build: fix unpinned images (#1420)

ratify-project · Apr 29, 2024 · f006b88 · f006b88
1 parent 9f9f551
commit f006b88
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 11 deletions.
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -14,8 +14,7 @@
 # See here for image contents: https://github.com/microsoft/vscode-dev-containers/tree/v0.245.2/containers/go/.devcontainer/base.Dockerfile
 
 # [Choice] Go version (use -bullseye variants on local arm64/Apple Silicon): 1.21-bullseye, 1, 1.19, 1.18, 1-bullseye, 1.19-bullseye, 1.18-bullseye, 1-buster, 1.19-buster, 1.18-buster
-ARG VARIANT="1.21-bullseye"
-FROM mcr.microsoft.com/vscode/devcontainers/go:${VARIANT}
+FROM mcr.microsoft.com/vscode/devcontainers/go:1.21-bullseye@sha256:c23be6befc7fbe2685f2fdd8161b314bc28bf34a0d37f6777461ccb21c17972d
 
 # [Choice] Node.js version: none, lts/*, 18, 16, 14
 ARG NODE_VERSION="none"

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -17,6 +17,32 @@ updates:
     ignore:
       - dependency-name: "*"
         update-types:
-        - "version-update:semver-major"
-        - "version-update:semver-minor"
-
+          - "version-update:semver-major"
+          - "version-update:semver-minor"
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: "docker"
+    directory: "/httpserver"
+    schedule:
+      interval: "weekly"
+    ignore:
+      - dependency-name: "golang"
+        versions: '> 1.21'
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: "docker"
+    directory: "/.devcontainer"
+    schedule:
+      interval: "weekly"
+    ignore:
+      - dependency-name: "vscode/devcontainers/go"
+        versions: '> 1.21'
+    commit-message:
+      prefix: "chore"
diff --git a/crd.Dockerfile b/crd.Dockerfile
@@ -11,7 +11,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM alpine as builder
+FROM alpine@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b as builder
 
 ARG TARGETOS
 ARG TARGETARCH

diff --git a/httpserver/Dockerfile b/httpserver/Dockerfile
@@ -11,10 +11,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-ARG BUILDERIMAGE="golang:1.21"
-ARG BASEIMAGE="gcr.io/distroless/static:nonroot"
-
-FROM --platform=$BUILDPLATFORM $BUILDERIMAGE as builder
+FROM --platform=$BUILDPLATFORM golang:1.21@sha256:d83472f1ab5712a6b2b816dc811e46155e844ddc02f5f5952e72c6deedafed77 as builder
 
 ARG TARGETPLATFORM
 ARG TARGETOS
@@ -44,7 +41,7 @@ RUN if [ "$build_licensechecker" = "true" ]; then go build -o /app/out/plugins/
 RUN if [ "$build_schemavalidator" = "true" ]; then go build -o /app/out/plugins/ /app/plugins/verifier/schemavalidator; fi
 RUN if [ "$build_vulnerabilityreport" = "true" ]; then go build -o /app/out/plugins/ /app/plugins/verifier/vulnerabilityreport; fi
 
-FROM $BASEIMAGE
+FROM gcr.io/distroless/static:nonroot@sha256:e9ac71e2b8e279a8372741b7a0293afda17650d926900233ec3a7b2b7c22a246
 LABEL org.opencontainers.image.source https://github.com/deislabs/ratify
 
 ARG RATIFY_FOLDER=$HOME/.ratify/