nordeck · renovate · Dec 19, 2025
@@ -15,7 +15,7 @@ jobs:
     outputs:
       docker-tag: ${{ steps.meta.outputs.version }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           # required for changesets
           fetch-depth: '0'
@@ -24,7 +24,7 @@ jobs:
           persist-credentials: false
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 'lts/*'
           cache: 'yarn'
@@ -57,18 +57,18 @@ jobs:
         run: yarn generate-disclaimer
 
       - name: Login to ghcr.io
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 
       - name: Generate Docker metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
         env:
           DOCKER_METADATA_PR_HEAD_SHA: true
         with:
@@ -82,7 +82,7 @@ jobs:
 
       - name: Build and push
         id: build_and_push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         with:
           push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' || github.event_name == 'pull_request' && secrets.GH_APP_OS_APP_ID != '' }}
           context: .
@@ -96,7 +96,7 @@ jobs:
         if: ${{ success() && steps.build_and_push.outputs.digest }}
         env:
           IMAGE_REF: ${{ env.DOCKER_IMAGE }}@${{ steps.build_and_push.outputs.digest }}
-        uses: aquasecurity/[email protected]
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
         with:
           scan-type: 'image'
           scanners: 'license'
@@ -107,7 +107,7 @@ jobs:
 
       - name: Upload SBOM report as a build artifact
         if: ${{ success() && steps.build_and_push.outputs.digest }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: sbom-spdx-report
           path: 'sbom.spdx.json'
@@ -134,17 +134,17 @@ jobs:
     needs: build
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0 # need main branch to diff against
       - name: Set up Helm
-        uses: azure/setup-helm@v4
-      - uses: actions/setup-python@v5
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: '3.12'
           check-latest: true
       - name: Set up chart-testing
-        uses: helm/[email protected]
+        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
       - name: Check if Helm charts updated (run chart-testing list-changed)
         id: list-changed
         run: |
@@ -158,7 +158,7 @@ jobs:
         run: ct lint --validate-maintainers=false --target-branch ${{ github.event.repository.default_branch }}
       - name: Create kind cluster
         if: steps.list-changed.outputs.changed == 'true'
-        uses: helm/[email protected]
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
       - name: Prepare k8s cluster
         if: steps.list-changed.outputs.changed == 'true'
         run: |
@@ -184,7 +184,7 @@ jobs:
           private_key: ${{ secrets.GH_APP_OS_PRIVATE_KEY }}
 
       - name: Trigger Workflow
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         with:
           github-token: ${{ steps.generate_token.outputs.token }}
           script: |

@@ -21,15 +21,15 @@ jobs:
     steps:
       - name: Generate Docker metadata of the existing image
         id: meta-existing-tag
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
         with:
           images: ${{ env.DOCKER_IMAGE }}
           tags: |
             type=sha,prefix=
 
       - name: Generate Docker metadata of the new image
         id: meta-new-tags
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
         with:
           images: ${{ env.DOCKER_IMAGE }}
           labels: |
@@ -46,7 +46,7 @@ jobs:
           echo "FROM $SOURCE_IMAGE" > Dockerfile
 
       - name: Login to ghcr.io
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -56,11 +56,11 @@ jobs:
         uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 
       - name: Build and push
         id: build_and_push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         with:
           push: true
           context: .
@@ -71,7 +71,7 @@ jobs:
       - name: Run Trivy to get an SBOM report of the container
         env:
           IMAGE_REF: ${{ env.DOCKER_IMAGE }}@${{ steps.build_and_push.outputs.digest }}
-        uses: aquasecurity/[email protected]
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
         with:
           scan-type: 'image'
           scanners: 'license'

@@ -1,4 +1,4 @@
-FROM aquasec/trivy:latest AS scanner
+FROM aquasec/trivy:latest@sha256:05d0126976bdedcd0782a0336f77832dbea1c81b9cc5e4b3a5ea5d2ec863aca7 AS scanner
 
 # Copy yarn.lock to run SBOM scan
 COPY yarn.lock /tmp
@@ -14,7 +14,7 @@

 # Allow hashes for @carbon/charts.
 # The library sets style="text-anchor: end;" at a SVG element when we close the modal that hosts the chart.
 ENV CSP_STYLE_SRC="${CSP_STYLE_SRC} 'sha256-Iga7e6saiujlA0I0tma/RscQvHqQgY3nuYvqRYMCDF8=' 'unsafe-hashes'"

 # Allow loading images from the home server.
 ENV CSP_IMG_SRC="\${REACT_APP_HOME_SERVER_URL}"
@@ -8,7 +8,7 @@ image:
   repository: ghcr.io/nordeck/matrix-poll-widget
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
-  tag: ""
+  tag: "@sha256:2a94e2b543e33e90fd56b485d8fb85472ffb117656f2e8f02c1826d4148419a8"
 
 imagePullSecrets: []
 nameOverride: ""

@@ -42,48 +42,48 @@
     "uuid": "^9.0.1"
   },
   "devDependencies": {
-    "@changesets/cli": "^2.28.0",
-    "@eslint/compat": "^1.3.1",
-    "@eslint/js": "^9.28.0",
-    "@matrix-widget-toolkit/testing": "^4.0.0",
-    "@testing-library/dom": "^10.4.0",
-    "@testing-library/jest-dom": "^6.6.3",
-    "@testing-library/react": "^16.0.1",
-    "@testing-library/user-event": "^14.5.2",
-    "@types/lodash": "^4.14.202",
-    "@types/luxon": "^3.2.0",
-    "@types/node": "^20.17.22",
-    "@types/pdfmake": "^0.2.11",
-    "@types/react": "^18.3.23",
-    "@types/react-beautiful-dnd": "^13.1.8",
-    "@types/react-dom": "^18.3.1",
-    "@types/uuid": "^9.0.7",
-    "@vitejs/plugin-basic-ssl": "^1.2.0",
-    "@vitejs/plugin-react-swc": "^3.8.0",
-    "@vitest/coverage-v8": "^3.0.6",
-    "@vitest/eslint-plugin": "^1.3.4",
-    "axe-core": "^4.10.0",
-    "depcheck": "^1.4.7",
-    "dotenv-cli": "^7.4.4",
-    "eslint": "^9.28.0",
-    "eslint-config-prettier": "^10.1.5",
-    "eslint-plugin-notice": "^1.0.0",
-    "eslint-plugin-promise": "^7.2.1",
-    "eslint-plugin-react": "^7.37.5",
-    "eslint-plugin-react-hooks": "^5.2.0",
-    "eslint-plugin-testing-library": "^7.6.0",
-    "happy-dom": "^20.0.8",
-    "husky": "^9.1.7",
-    "i18next-cli": "^1.20.1",
-    "lint-staged": "^15.4.3",
-    "prettier": "^3.5.1",
-    "prettier-plugin-organize-imports": "^4.1.0",
-    "sass": "^1.85.0",
-    "typescript": "^5.7.2",
-    "typescript-eslint": "^8.33.1",
+    "@changesets/cli": "2.28.1",
+    "@eslint/compat": "1.4.1",
+    "@eslint/js": "9.31.0",
+    "@matrix-widget-toolkit/testing": "4.0.0",
+    "@testing-library/dom": "10.4.0",
+    "@testing-library/jest-dom": "6.6.3",
+    "@testing-library/react": "16.3.0",
+    "@testing-library/user-event": "14.5.2",
+    "@types/lodash": "4.14.202",
+    "@types/luxon": "3.2.0",
+    "@types/node": "20.19.24",
+    "@types/pdfmake": "0.2.11",
+    "@types/react": "18.3.26",
+    "@types/react-beautiful-dnd": "13.1.8",
+    "@types/react-dom": "18.3.7",
+    "@types/uuid": "9.0.7",
+    "@vitejs/plugin-basic-ssl": "1.2.0",
+    "@vitejs/plugin-react-swc": "3.10.2",
+    "@vitest/coverage-v8": "3.2.4",
+    "@vitest/eslint-plugin": "1.3.26",
+    "axe-core": "4.10.3",
+    "depcheck": "1.4.7",
+    "dotenv-cli": "7.4.4",
+    "eslint": "9.31.0",
+    "eslint-config-prettier": "10.1.5",
+    "eslint-plugin-notice": "1.0.0",
+    "eslint-plugin-promise": "7.2.1",
+    "eslint-plugin-react": "7.37.5",
+    "eslint-plugin-react-hooks": "5.2.0",
+    "eslint-plugin-testing-library": "7.13.3",
+    "happy-dom": "20.0.10",
+    "husky": "9.1.7",
+    "i18next-cli": "1.20.1",
+    "lint-staged": "15.4.3",
+    "prettier": "3.5.3",
+    "prettier-plugin-organize-imports": "4.1.0",
+    "sass": "1.85.1",
+    "typescript": "5.9.3",
+    "typescript-eslint": "8.37.0",
     "vite": "^6.4.1",
-    "vitest": "^3.2.4",
-    "yarn-deduplicate": "^6.0.2"
+    "vitest": "3.2.4",
+    "yarn-deduplicate": "6.0.2"
   },
   "engines": {
     "node": ">=20",