chore(deps): pin dependencies

.github/workflows/ci.yml

@@ -13,7 +13,7 @@ jobs:
 
     services:
       db:
-        image: postgres:18.1
+        image: postgres:18.1@sha256:1090bc3a8ccfb0b55f78a494d76f8d603434f7e4553543d6e807bc7bd6bbd17f
         # Health checks to wait until postgres has started
         options: >-
           --health-cmd pg_isready
@@ -28,7 +28,7 @@ jobs:
         - 5432:5432
 
       redis:
-        image: redis:8.4.0
+        image: redis:8.4.0@sha256:c22af04bb576503bf16b3e34a1fd2fd82de0f765afd866d2e380145e0af30d78
         ports:
         - 6379:6379
 

Dockerfile

@@ -1,5 +1,5 @@
 # Build stage
-FROM python:3.13.7-slim as builder
+FROM python:3.13.7-slim@sha256:5f55cdf0c5d9dc1a415637a5ccc4a9e18663ad203673173b8cda8f8dcacef689 as builder
 LABEL maintainer="ODL DevOps <mitx-devops@mit.edu>"
 
 # Set environment variables for build
@@ -29,7 +29,7 @@ ENV PYTHONUNBUFFERED=1 \
 ENV PATH="/opt/venv/bin:$PATH"
 
 # Install uv
-COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /usr/local/bin/
+COPY --from=ghcr.io/astral-sh/uv:latest@sha256:240fb85ab0f263ef12f492d8476aa3a2e4e1e333f7d67fbdd923d00a506a516a /uv /uvx /usr/local/bin/
 
 COPY pyproject.toml uv.lock /src/
 RUN mkdir -p /opt/venv && chown -R mitodl:mitodl /src /opt/venv
@@ -38,14 +38,14 @@ USER mitodl
 WORKDIR /src
 RUN uv sync --frozen --no-install-project
 
-FROM node:24-slim AS node_builder
+FROM node:24-slim@sha256:b506e7321f176aae77317f99d67a24b272c1f09f1d10f1761f2773447d8da26c AS node_builder
 COPY . /src
 WORKDIR /src
 ENV NODE_ENV=production
 RUN yarn install --immutable && yarn build
 
 # Runtime stage
-FROM python:3.13.7-slim as runtime
+FROM python:3.13.7-slim@sha256:5f55cdf0c5d9dc1a415637a5ccc4a9e18663ad203673173b8cda8f8dcacef689 as runtime
 
 # Set environment variables for production
 ENV PYTHONUNBUFFERED=1 \

docker-compose.yml

@@ -28,7 +28,7 @@ networks:
       - subnet: "10.1.0.0/24"
 services:
   db:
-    image: postgres:18.1
+    image: postgres:18.1@sha256:1090bc3a8ccfb0b55f78a494d76f8d603434f7e4553543d6e807bc7bd6bbd17f
     ports:
     - "5431:5432"
     environment:
@@ -39,15 +39,15 @@ services:
         ipv4_address: 10.1.0.103
 
   redis:
-    image: redis:8.4.0
+    image: redis:8.4.0@sha256:c22af04bb576503bf16b3e34a1fd2fd82de0f765afd866d2e380145e0af30d78
     ports:
     - "6379"
     networks:
     - default-network
     - concourse-network
 
   nginx:
-    image: nginx:1.29.7
+    image: nginx:1.29.7@sha256:1854da86e82d5dfb49a8f3d78b099adcc7e36608b207146ed95cd47937938a40
     environment:
       AWS_PREVIEW_BUCKET_NAME: $AWS_PREVIEW_BUCKET_NAME
       AWS_PUBLISH_BUCKET_NAME: $AWS_PUBLISH_BUCKET_NAME
@@ -102,7 +102,7 @@ services:
     - django_media:/var/media
 
   watch:
-    image: node:24.14.1
+    image: node:24.14.1@sha256:80fc934952c8f1b2b4d39907af7211f8a9fff1a4c2cf673fb49099292c251cec
     working_dir: /src
     command: >
       /bin/bash -c './webpack_dev_server.sh --install'
@@ -146,7 +146,7 @@ services:
     - django_media:/var/media
 
   concourse-db:
-    image: postgres:latest
+    image: postgres:latest@sha256:52e6ffd11fddd081ae63880b635b2a61c14008c17fc98cdc7ce5472265516dd0
     environment:
       POSTGRES_DB: concourse
       POSTGRES_USER: postgres
@@ -161,7 +161,7 @@ services:
     - default-network
 
   concourse-keys:
-    image: gotechnies/alpine-ssh
+    image: gotechnies/alpine-ssh@sha256:c356c4aec99f7ef1e64e180260152e4607f45fccc93c9e72088746f506d63a16
     entrypoint: /scripts/keys.sh
     healthcheck:
       test: "exit 0"
@@ -170,7 +170,7 @@ services:
     - concourse-keys:/concourse-keys
 
   concourse:
-    image: concourse/concourse:7.14
+    image: concourse/concourse:7.14@sha256:ff7ee75c781c2e073296b915f0612f4bda8d9267ded13678b6d6217b1f7b4369
     command: web
     privileged: true
     depends_on:
@@ -219,7 +219,7 @@ services:
         ipv4_address: 10.1.0.101
 
   concourse-worker:
-    image: concourse/concourse:7.14
+    image: concourse/concourse:7.14@sha256:ff7ee75c781c2e073296b915f0612f4bda8d9267ded13678b6d6217b1f7b4369
     command: worker
     privileged: true
     depends_on:
@@ -250,7 +250,7 @@ services:
         ipv4_address: 10.1.0.104
 
   s3:
-    image: minio/minio:latest
+    image: minio/minio:latest@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
     ports:
     - "9000:9000"
     - "9001:9001"
@@ -271,7 +271,7 @@ services:
       concourse-network:
         ipv4_address: 10.1.0.100
   create-buckets:
-    image: minio/mc
+    image: minio/mc@sha256:a7fe349ef4bd8521fb8497f55c6042871b2ae640607cf99d9bede5e9bdf11727
     depends_on:
       s3:
         condition: service_healthy