Pin images to digests

Signed-off-by: egibs <[email protected]>
egibs · Jun 17, 2024 · c6e1bf4 · c6e1bf4
1 parent 0e325fa
commit c6e1bf4
Show file tree

Hide file tree

Showing 7 changed files with 23 additions and 12 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: daily
diff --git a/Dockerfile-3.11.rocky b/Dockerfile-3.11.rocky
@@ -1,6 +1,6 @@
 # Patch Python to support OpenSSL FIPS module
 # Patchutils installs Python which we want to avoid in the final image
-FROM --platform=$TARGETPLATFORM rockylinux:9-minimal as patch
+FROM --platform=$TARGETPLATFORM rockylinux:9-minimal@sha256:305de618a5681ff75b1d608fd22b10f362867dff2f550a4f1d427d21cd7f42b4 as patch
 
 ARG PYTHON_VERSION="3.11.9"
 
@@ -20,7 +20,7 @@ RUN wget https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VER
     && cd -
 
 # Main stage
-FROM --platform=$TARGETPLATFORM rockylinux:9-minimal
+FROM --platform=$TARGETPLATFORM rockylinux:9-minimal@sha256:305de618a5681ff75b1d608fd22b10f362867dff2f550a4f1d427d21cd7f42b4 as build
 
 ARG OPENSSL_BASE_FIPS_VERSION="3.0.9"
 ARG OPENSSL_FIPS_VERSION="openssl-${OPENSSL_BASE_FIPS_VERSION}"

diff --git a/Dockerfile-3.11.wolfi b/Dockerfile-3.11.wolfi
@@ -1,6 +1,6 @@
 # Patch Python to support OpenSSL FIPS module
 # Patchutils installs Python which we want to avoid in the final image
-FROM --platform=$TARGETPLATFORM cgr.dev/chainguard/wolfi-base as patch
+FROM --platform=$TARGETPLATFORM cgr.dev/chainguard/wolfi-base@sha256:3eff851ab805966c768d2a8107545a96218426cee1e5cc805865505edbe6ce92 as patch
 
 ARG PYTHON_VERSION="3.11.9"
 
@@ -19,7 +19,7 @@ RUN wget https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VER
     && cd -
 
 # Main stage
-FROM --platform=$TARGETPLATFORM cgr.dev/chainguard/wolfi-base as build
+FROM --platform=$TARGETPLATFORM cgr.dev/chainguard/wolfi-base@sha256:3eff851ab805966c768d2a8107545a96218426cee1e5cc805865505edbe6ce92 as build
 
 USER root
 

diff --git a/Dockerfile-3.12.rocky b/Dockerfile-3.12.rocky
@@ -1,6 +1,6 @@
 # Patch Python to support OpenSSL FIPS module
 # Patchutils installs Python which we want to avoid in the final image
-FROM --platform=$TARGETPLATFORM rockylinux:9-minimal as patch
+FROM --platform=$TARGETPLATFORM rockylinux:9-minimal@sha256:305de618a5681ff75b1d608fd22b10f362867dff2f550a4f1d427d21cd7f42b4 as patch
 
 ARG PYTHON_VERSION="3.12.3"
 
@@ -20,7 +20,7 @@ RUN wget https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VER
     && cd -
 
 # Main stage
-FROM --platform=$TARGETPLATFORM rockylinux:9-minimal
+FROM --platform=$TARGETPLATFORM rockylinux:9-minimal@sha256:305de618a5681ff75b1d608fd22b10f362867dff2f550a4f1d427d21cd7f42b4 as build
 
 ARG OPENSSL_BASE_FIPS_VERSION="3.0.9"
 ARG OPENSSL_FIPS_VERSION="openssl-${OPENSSL_BASE_FIPS_VERSION}"

diff --git a/Dockerfile-3.12.wolfi b/Dockerfile-3.12.wolfi
@@ -1,6 +1,6 @@
 # Patch Python to support OpenSSL FIPS module
 # Patchutils installs Python which we want to avoid in the final image
-FROM --platform=$TARGETPLATFORM cgr.dev/chainguard/wolfi-base as patch
+FROM --platform=$TARGETPLATFORM cgr.dev/chainguard/wolfi-base@sha256:3eff851ab805966c768d2a8107545a96218426cee1e5cc805865505edbe6ce92 as patch
 
 ARG PYTHON_VERSION="3.12.3"
 
@@ -19,7 +19,7 @@ RUN wget https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VER
     && cd -
 
 # Main stage
-FROM --platform=$TARGETPLATFORM cgr.dev/chainguard/wolfi-base as build
+FROM --platform=$TARGETPLATFORM cgr.dev/chainguard/wolfi-base@sha256:3eff851ab805966c768d2a8107545a96218426cee1e5cc805865505edbe6ce92 as build
 
 ARG OPENSSL_BASE_FIPS_VERSION="3.0.9"
 ARG OPENSSL_FIPS_VERSION="openssl-${OPENSSL_BASE_FIPS_VERSION}"

diff --git a/Dockerfile-3.9.rocky b/Dockerfile-3.9.rocky
@@ -1,6 +1,6 @@
 # Patch Python to support OpenSSL FIPS module
 # Patchutils installs Python which we want to avoid in the final image
-FROM --platform=$TARGETPLATFORM rockylinux:9-minimal as patch
+FROM --platform=$TARGETPLATFORM rockylinux:9-minimal@sha256:305de618a5681ff75b1d608fd22b10f362867dff2f550a4f1d427d21cd7f42b4 as patch
 
 ARG PYTHON_VERSION="3.9.19"
 
@@ -20,7 +20,7 @@ RUN wget https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VER
     && cd -
 
 # Main stage
-FROM --platform=$TARGETPLATFORM rockylinux:9-minimal
+FROM --platform=$TARGETPLATFORM rockylinux:9-minimal@sha256:305de618a5681ff75b1d608fd22b10f362867dff2f550a4f1d427d21cd7f42b4 as build
 
 ARG OPENSSL_BASE_VERSION="1.0.2"
 ARG OPENSSL_FIPS_VERSION="openssl-fips-2.0.16"

diff --git a/Dockerfile-3.9.wolfi b/Dockerfile-3.9.wolfi
@@ -1,6 +1,6 @@
 # Patch Python to support OpenSSL FIPS module
 # Patchutils installs Python which we want to avoid in the final image
-FROM --platform=$TARGETPLATFORM cgr.dev/chainguard/wolfi-base as patch
+FROM --platform=$TARGETPLATFORM cgr.dev/chainguard/wolfi-base@sha256:3eff851ab805966c768d2a8107545a96218426cee1e5cc805865505edbe6ce92 as patch
 
 ARG PYTHON_VERSION="3.9.19"
 
@@ -19,7 +19,7 @@ RUN wget https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VER
     && cd -
 
 # Main stage
-FROM --platform=$TARGETPLATFORM cgr.dev/chainguard/wolfi-base as build
+FROM --platform=$TARGETPLATFORM cgr.dev/chainguard/wolfi-base@sha256:3eff851ab805966c768d2a8107545a96218426cee1e5cc805865505edbe6ce92 as build
 
 ARG OPENSSL_BASE_VERSION="1.0.2"
 ARG OPENSSL_FIPS_VERSION="openssl-fips-2.0.16"