From 5b0f0f93756b1b4e4d2ab7053572151e8979fc54 Mon Sep 17 00:00:00 2001
From: Alex Welsh
Date: Mon, 27 Apr 2026 10:49:23 +0100
Subject: [PATCH 1/3] Fix actions permissions
---
 .github/workflows/test-pr.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/test-pr.yml b/.github/workflows/test-pr.yml
index 2eec68b..39cd561 100644
--- a/.github/workflows/test-pr.yml
+++ b/.github/workflows/test-pr.yml
@@ -31,6 +31,11 @@ jobs:
 with:
 ref: ${{ github.sha }}
 secrets: inherit
+ permissions:
+ packages: write
+ security-events: write
+ id-token: write
+ contents: read
 publish_charts:
 needs: [fail_on_remote]
From 8128c9ff4e15d7812f81deb6f59d3df24711677a Mon Sep 17 00:00:00 2001
From: Victor Hang
Date: Thu, 30 Apr 2026 09:43:35 +0200
Subject: [PATCH 2/3] fix(chat): pin libssl3 and openssl to specific versions in Dockerfile
Signed-off-by: Victor Hang
---
 web-apps/chat/Dockerfile | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/web-apps/chat/Dockerfile b/web-apps/chat/Dockerfile
index 0dd199b..5b7be0c 100644
--- a/web-apps/chat/Dockerfile
+++ b/web-apps/chat/Dockerfile
@@ -1,5 +1,7 @@
 FROM ghcr.io/astral-sh/uv:python3.11-bookworm-slim
+RUN apt-get update && apt-get install -y libssl3=3.0.19-1~deb12u2 openssl=3.0.19-1~deb12u2 && rm -rf /var/lib/apt/lists/*
+
 ARG DIR=chat
 COPY $DIR/requirements.txt requirements.txt
From e57068f1149bfb23582e2cac62fd7cdc98c1673a Mon Sep 17 00:00:00 2001
From: Alex Welsh
Date: Thu, 30 Apr 2026 08:53:18 +0100
Subject: [PATCH 3/3] Pin actions to versions allowed in org
---
 .github/workflows/build-push-charts.yml | 4 ++--
 .github/workflows/build-push-images.yml | 8 ++++----
 .github/workflows/build-push-vllm-cpu.yml | 4 ++--
 .github/workflows/build-push-vllm-xpu.yml | 2 +-
 .github/workflows/test-pr.yml | 6 +++---
 .github/workflows/update-dependencies.yml | 2 +-
 6 files changed, 13 insertions(+), 13 deletions(-)
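Review bot: In the test-pr.yml hunk of patch 1/3, the new `permissions:` block grants three write scopes (`packages`, `security-events`, `id-token`) to a job that also passes `secrets: inherit`, and nothing in the hunk records why each scope is needed. A caller's job-level permissions are the ceiling for the reusable workflow it invokes, so every scope listed here is available to every step of the called workflow. I would add a comment above the block, for example `# ceiling for the called workflow: packages=<why>, security-events=<why>, id-token=<why>`, with the reasons filled in from the called workflow, and drop any scope it does not use. Because this is the PR test workflow, it is also worth confirming that the trigger and any fork-PR guard (not visible here) keep the write-scoped token away from jobs that run unreviewed PR code. The job's name and `uses:` line are outside the hunk.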
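Review bot: In the Dockerfile hunk of patch 2/3, the new `RUN` line pins `libssl3` and `openssl` to `3.0.19-1~deb12u2` with no comment saying which fix the pin is for or when it may be lifted. A Debian suite normally carries only the current revision of a package, so once a newer OpenSSL update is published this build is likely to fail until someone bumps the pin, and the image cannot pick up later fixes on its own. I would add a comment above the line, e.g. `# Pinned for <advisory/reason>; bump when bookworm-security ships a newer OpenSSL`, and install without recommended extras: `apt-get install -y --no-install-recommends libssl3=3.0.19-1~deb12u2 openssl=3.0.19-1~deb12u2`. The base image is still referenced by the mutable tag `python3.11-bookworm-slim`, so the layer under this pin can itself change between builds; pinning it by digest would make the two pins consistent.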
diff --git a/.github/workflows/build-push-charts.yml b/.github/workflows/build-push-charts.yml
index cc4aafb..3084c4c 100644
--- a/.github/workflows/build-push-charts.yml
+++ b/.github/workflows/build-push-charts.yml
@@ -31,10 +31,10 @@ jobs:
 - name: Get SemVer version for current commit
 id: semver
- uses: azimuth-cloud/github-actions/semver@master
+ uses: azimuth-cloud/github-actions/semver@8771cb1c1db134e99becf314f07db6a84b8d7fbf
 - name: Publish Helm charts
- uses: azimuth-cloud/github-actions/helm-publish@master
+ uses: azimuth-cloud/github-actions/helm-publish@8771cb1c1db134e99becf314f07db6a84b8d7fbf
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 version: ${{ steps.semver.outputs.version }}
diff --git a/.github/workflows/build-push-images.yml b/.github/workflows/build-push-images.yml
index 99d7aad..f0301a9 100644
--- a/.github/workflows/build-push-images.yml
+++ b/.github/workflows/build-push-images.yml
@@ -31,7 +31,7 @@ jobs:
 ref: ${{ inputs.ref }}
 - name: Login to GitHub Container Registry
- uses: docker/login-action@v4
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -39,11 +39,11 @@ jobs:
 - name: Get SemVer version for current commit
 id: semver
- uses: azimuth-cloud/github-actions/semver@master
+ uses: azimuth-cloud/github-actions/semver@8771cb1c1db134e99becf314f07db6a84b8d7fbf
 - name: Calculate metadata for image
 id: image-meta
- uses: docker/metadata-action@v6
+ uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
 with:
 images: ghcr.io/stackhpc/azimuth-llm-${{ matrix.component }}-ui
 # Produce the branch name or tag and the SHA as tags
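Review bot: In the build-push-charts.yml hunk, the two `azimuth-cloud/github-actions/...` pins are bare 40-character SHAs with no trailing comment, while the third-party pins in this patch are annotated (`# v4.1.0`, `# v6.0.0`). The old ref was `@master`, so there may be no release tag to cite, but a reader still cannot tell what the SHA corresponds to or when it was taken; I would append something like `# master as of <date>` to each of these lines. The same applies to the `semver` pin in the `@@ -39,11` hunk and the `docker-multiarch-build-push` pin in the `@@ -53,7` hunk of build-push-images.yml. With every action now fixed to a commit, it is also worth confirming that something (for example Dependabot's `github-actions` ecosystem, not visible in this patch) will propose bumps, otherwise the pins age silently and upstream security fixes are not picked up.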
@@ -53,7 +53,7 @@ jobs:
 type=raw,value=${{ steps.semver.outputs.short-sha }}
 - name: Build and push image
- uses: azimuth-cloud/github-actions/docker-multiarch-build-push@master
+ uses: azimuth-cloud/github-actions/docker-multiarch-build-push@8771cb1c1db134e99becf314f07db6a84b8d7fbf
 with:
 cache-key: ${{ matrix.component }}
 context: ./web-apps/
diff --git a/.github/workflows/build-push-vllm-cpu.yml b/.github/workflows/build-push-vllm-cpu.yml
index ab7d612..b8b0377 100644
--- a/.github/workflows/build-push-vllm-cpu.yml
+++ b/.github/workflows/build-push-vllm-cpu.yml
@@ -30,7 +30,7 @@ jobs:
 ref: ${{ inputs.vllm_ref }}
 - name: Login to GitHub Container Registry
- uses: docker/login-action@v4
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -58,7 +58,7 @@ jobs:
 ref: ${{ inputs.vllm_ref }}
 - name: Login to GitHub Container Registry
- uses: docker/login-action@v4
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
diff --git a/.github/workflows/build-push-vllm-xpu.yml b/.github/workflows/build-push-vllm-xpu.yml
index a87b4ce..8ea95c7 100644
--- a/.github/workflows/build-push-vllm-xpu.yml
+++ b/.github/workflows/build-push-vllm-xpu.yml
@@ -30,7 +30,7 @@ jobs:
 ref: ${{ inputs.vllm_ref }}
 - name: Login to GitHub Container Registry
- uses: docker/login-action@v4
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
diff --git a/.github/workflows/test-pr.yml b/.github/workflows/test-pr.yml
index 39cd561..de5f6d3 100644
--- a/.github/workflows/test-pr.yml
+++ b/.github/workflows/test-pr.yml
@@ -89,19 +89,19 @@ jobs:
 working-directory: web-apps
 - name: Install Helm
- uses: azure/setup-helm@v4
+ uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
 - name: Run base chart templating with default values
 run: helm template ci-test charts/azimuth-llm
 - name: Set up chart testing
- uses: helm/chart-testing-action@v2
+ uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f # v2.8.0
 - name: Run chart linting
 run: ct lint --config ct.yaml
 - name: Create Kind Cluster
- uses: helm/kind-action@v1
+ uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
 with:
 cluster_name: ${{ env.CLUSTER_NAME }}
diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml
index 7de1298..7a60ba0 100644
--- a/.github/workflows/update-dependencies.yml
+++ b/.github/workflows/update-dependencies.yml
@@ -61,7 +61,7 @@ jobs:
 - name: Create Pull Request
 if: ${{ steps.dependency_updates.outputs.new_vllm_tag }}
- uses: peter-evans/create-pull-request@v8
+ uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
 with:
 base: main
 branch: update/vllm-${{ steps.dependency_updates.outputs.new_vllm_tag }}
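Review bot: In the test-pr.yml `@@ -89,19` hunk, the `Install Helm` step now pins `azure/setup-helm` to a commit but has no `with:` block, so the Helm binary it downloads is still chosen at run time. As far as I know the action's `version` input defaults to the latest release, which means the action code is fixed while the tool it installs floats. I would pin it too, with `with:` followed by `version: <helm release the charts are tested against>`, and add a short comment that the value should be bumped together with the action SHA. The steps that consume Helm (`helm template`, `ct lint`) are in the same hunk; the rest of the job is outside it.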