From 3ec4b7924482805b76442fa53417b9f9b7042eaf Mon Sep 17 00:00:00 2001
From: "ll-renovate-bot[bot]" <242255147+ll-renovate-bot[bot]@users.noreply.github.com>
Date: Wed, 6 May 2026 20:39:06 +0000
Subject: [PATCH 1/2] Pin dependencies

---
 compose.yaml | 2 +-
 docker/app/Dockerfile | 6 +++---
 docker/prettier/Dockerfile | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/compose.yaml b/compose.yaml
index 4fe50ab..5c175f4 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -1,7 +1,7 @@
 ---
 services:
 db:
- image: postgres:18-alpine
+ image: postgres:18-alpine@sha256:54451ecb8ab38c24c3ec123f2fd501303a3a1856a5c66e98cecf2460d5e1e9d7
 environment:
 - POSTGRES_PASSWORD=postgres
 volumes:
diff --git a/docker/app/Dockerfile b/docker/app/Dockerfile
index 9372f2d..c679a1b 100644
--- a/docker/app/Dockerfile
+++ b/docker/app/Dockerfile
@@ -1,7 +1,7 @@
 ARG PROJECT_NAME="{{ project_name }}"
 # STAGE 1: BUILD NODE
-FROM node:25.9-alpine AS build-node
+FROM node:25.9-alpine@sha256:bdf2cca6fe3dabd014ea60163eca3f0f7015fbd5c7ee1b0e9ccb4ced6eb02ef4 AS build-node
 ARG PROJECT_NAME
 WORKDIR /app
@@ -18,10 +18,10 @@ RUN --mount=type=bind,source=package.json,target=package.json \
 # STAGE 2: BUILD PYTHON
-FROM python:3.14 AS build-python
+FROM python:3.14@sha256:0ba001803c72c128063cfa88863755f905cefabe73c026c66a5a86d8f1d63e98 AS build-python
 WORKDIR /app
-COPY --from=ghcr.io/astral-sh/uv:0.11.2 /uv /uvx /bin/
+COPY --from=ghcr.io/astral-sh/uv:0.11.2@sha256:c4f5de312ee66d46810635ffc5df34a1973ba753e7241ce3a08ef979ddd7bea5 /uv /uvx /bin/
 ENV PYTHONPYCACHEPREFIX=/tmp/pycache
 ENV PYTHONUNBUFFERED=1
 ENV UV_COMPILE_BYTECODE=1
diff --git a/docker/prettier/Dockerfile b/docker/prettier/Dockerfile
index 9df7dbd..f490ed1 100644
--- a/docker/prettier/Dockerfile
+++ b/docker/prettier/Dockerfile
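Review bot: The `image: postgres:18-alpine@sha256:…` pin in compose.yaml cannot be checked from the diff alone, and once a digest is present the `18-alpine` tag is no longer consulted on pull, so a wrong digest would go unnoticed behind a familiar tag. Because the pin is bot-authored, compare it with what the registry reports for that tag before merging, for example with `docker buildx imagetools inspect postgres:18-alpine`; the same check applies to the `node:25.9-alpine`, `python:3.14` and `ghcr.io/astral-sh/uv:0.11.2` pins in docker/app/Dockerfile and docker/prettier/Dockerfile. A pinned digest also stops rebuilt images with security fixes from arriving on their own, so a one-line comment such as `# digest pinned and updated by Renovate` above the line would tell readers that updates depend on the bot; whether digest updates are enabled is not visible in this patch.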
@@ -1,4 +1,4 @@
-FROM node:25.9-alpine AS ui
+FROM node:25.9-alpine@sha256:bdf2cca6fe3dabd014ea60163eca3f0f7015fbd5c7ee1b0e9ccb4ced6eb02ef4 AS ui
 WORKDIR /root
 RUN --mount=type=bind,source=docker/prettier/package.json,target=package.json \
From efb423d98a3782e3306cd8758a1798d231ce63c4 Mon Sep 17 00:00:00 2001
From: Marc Gibbons <1726961+marcgibbons@users.noreply.github.com>
Date: Wed, 6 May 2026 18:13:07 -0400
Subject: [PATCH 2/2] Disable yamllint line-length on pinned postgres digest

Pinned image digest pushes the line past the 88-char limit. Hadolint (used for the Dockerfiles) doesn't enforce line length, so no equivalent comment is needed there.
---
 compose.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/compose.yaml b/compose.yaml
index 5c175f4..d19606f 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -1,6 +1,7 @@
 ---
 services:
 db:
+ # yamllint disable-line rule:line-length
 image: postgres:18-alpine@sha256:54451ecb8ab38c24c3ec123f2fd501303a3a1856a5c66e98cecf2460d5e1e9d7
 environment:
 - POSTGRES_PASSWORD=postgres