Pin dependencies (#61)

* Pin dependencies

* terraform-docs: automated action

---------

Co-authored-by: renovate-pagopa[bot] <164534245+renovate-pagopa[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

.github/workflows/apply/action.yml

@@ -16,7 +16,7 @@ runs:
   using: "composite"
   steps:
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@v3
+      uses: aws-actions/configure-aws-credentials@50ac8dd1e1b10d09dac7b8727528b91bed831ac0 # v3
       with:
         role-to-assume: ${{ inputs.iam_role }}
         aws-region: ${{ inputs.region }}
@@ -29,7 +29,7 @@ runs:
         echo "TERRAFORM_VERSION=`cat ../../.terraform-version`" >> $GITHUB_ENV
   
     - name: Setup Terraform
-      uses: hashicorp/setup-terraform@v3
+      uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3
       with:
         terraform_version: ${{ env.TERRAFORM_VERSION }}
 

.github/workflows/deploy-oneid-core.yml

@@ -74,7 +74,7 @@ jobs:
 
       - name: Login to Amazon ECR
         id: login-ecr
-        uses: aws-actions/amazon-ecr-login@v2
+        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2
 
       - name: Build, tag, and push image to Amazon ECR
         id: build-image
@@ -106,14 +106,14 @@ jobs:
 
       - name: Fill in the new image ID in the Amazon ECS task definition
         id: task-def
-        uses: aws-actions/[email protected]
+        uses: aws-actions/amazon-ecs-render-task-definition@4225e0b507142a2e432b018bc3ccb728559b437a # v1.2.0
         with:
           task-definition: ./task-definition.json
           container-name: oneid-core
           image: ${{ steps.build-image.outputs.image }}
 
       - name: Deploy Amazon ECS task definition
-        uses: aws-actions/[email protected]
+        uses: aws-actions/amazon-ecs-deploy-task-definition@df9643053eda01f169e64a0e60233aacca83799a # v1.4.11
         with:
          task-definition: ${{ steps.task-def.outputs.task-definition }}
          service: oneid-${{ env.REGION_SHORT }}-${{ env.ENV_SHORT }}-core

.github/workflows/plan/action.yml

@@ -23,13 +23,13 @@ runs:
         echo "TERRAFORM_VERSION=`cat ../../.terraform-version`" >> $GITHUB_ENV
 
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@v3
+      uses: aws-actions/configure-aws-credentials@50ac8dd1e1b10d09dac7b8727528b91bed831ac0 # v3
       with:
         role-to-assume: ${{ inputs.iam_role }}
         aws-region: ${{ inputs.region }}
 
     - name: Setup Terraform
-      uses: hashicorp/setup-terraform@v3
+      uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3
       with:
         terraform_version: ${{ env.TERRAFORM_VERSION }}
 

src/infra/prod/eu-south-1/README.md

@@ -65,6 +65,7 @@
 | <a name="module_dev_ns_record"></a> [dev\_ns\_record](#module\_dev\_ns\_record) | terraform-aws-modules/route53/aws//modules/records | 2.11.0 |
 | <a name="module_frontend"></a> [frontend](#module\_frontend) | ../../modules/frontend | n/a |
 | <a name="module_iam"></a> [iam](#module\_iam) | ../../modules/iam | n/a |
+| <a name="module_monitoring"></a> [monitoring](#module\_monitoring) | ../../modules/monitoring | n/a |
 | <a name="module_network"></a> [network](#module\_network) | ../../modules/network | n/a |
 | <a name="module_r53_zones"></a> [r53\_zones](#module\_r53\_zones) | ../../modules/dns | n/a |
 | <a name="module_sns"></a> [sns](#module\_sns) | ../../modules/sns | n/a |

src/oneid/oneid-ecs-core/Dockerfile

@@ -1,5 +1,5 @@
 ## Stage 1 : build with maven builder image with native capabilities
-FROM quay.io/quarkus/ubi-quarkus-graalvmce-builder-image:jdk-21 AS build
+FROM quay.io/quarkus/ubi-quarkus-graalvmce-builder-image:jdk-21@sha256:5f2a1c5004b1fd7996d8a04c8e8798db57827fbd92629690ec6a7ffe319993ac AS build
 # Copy all needed files and directories
 # Parent pom
 COPY  --chown=quarkus:quarkus ../pom.xml /code/
@@ -26,7 +26,7 @@ RUN ["./mvnw", "verify", "clean", "--fail-never"]
 RUN export $(grep -v ^# ${ENVFILE}| xargs); ./mvnw -f pom.xml -B package -P oneid-ecs-core-aggregate -Dmaven.test.skip=true
 
 ## Stage 2 : create the docker final image
-FROM registry.access.redhat.com/ubi8/openjdk-21-runtime:1.20-2
+FROM registry.access.redhat.com/ubi8/openjdk-21-runtime:1.20-2@sha256:6a3242526aebd99245eee76feb55c0b9a10325cddfc9530b24c096064a5ed81e
 WORKDIR /work/
 
 COPY --from=build /code/oneid-ecs-core/metadata/ /deployments/metadata/

src/oneid/oneid-ecs-core/Dockerfile.native

@@ -1,5 +1,5 @@
 ## Stage 1 : build with maven builder image with native capabilities
-FROM quay.io/quarkus/ubi-quarkus-graalvmce-builder-image:jdk-21 AS build
+FROM quay.io/quarkus/ubi-quarkus-graalvmce-builder-image:jdk-21@sha256:5f2a1c5004b1fd7996d8a04c8e8798db57827fbd92629690ec6a7ffe319993ac AS build
 # Copy all needed files and directories
 # Parent pom
 COPY  --chown=quarkus:quarkus ../pom.xml /code/
@@ -18,7 +18,7 @@ WORKDIR /code
 RUN ./mvnw -f pom.xml -B package -P oneid-ecs-core-aggregate,native
 
 ## Stage 2 : create the docker final image
-FROM quay.io/quarkus/quarkus-micro-image:2.0
+FROM quay.io/quarkus/quarkus-micro-image:2.0@sha256:bcf061654314f88907f07fd91232925cf7c11360c142de36f4c7db05512934f1
 WORKDIR /work/
 COPY --from=build /code/oneid-ecs-core/target/*-runner /work/application
 

src/oneid/oneid-ecs-core/docker-compose.yaml

@@ -2,7 +2,7 @@ version: "3.9"
 services:
   dynamodb-local:
     command: "-jar DynamoDBLocal.jar -sharedDb -dbPath ./data"
-    image: "amazon/dynamodb-local:latest"
+    image: "amazon/dynamodb-local:latest@sha256:d7ebddeb60fa418bcda218a6c6a402a58441b2a20d54c9cb1d85fd5194341753"
     container_name: dynamodb-local
     ports:
       - "8000:8000"
@@ -27,6 +27,6 @@ services:
       AWS_SECRET_ACCESS_KEY: "DUMMYEXAMPLEKEY"
       REGION: "eu-south-1"
   spid-saml-check:
-    image: "italia/spid-saml-check:1.10.6"
+    image: "italia/spid-saml-check:1.10.6@sha256:3c659836344b743f8e1f66d01b0fd336a8893386959a87173fc92d9966a9a289"
     ports:
       - "8443:8443"