From c6e1bf4594878aa797c3427bf61897473b3db791 Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Mon, 17 Jun 2024 07:28:06 -0500
Subject: [PATCH] Pin images to digests
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 .github/dependabot.yml | 11 +++++++++++
 Dockerfile-3.11.rocky | 4 ++--
 Dockerfile-3.11.wolfi | 4 ++--
 Dockerfile-3.12.rocky | 4 ++--
 Dockerfile-3.12.wolfi | 4 ++--
 Dockerfile-3.9.rocky | 4 ++--
 Dockerfile-3.9.wolfi | 4 ++--
 7 files changed, 23 insertions(+), 12 deletions(-)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..007dfdb
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+ - package-ecosystem: docker
+ directory: /
+ schedule:
+ interval: daily
diff --git a/Dockerfile-3.11.rocky b/Dockerfile-3.11.rocky
index 77ef394..fec1bff 100644
--- a/Dockerfile-3.11.rocky
+++ b/Dockerfile-3.11.rocky
@@ -1,6 +1,6 @@
 # Patch Python to support OpenSSL FIPS module
 # Patchutils installs Python which we want to avoid in the final image
-FROM --platform=$TARGETPLATFORM rockylinux:9-minimal as patch
+FROM --platform=$TARGETPLATFORM rockylinux:9-minimal@sha256:305de618a5681ff75b1d608fd22b10f362867dff2f550a4f1d427d21cd7f42b4 as patch
 ARG PYTHON_VERSION="3.11.9"
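Review bot: The pinned reference `rockylinux:9-minimal@sha256:305de618…` sits behind `--platform=$TARGETPLATFORM`, and nothing in the patch records whether that digest is the multi-arch image index or one architecture's manifest. A per-architecture digest would tie every target platform to the same single image, so a build for another platform may fail or pick up the wrong architecture. It is worth checking the digest with `docker buildx imagetools inspect` and recording the result in a comment above the line, e.g. `# digest of the multi-arch index for rockylinux:9-minimal`. The same question applies to every pinned `FROM` in the six Dockerfiles of this patch, including the `cgr.dev/chainguard/wolfi-base` digest.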
@@ -20,7 +20,7 @@ RUN wget https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VER
 && cd -
 # Main stage
-FROM --platform=$TARGETPLATFORM rockylinux:9-minimal
+FROM --platform=$TARGETPLATFORM rockylinux:9-minimal@sha256:305de618a5681ff75b1d608fd22b10f362867dff2f550a4f1d427d21cd7f42b4 as build
 ARG OPENSSL_BASE_FIPS_VERSION="3.0.9"
 ARG OPENSSL_FIPS_VERSION="openssl-${OPENSSL_BASE_FIPS_VERSION}"
diff --git a/Dockerfile-3.11.wolfi b/Dockerfile-3.11.wolfi
index 0e117c3..58bacf8 100644
--- a/Dockerfile-3.11.wolfi
+++ b/Dockerfile-3.11.wolfi
@@ -1,6 +1,6 @@
 # Patch Python to support OpenSSL FIPS module
 # Patchutils installs Python which we want to avoid in the final image
-FROM --platform=$TARGETPLATFORM cgr.dev/chainguard/wolfi-base as patch
+FROM --platform=$TARGETPLATFORM cgr.dev/chainguard/wolfi-base@sha256:3eff851ab805966c768d2a8107545a96218426cee1e5cc805865505edbe6ce92 as patch
 ARG PYTHON_VERSION="3.11.9"
@@ -19,7 +19,7 @@ RUN wget https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VER
 && cd -
 # Main stage
-FROM --platform=$TARGETPLATFORM cgr.dev/chainguard/wolfi-base as build
+FROM --platform=$TARGETPLATFORM cgr.dev/chainguard/wolfi-base@sha256:3eff851ab805966c768d2a8107545a96218426cee1e5cc805865505edbe6ce92 as build
 USER root
diff --git a/Dockerfile-3.12.rocky b/Dockerfile-3.12.rocky
index c7a1958..d9fd833 100644
--- a/Dockerfile-3.12.rocky
+++ b/Dockerfile-3.12.rocky
@@ -1,6 +1,6 @@
 # Patch Python to support OpenSSL FIPS module
 # Patchutils installs Python which we want to avoid in the final image
-FROM --platform=$TARGETPLATFORM rockylinux:9-minimal as patch
+FROM --platform=$TARGETPLATFORM rockylinux:9-minimal@sha256:305de618a5681ff75b1d608fd22b10f362867dff2f550a4f1d427d21cd7f42b4 as patch
 ARG PYTHON_VERSION="3.12.3"
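Review bot: The new main-stage line in Dockerfile-3.11.rocky ends in lowercase `as build` after an uppercase `FROM`, a casing mismatch that BuildKit's build checks report (FromAsCasing); `AS build` here and `AS patch` on the first stage would clear it. Naming the stage is also a change beyond digest pinning, since the old Rocky line had no stage name, so a word about it in the commit description would help. The other Rocky and Wolfi `FROM` lines in this patch use the same lowercase `as`. The stage body continues outside the hunk.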
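Review bot: `cgr.dev/chainguard/wolfi-base@sha256:3eff851a…` in Dockerfile-3.11.wolfi carries a digest but no tag, so nothing on the line says which tag the digest was resolved from or which one an updater should follow. Writing the tag explicitly, `cgr.dev/chainguard/wolfi-base:latest@sha256:3eff851a…`, keeps the pin and documents the tracked tag. It is also worth confirming that the Dependabot `docker` updater added in this patch refreshes digest-only references, because a pin that is never refreshed stops receiving base-image fixes. This applies to all six wolfi `FROM` lines in the patch.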
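Review bot: With both base images pinned, the `RUN wget https://www.python.org/ftp/python/${PYTHON_VERSION}/…` step visible in the header of the second Dockerfile-3.11.wolfi hunk is the remaining build input fetched by name rather than by content. The command is truncated and its body lies outside the hunk, so a checksum or signature check may already exist. If it does not, comparing the tarball against a pinned SHA-256 (for example with `sha256sum -c`) before unpacking would give it the same guarantee as the `FROM` lines. The same step appears in the header of every second hunk in this patch.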
@@ -20,7 +20,7 @@ RUN wget https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VER
 && cd -
 # Main stage
-FROM --platform=$TARGETPLATFORM rockylinux:9-minimal
+FROM --platform=$TARGETPLATFORM rockylinux:9-minimal@sha256:305de618a5681ff75b1d608fd22b10f362867dff2f550a4f1d427d21cd7f42b4 as build
 ARG OPENSSL_BASE_FIPS_VERSION="3.0.9"
 ARG OPENSSL_FIPS_VERSION="openssl-${OPENSSL_BASE_FIPS_VERSION}"
diff --git a/Dockerfile-3.12.wolfi b/Dockerfile-3.12.wolfi
index 7407012..933a455 100644
--- a/Dockerfile-3.12.wolfi
+++ b/Dockerfile-3.12.wolfi
@@ -1,6 +1,6 @@
 # Patch Python to support OpenSSL FIPS module
 # Patchutils installs Python which we want to avoid in the final image
-FROM --platform=$TARGETPLATFORM cgr.dev/chainguard/wolfi-base as patch
+FROM --platform=$TARGETPLATFORM cgr.dev/chainguard/wolfi-base@sha256:3eff851ab805966c768d2a8107545a96218426cee1e5cc805865505edbe6ce92 as patch
 ARG PYTHON_VERSION="3.12.3"
@@ -19,7 +19,7 @@ RUN wget https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VER
 && cd -
 # Main stage
-FROM --platform=$TARGETPLATFORM cgr.dev/chainguard/wolfi-base as build
+FROM --platform=$TARGETPLATFORM cgr.dev/chainguard/wolfi-base@sha256:3eff851ab805966c768d2a8107545a96218426cee1e5cc805865505edbe6ce92 as build
 ARG OPENSSL_BASE_FIPS_VERSION="3.0.9"
 ARG OPENSSL_FIPS_VERSION="openssl-${OPENSSL_BASE_FIPS_VERSION}"
diff --git a/Dockerfile-3.9.rocky b/Dockerfile-3.9.rocky
index f19a57e..2bca7f9 100644
--- a/Dockerfile-3.9.rocky
+++ b/Dockerfile-3.9.rocky
@@ -1,6 +1,6 @@
 # Patch Python to support OpenSSL FIPS module
 # Patchutils installs Python which we want to avoid in the final image
-FROM --platform=$TARGETPLATFORM rockylinux:9-minimal as patch
+FROM --platform=$TARGETPLATFORM rockylinux:9-minimal@sha256:305de618a5681ff75b1d608fd22b10f362867dff2f550a4f1d427d21cd7f42b4 as patch
 ARG PYTHON_VERSION="3.9.19"
@@ -20,7 +20,7 @@ RUN wget https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VER
 && cd -
 # Main stage
-FROM --platform=$TARGETPLATFORM rockylinux:9-minimal
+FROM --platform=$TARGETPLATFORM rockylinux:9-minimal@sha256:305de618a5681ff75b1d608fd22b10f362867dff2f550a4f1d427d21cd7f42b4 as build
 ARG OPENSSL_BASE_VERSION="1.0.2"
 ARG OPENSSL_FIPS_VERSION="openssl-fips-2.0.16"
diff --git a/Dockerfile-3.9.wolfi b/Dockerfile-3.9.wolfi
index d67405e..aaa5bd4 100644
--- a/Dockerfile-3.9.wolfi
+++ b/Dockerfile-3.9.wolfi
@@ -1,6 +1,6 @@
 # Patch Python to support OpenSSL FIPS module
 # Patchutils installs Python which we want to avoid in the final image
-FROM --platform=$TARGETPLATFORM cgr.dev/chainguard/wolfi-base as patch
+FROM --platform=$TARGETPLATFORM cgr.dev/chainguard/wolfi-base@sha256:3eff851ab805966c768d2a8107545a96218426cee1e5cc805865505edbe6ce92 as patch
 ARG PYTHON_VERSION="3.9.19"
@@ -19,7 +19,7 @@ RUN wget https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VER
 && cd -
 # Main stage
-FROM --platform=$TARGETPLATFORM cgr.dev/chainguard/wolfi-base as build
+FROM --platform=$TARGETPLATFORM cgr.dev/chainguard/wolfi-base@sha256:3eff851ab805966c768d2a8107545a96218426cee1e5cc805865505edbe6ce92 as build
 ARG OPENSSL_BASE_VERSION="1.0.2"
 ARG OPENSSL_FIPS_VERSION="openssl-fips-2.0.16"