From caa1c7f47155ec2875afb50dbfe823dd6626fdd8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Gra=CC=88fenstein?=
Date: Sun, 22 Mar 2026 12:23:52 +0100
Subject: [PATCH] pin versions
---
 gitea/docker-compose.yml | 2 +-
 monitoring/docker-compose.yml | 2 +-
 review.md | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/gitea/docker-compose.yml b/gitea/docker-compose.yml
index bc60d55..d6d8fdb 100644
--- a/gitea/docker-compose.yml
+++ b/gitea/docker-compose.yml
@@ -1,6 +1,6 @@
 services:
 gitea:
- image: gitea/gitea:latest-rootless
+ image: gitea/gitea:1.25.5-rootless
 container_name: gitea
 restart: unless-stopped
 env_file: .env
diff --git a/monitoring/docker-compose.yml b/monitoring/docker-compose.yml
index 8260e33..64b68fb 100644
--- a/monitoring/docker-compose.yml
+++ b/monitoring/docker-compose.yml
@@ -29,7 +29,7 @@ services:
 - monitoring
 alloy:
- image: grafana/alloy:latest
+ image: grafana/alloy:v1.14.1
 container_name: alloy
 restart: unless-stopped
 depends_on:
diff --git a/review.md b/review.md
index 19778f3..6d9e159 100644
--- a/review.md
+++ b/review.md
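Review bot: The new `image:` lines in gitea/docker-compose.yml and monitoring/docker-compose.yml (both hunks) pin a tag rather than the image content; registry tags are mutable, so `gitea/gitea:1.25.5-rootless` and `grafana/alloy:v1.14.1` can still resolve to different bytes on a later pull. Appending the digest makes the pin immutable, e.g. `image: gitea/gitea:1.25.5-rootless@sha256:<digest-of-verified-pull>`, and the same form for Alloy. Pinned images also stop picking up security fixes implicitly, so this should be paired with an update bot or a documented bump cadence. Both service definitions continue outside their hunks.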
@@ -10,5 +10,5 @@
 | 6 | High | `scripts/deploy.sh:13` | `source .env` in a root-privileged script can execute arbitrary commands. Consider safer parsing or variable validation | DONE |
 | 7 | Medium | `monitoring/docker-compose.yml` | Docker socket + `/proc` + `/sys` + `/` mounted into Alloy container. Consider using a Docker socket proxy to limit API access | DONE |
 | 8 | Medium | `caddy/Caddyfile` | No rate limiting configured at the reverse proxy layer | DONE |
-| 9 | Low | `gitea/docker-compose.yml` | `gitea/gitea:latest-rootless` unpinned — pin to specific version like Nextcloud does | TODO |
-| 10 | Low | `monitoring/docker-compose.yml` | `grafana/alloy:latest` unpinned — pin to specific version | TODO |
+| 9 | Low | `gitea/docker-compose.yml` | `gitea/gitea:latest-rootless` unpinned — pin to specific version like Nextcloud does | DONE |
+| 10 | Low | `monitoring/docker-compose.yml` | `grafana/alloy:latest` unpinned — pin to specific version | DONE |