docker/xesite: shalock everything

Signed-off-by: Xe Iaso <me@xeiaso.net>

2 files changed, 26 insertions, 3 deletions

diff --git a/docker-bake.hcl b/docker-bake.hcl
index e92eb55..1867bf5 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -1,8 +1,14 @@
 variable "ALPINE_VERSION" { default = "edge" }
+variable "DENO_SHA" { default = "6ef38d16cbe99c3d610576b56aaa9ede9d988e8a2e5c1ed9c9d502e3167ef758" }
 variable "DENO_VERSION" { default = "2.2.11" }
 variable "DHALL_VERSION" { default = "1.42.2" }
 variable "DHALL_JSON_VERSION" { default = "1.7.12" }
+variable "DHALL_JSON_SHA" { default = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" }
+variable "FONTS_SHA" { default = "2d96002c16d611fe8498a71c0b44362b4a98e18023cce34e7e37f581f34def22" }
+variable "FONTS_VERSION" { default = "20250421" }
 variable "GO_VERSION" { default = "1.24" }
+variable "TYPST_SHA" { default = "7d214bfeffc2e585dc422d1a09d2b144969421281e8c7f5d784b65fc69b5673f" }
+variable "TYPST_VERSION" { default = "0.13.1" }
 variable "UBUNTU_VERSION" { default = "24.04" }
 
 group "default" {
@@ -26,10 +32,16 @@ target "patreon-saasproxy" {
 target "xesite" {
   args = {
     ALPINE_VERSION = null
+    DENO_SHA = null
     DENO_VERSION = null
     DHALL_VERSION = null
     DHALL_JSON_VERSION = null
+    DHALL_JSON_SHA = null
+    FONTS_VERSION = null
+    FONTS_SHA = null
     GO_VERSION = null
+    TYPST_SHA = null
+    TYPST_VERSION = null
     UBUNTU_VERSION = "24.04"
   }
   context = "."
diff --git a/docker/xesite.Dockerfile b/docker/xesite.Dockerfile
index 41dbe7c..a2029c0 100644
--- a/docker/xesite.Dockerfile
+++ b/docker/xesite.Dockerfile
@@ -21,39 +21,50 @@ RUN --mount=type=cache,target=/root/.cache GOOS=${TARGETOS} GOARCH=${TARGETARCH}
 
 # Iosevka for the resume
 FROM --platform=${BUILDPLATFORM} alpine:${ALPINE_VERSION} AS fonts
+ARG FONTS_VERSION=20250421
+ARG FONTS_SHA=2d96002c16d611fe8498a71c0b44362b4a98e18023cce34e7e37f581f34def22
 WORKDIR /fonts
-RUN apk add -U unzip ca-certificates curl \
-  && curl -Lo iosevka.zip https://cdn.xeiaso.net/static/pkg/iosevka/ttf.zip \
+RUN set -x \
+  && apk add -U unzip ca-certificates curl \
+  && curl -Lo iosevka.zip https://files.xeiaso.net/dl/iosevka-${FONTS_VERSION}.zip \
+  && echo "${FONTS_SHA}  iosevka.zip" | sha256sum -c -s \
   && unzip -d /fonts iosevka.zip
 
 # dhall-json for configuration building
 FROM --platform=${BUILDPLATFORM} alpine:${ALPINE_VERSION} AS dhall-json
 ARG DHALL_VERSION=1.42.2
 ARG DHALL_JSON_VERSION=1.7.12
+ARG DHALL_JSON_SHA=acbada5e29ecc9b6a723c3f390beb76b9db26df81546d1f472415a2f387bc457
 RUN mkdir -p /app
 WORKDIR /app
-RUN apk add -U curl bzip2 ca-certificates \
+RUN set -x \
+  && apk add -U curl bzip2 ca-certificates \
   && curl -L -o dhall-linux.tar.bz2 https://github.com/dhall-lang/dhall-haskell/releases/download/${DHALL_VERSION}/dhall-json-${DHALL_JSON_VERSION}-x86_64-linux.tar.bz2 \
+  && echo "${DHALL_JSON_SHA}  dhall-linux.tar.bz2" | sha256sum -c -s \
   && tar -xvjf dhall-linux.tar.bz2 \
   && mv bin/dhall-to-json .
 
 # deno 
 FROM alpine:${ALPINE_VERSION} AS deno
 ARG DENO_VERSION=2.2.11
+ARG DENO_SHA=6ef38d16cbe99c3d610576b56aaa9ede9d988e8a2e5c1ed9c9d502e3167ef758
 RUN mkdir -p /app
 WORKDIR /app
 RUN apk add -U curl unzip ca-certificates \
   && curl -sSLo deno.zip https://github.com/denoland/deno/releases/download/v${DENO_VERSION}/deno-$(uname -m)-unknown-linux-gnu.zip \
+  && echo "${DENO_SHA}  deno.zip" | sha256sum -c -s \
   && unzip deno.zip
 
 # typst
 FROM alpine:${ALPINE_VERSION} AS typst
 ARG TYPST_VERSION=0.13.1
+ARG TYPST_SHA=7d214bfeffc2e585dc422d1a09d2b144969421281e8c7f5d784b65fc69b5673f
 RUN mkdir -p /app
 WORKDIR /app
 RUN set -x \
   && apk add -U curl xz ca-certificates \
   && curl -sSLo typst.tar.xz https://github.com/typst/typst/releases/download/v${TYPST_VERSION}/typst-$(uname -m)-unknown-linux-musl.tar.xz \
+  && echo "${TYPST_SHA}  typst.tar.xz" | sha256sum -c -s \
   && tar xJf typst.tar.xz -C . \
   && mv typst-$(uname -m)-unknown-linux-musl/typst .