always
               env:
                 - name: VAULT_EXPORT_JSON

k8s/vault/export-and-backup/vault-export-and-backup-cronjob.yaml

@@ -17,7 +17,7 @@ spec:
           restartPolicy: Never
           initContainers:
             - name: export-hashicorp-vault
-              image: ghcr.io/jonasvinther/medusa:latest
+              image: ghcr.io/jonasvinther/medusa:latest@sha256:bc4696d3328bed5a0712318d643766e36c87d2ae836d14170d010df6abf0447d
               imagePullPolicy: IfNotPresent
               command: ["./medusa", "export", "$(VAULT_PATH)", "-o", "/export/vault-export.json"]
               env:
@@ -36,7 +36,7 @@ spec:
 
           containers:
             - name: ionos-com-objectstorage-eu-central-3-s3-kopia-backup
-              image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup
+              image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:884d07598aeff3a91ea8f29e8f393c63ac04dedf6e4845582fa94cbb434bcb4c
               imagePullPolicy: Always
               env:
                 - name: EXPORT_JSON
@@ -85,7 +85,7 @@ spec:
                 # - name: backup-cache-volume
                 #   mountPath: /cache
             - name: ionos-com-objectstorage-eu-central-3-s3-restic-backup
-              image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup
+              image: ghcr.io/tryrocket-cloud/tryrocket-cloud:backup@sha256:884d07598aeff3a91ea8f29e8f393c63ac04dedf6e4845582fa94cbb434bcb4c
               imagePullPolicy: Always
               env:
                 - name: EXPORT_JSON

k8s/vaultwarden/export-and-backup-2/export-and-backup-cronjob-3.yaml

@@ -42,7 +42,7 @@ spec:
 
           initContainers:
             - name: vaultwarden-export
-              image: ghcr.io/tryrocket-cloud/home-ops:toolkit-38dfa08a823162b91b8b4b579a025a471c475a33
+              image: ghcr.io/tryrocket-cloud/home-ops:toolkit-38dfa08a823162b91b8b4b579a025a471c475a33@sha256:0bfead9e4ae9f6b86fc8b14f89cc8a396909dbc9a08acc7246cd60892a3ced84
               imagePullPolicy: IfNotPresent
               env:
                 - name: TZ
@@ -134,7 +134,7 @@ spec:
                   echo "All jobs finished!"
 
             - name: restic-s3-policy
-              image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a
+              image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a@sha256:2a9ba7ee98f0af4a7fbad3ef11e8acb388024c2e95936c825fae014b9c8da164
               imagePullPolicy: IfNotPresent
               env:
                 - name: TZ
@@ -177,7 +177,7 @@ spec:
 
           containers:
             - name: restic-ionos-backup
-              image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a
+              image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a@sha256:2a9ba7ee98f0af4a7fbad3ef11e8acb388024c2e95936c825fae014b9c8da164
               imagePullPolicy: IfNotPresent
               env:
                 - name: TZ
@@ -236,7 +236,7 @@ spec:
                   run_restic_backup
 
             - name: kopia-ionos-backup
-              image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a
+              image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a@sha256:2a9ba7ee98f0af4a7fbad3ef11e8acb388024c2e95936c825fae014b9c8da164
               imagePullPolicy: IfNotPresent
               env:
                 - name: TZ
@@ -302,7 +302,7 @@ spec:
                   run_kopia_backup
 
             - name: deny-all-s3-policy
-              image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a
+              image: ghcr.io/tryrocket-cloud/home-ops:toolkit-ac3e21cade59942ed7c1ef4a8dc595b3a71d815a@sha256:2a9ba7ee98f0af4a7fbad3ef11e8acb388024c2e95936c825fae014b9c8da164
               volumeMounts:
                 - name: signals
                   mountPath: /signals