From 7ba9aec25286ffd724ac95a36bf87ed3c990e847 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 22 May 2026 10:11:23 +0000
Subject: [PATCH] Pin dependencies

---
 .github/workflows/ci.yml |  2 +-
 Dockerfile               |  4 ++--
 docker-compose.yml       | 12 ++++++------
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3b5b409cb6..cfdc14374c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,7 +6,7 @@ jobs:
 
     services:
       db:
-        image: postgres:15.16
+        image: postgres:15.16@sha256:2bc89eed5490967e6b1fa5175d84cb45d65f19fbb8973c7b23450dea785b9505
         # Health checks to wait until postgres has started
         options: >-
           --health-cmd pg_isready
diff --git a/Dockerfile b/Dockerfile
index d401032ec6..2d07e514a8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM python:3.11-slim AS base
+FROM python:3.11-slim@sha256:a3ab0b966bc4e91546a033e22093cb840908979487a9fc0e6e38295747e49ac0 AS base
 
 LABEL maintainer="ODL DevOps <mitx-devops@mit.edu>"
 
@@ -34,7 +34,7 @@ ENV  \
 ENV PATH="/opt/venv/bin:$PATH"
 
 # Install uv
-COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /usr/local/bin/
+COPY --from=ghcr.io/astral-sh/uv:latest@sha256:440fd6477af86a2f1b38080c539f1672cd22acb1b1a47e321dba5158ab08864d /uv /uvx /usr/local/bin/
 
 COPY pyproject.toml /src
 COPY uv.lock /src
diff --git a/docker-compose.yml b/docker-compose.yml
index d2608385a6..254d8b855e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -32,7 +32,7 @@ x-extra-hosts:
 
 services:
   db:
-    image: postgres:15.16
+    image: postgres:15.16@sha256:2bc89eed5490967e6b1fa5175d84cb45d65f19fbb8973c7b23450dea785b9505
     ports:
       - "5432"
     environment:
@@ -177,7 +177,7 @@ services:
       - "8080:8080"
 
   varnish:
-    image: varnish:fresh
+    image: varnish:fresh@sha256:2af8792bddd0417e8d2d0c8e0786b4c0e9be065b80ee115f0bf25114074579e7
     links:
       - nginx
     ports:
@@ -188,7 +188,7 @@ services:
       - nginx
 
   keycloak:
-    image: quay.io/keycloak/keycloak:latest
+    image: quay.io/keycloak/keycloak:latest@sha256:5afd40414096432903a5374ba4ba70b931dcca598a6bd9f44239fe66ef8d9737
     profiles:
       - keycloak
     depends_on:
@@ -216,7 +216,7 @@ services:
       - ./config/keycloak/realms:/opt/keycloak/data/import
 
   api:
-    image: apache/apisix:latest
+    image: apache/apisix:latest@sha256:468a384f8b9236a904dd65a19fc3eab9492ea98d0054b69e840e04e529120dcd
     profiles:
       - apisix
     environment:
@@ -238,13 +238,13 @@ services:
   coordinator:
     profiles:
       - verifiable-creds
-    image: digitalcredentials/issuer-coordinator:1.0.0
+    image: digitalcredentials/issuer-coordinator:1.0.0@sha256:8610376d4c35420e1c780f90c9b6402ebcfa965ee0e67383493dde31afa95a91
     ports:
       - "4005:4005"
   signer:
     profiles:
       - verifiable-creds
-    image: digitalcredentials/signing-service:1.2.0
+    image: digitalcredentials/signing-service:1.2.0@sha256:2a2e2fe4f4782b5c62783fc06d8b3931e95f3873779df34a2aa441545eaa3446
 
 
 volumes: