diff --git a/.github/workflows/confbatstest-build.yaml b/.github/workflows/confbatstest-build.yaml index 9b798f1..2069c63 100644 --- a/.github/workflows/confbatstest-build.yaml +++ b/.github/workflows/confbatstest-build.yaml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 - name: Get image tags id: image_tags @@ -26,14 +26,14 @@ jobs: TAGS+=($(grep "LABEL version" confbatstest/Dockerfile_build | cut -d '"' -f 2)) echo "${TAGS[*]}" - - uses: hadolint/hadolint-action@v3.1.0 + - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 with: dockerfile: confbatstest/Dockerfile_build ignore: DL3041 # https://github.com/hadolint/hadolint/wiki/DL3041 - name: Build image id: build_image - uses: redhat-actions/buildah-build@v2 + uses: redhat-actions/buildah-build@b4dc19b4ba891854660ab1f88a097d45aa158f76 # v2 with: context: ${{ env.context }} dockerfiles: | @@ -44,7 +44,7 @@ jobs: - name: Push to ghcr.io if: ${{ env.branch_name == 'master' }} # Stops push running when dependabot creates a PR, which fails due to token - uses: redhat-actions/push-to-registry@v2 + uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2 with: image: ${{ steps.build_image.outputs.image }} registry: ghcr.io/${{ github.repository }} diff --git a/.github/workflows/confbatstest.yaml b/.github/workflows/confbatstest.yaml index 572ce76..8a3c3d6 100644 --- a/.github/workflows/confbatstest.yaml +++ b/.github/workflows/confbatstest.yaml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 - name: Switch the action to use the Dockerfile_build run: | diff --git a/.github/workflows/disconnected-csv.yaml b/.github/workflows/disconnected-csv.yaml index ce1071e..2a8a3dd 100644 --- a/.github/workflows/disconnected-csv.yaml 
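Review bot: The trailing comment on the new `uses:` line in the first hunk records only the moving major tag (`# v4`), so a reader cannot tell which release the 40-character SHA corresponds to or check it against the upstream tag. Putting the exact release in the comment, in the form `uses: actions/checkout@<pinned-sha> # v4.x.y` (placeholders), lets a reviewer verify the pin and gives update tooling a meaningful version to display when it bumps the SHA. The same applies to the `# v2` comments on `redhat-actions/buildah-build` and `redhat-actions/push-to-registry` in the later hunks of this file and in the other `*-build.yaml` workflows. The push step matters most, since it runs with registry credentials. The `hadolint/hadolint-action` pin already names `v3.1.0` and can serve as the model.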
+++ b/.github/workflows/disconnected-csv.yaml @@ -17,9 +17,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 - - uses: hadolint/hadolint-action@v3.1.0 + - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 with: dockerfile: disconnected-csv/Dockerfile ignore: DL3013 # https://github.com/hadolint/hadolint/wiki/DL3013 diff --git a/.github/workflows/get-image-version.yaml b/.github/workflows/get-image-version.yaml index 92a60f2..7d344e8 100644 --- a/.github/workflows/get-image-version.yaml +++ b/.github/workflows/get-image-version.yaml @@ -19,7 +19,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 - name: get-image-version - tests id: get_image_version diff --git a/.github/workflows/github-dispatches-build.yaml b/.github/workflows/github-dispatches-build.yaml index 609ea7c..817f28d 100644 --- a/.github/workflows/github-dispatches-build.yaml +++ b/.github/workflows/github-dispatches-build.yaml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 - name: Get image tags id: image_tags @@ -26,13 +26,13 @@ jobs: TAGS+=($(grep "LABEL version" github-dispatches/Dockerfile_build | cut -d '"' -f 2)) echo "${TAGS[*]}" - - uses: hadolint/hadolint-action@v3.1.0 + - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 with: dockerfile: github-dispatches/Dockerfile_build - name: Build image id: build_image - uses: redhat-actions/buildah-build@v2 + uses: redhat-actions/buildah-build@b4dc19b4ba891854660ab1f88a097d45aa158f76 # v2 with: context: ${{ env.context }} dockerfiles: | 
@@ -43,7 +43,7 @@ jobs: - name: Push to ghcr.io if: ${{ env.branch_name == 'master' }} # Stops push running when dependabot creates a PR, which fails due to token - uses: redhat-actions/push-to-registry@v2 + uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2 with: image: ${{ steps.build_image.outputs.image }} registry: ghcr.io/${{ github.repository }} diff --git a/.github/workflows/github-dispatches.yaml b/.github/workflows/github-dispatches.yaml index c1ed267..30930fb 100644 --- a/.github/workflows/github-dispatches.yaml +++ b/.github/workflows/github-dispatches.yaml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 - name: Switch the action to use the Dockerfile_build run: | diff --git a/.github/workflows/kyverno-cli-build.yaml b/.github/workflows/kyverno-cli-build.yaml index 60d538e..d7acd95 100644 --- a/.github/workflows/kyverno-cli-build.yaml +++ b/.github/workflows/kyverno-cli-build.yaml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 - name: Get image tags id: image_tags @@ -26,14 +26,14 @@ jobs: TAGS+=($(grep "LABEL version" kyverno-cli/Dockerfile_build | cut -d '"' -f 2)) echo "${TAGS[*]}" - - uses: hadolint/hadolint-action@v3.1.0 + - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 with: dockerfile: kyverno-cli/Dockerfile_build ignore: DL3041 # https://github.com/hadolint/hadolint/wiki/DL3041 - name: Build image id: build_image - uses: redhat-actions/buildah-build@v2 + uses: redhat-actions/buildah-build@b4dc19b4ba891854660ab1f88a097d45aa158f76 # v2 with: context: ${{ env.context }} dockerfiles: | 
@@ -44,7 +44,7 @@ jobs: - name: Push to ghcr.io if: ${{ env.branch_name == 'master' }} # Stops push running when dependabot creates a PR, which fails due to token - uses: redhat-actions/push-to-registry@v2 + uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2 with: image: ${{ steps.build_image.outputs.image }} registry: ghcr.io/${{ github.repository }} diff --git a/.github/workflows/kyverno-cli.yaml b/.github/workflows/kyverno-cli.yaml index c36ce61..3b6d3df 100644 --- a/.github/workflows/kyverno-cli.yaml +++ b/.github/workflows/kyverno-cli.yaml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 - name: Switch the action to use the Dockerfile_build run: | diff --git a/.github/workflows/redhat-csp-download-build.yaml b/.github/workflows/redhat-csp-download-build.yaml index d6157be..9c86f54 100644 --- a/.github/workflows/redhat-csp-download-build.yaml +++ b/.github/workflows/redhat-csp-download-build.yaml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 - name: Get image tags id: image_tags @@ -26,13 +26,13 @@ jobs: TAGS+=($(grep "LABEL version" redhat-csp-download/Dockerfile_build | cut -d '"' -f 2)) echo "${TAGS[*]}" - - uses: hadolint/hadolint-action@v3.1.0 + - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 with: dockerfile: redhat-csp-download/Dockerfile_build - name: Build image id: build_image - uses: redhat-actions/buildah-build@v2 + uses: redhat-actions/buildah-build@b4dc19b4ba891854660ab1f88a097d45aa158f76 # v2 with: context: ${{ env.context }} dockerfiles: | 
@@ -43,7 +43,7 @@ jobs: - name: Push to ghcr.io if: ${{ env.branch_name == 'master' }} # Stops push running when dependabot creates a PR, which fails due to token - uses: redhat-actions/push-to-registry@v2 + uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2 with: image: ${{ steps.build_image.outputs.image }} registry: ghcr.io/${{ github.repository }} diff --git a/.github/workflows/redhat-csp-download.yaml b/.github/workflows/redhat-csp-download.yaml index e17b726..5a3ac79 100644 --- a/.github/workflows/redhat-csp-download.yaml +++ b/.github/workflows/redhat-csp-download.yaml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 - name: Switch the action to use the Dockerfile_build run: | diff --git a/.github/workflows/s2i.yaml b/.github/workflows/s2i.yaml index 699f6b1..10b262b 100644 --- a/.github/workflows/s2i.yaml +++ b/.github/workflows/s2i.yaml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 - name: Clone example springboot code to build via s2i run: | diff --git a/.github/workflows/set-helm-version.yaml b/.github/workflows/set-helm-version.yaml index 4e5b476..25de800 100644 --- a/.github/workflows/set-helm-version.yaml +++ b/.github/workflows/set-helm-version.yaml @@ -17,9 +17,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 - - uses: hadolint/hadolint-action@v3.1.0 + - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 with: dockerfile: set-helm-version/Dockerfile diff --git a/.github/workflows/ssh-agent.yaml b/.github/workflows/ssh-agent.yaml index 44fc68f..7d9aedf 100644 --- a/.github/workflows/ssh-agent.yaml +++ b/.github/workflows/ssh-agent.yaml 
@@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 - name: ssh-agent uses: ./ssh-agent diff --git a/chart-repo-pr-action/Dockerfile b/chart-repo-pr-action/Dockerfile index 90ee4cd..6de080b 100644 --- a/chart-repo-pr-action/Dockerfile +++ b/chart-repo-pr-action/Dockerfile @@ -1,4 +1,4 @@ -FROM registry.access.redhat.com/ubi9/ubi-minimal:9.1 +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.1@sha256:95413c8dacaac773421428947a431c1cb099d19b4b1125df77d5d1cd2f463ab8 ## According to the GH Actions doc, the user must run as root ## https://docs.github.com/en/actions/creating-actions/dockerfile-support-for-github-actions#user diff --git a/confbatstest/Dockerfile b/confbatstest/Dockerfile index bb00c2f..f03103e 100644 --- a/confbatstest/Dockerfile +++ b/confbatstest/Dockerfile @@ -1 +1 @@ -FROM ghcr.io/redhat-cop/github-actions/confbatstest:latest +FROM ghcr.io/redhat-cop/github-actions/confbatstest:latest@sha256:d3c5704e19974b815ac8ad678512ecaf2aa9fb63cee5c3e7db04fe95c4a3a917 diff --git a/confbatstest/Dockerfile_build b/confbatstest/Dockerfile_build index bc7fe80..7fba93a 100644 --- a/confbatstest/Dockerfile_build +++ b/confbatstest/Dockerfile_build @@ -1,5 +1,5 @@ # Builder image for go -FROM registry.access.redhat.com/ubi9/go-toolset:1.18 AS go-builder +FROM registry.access.redhat.com/ubi9/go-toolset:1.18@sha256:ff992007f16f350a6a4fe4d32324e6a92651e963c769ff544ca57f6c5392d5e3 AS go-builder # go1.19 not released yet - so need to manaully upgrade USER root 
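Review bot: In the `chart-repo-pr-action/Dockerfile` hunk, once `@sha256:…` is present the `9.1` tag no longer takes part in resolving the image, so a rebuild will keep using this exact base even after the registry republishes `ubi-minimal:9.1` with security fixes. That is the intended trade-off of digest pinning, but it only holds up if something bumps the digest regularly; no update configuration is visible in this diff, so confirm that one covers Dockerfile digests. A short comment above the line would record the intent, for example `# base pinned by digest; the tag is informational, update both together`. The same applies to every other `registry.access.redhat.com` and `quay.io` `FROM` line pinned in this commit.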
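Review bot: `confbatstest:latest@sha256:…` in `confbatstest/Dockerfile` is resolved by the digest alone, so the action no longer follows whatever `confbatstest-build.yaml` pushes to ghcr.io. After a new `Dockerfile_build` version is published, users of the action presumably keep getting the image that was `latest` when this commit was made, until this line is edited. The leftover `latest` tag reads as if the action still tracks new builds, which is misleading during an incident or an audit. If the freeze is intended, replace `latest` with the version label of the pinned image and add a comment such as `# pinned to the published build; bump the digest after each release of Dockerfile_build`. The same pattern is introduced in `github-dispatches/Dockerfile`, `kyverno-cli/Dockerfile` and `redhat-csp-download/Dockerfile`.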
@@ -13,7 +13,7 @@ RUN PATH="/usr/local/go/bin:$PATH" GOBIN=/tmp/go-bin go install github.com/plexs /tmp/go-bin/konstraint --help # Builder image -FROM registry.access.redhat.com/ubi9/ubi:9.1 AS builder +FROM registry.access.redhat.com/ubi9/ubi:9.1@sha256:49124e4acd09c98927882760476d617a85f155cb45759aea56b2ab020563c4b8 AS builder RUN export HELM_VERSION=3.11.1 && \ curl -L -o /tmp/helm-v${HELM_VERSION}-linux-amd64.tar.gz https://get.helm.sh/helm-v${HELM_VERSION}-linux-amd64.tar.gz && \ @@ -47,7 +47,7 @@ RUN export KUBEVAL_VERSION=latest && \ /tmp/kubeval --version # Runnable image -FROM registry.access.redhat.com/ubi9/python-39:1 +FROM registry.access.redhat.com/ubi9/python-39:1@sha256:81a000d48bca6b09e09a7b834e0b7c8b6ffb1907b7867e76df9b044e02f9a2ac LABEL version="1.8.0" LABEL repository="http://github.com/redhat-cop/github-actions" diff --git a/disconnected-csv/Dockerfile b/disconnected-csv/Dockerfile index b219cda..57df548 100644 --- a/disconnected-csv/Dockerfile +++ b/disconnected-csv/Dockerfile @@ -1,4 +1,4 @@ -FROM quay.io/skopeo/stable:v1 +FROM quay.io/skopeo/stable:v1@sha256:baaaf8c5fdfa71a7c5ce67826998feccff5b90b1a749825f19789d1a473c3d8a LABEL version="1.0.0" LABEL repository="http://github.com/redhat-cop/github-actions" diff --git a/github-dispatches/Dockerfile b/github-dispatches/Dockerfile index e2ad9a7..183df38 100644 --- a/github-dispatches/Dockerfile +++ b/github-dispatches/Dockerfile @@ -1 +1 @@ -FROM ghcr.io/redhat-cop/github-actions/github-dispatches:latest +FROM ghcr.io/redhat-cop/github-actions/github-dispatches:latest@sha256:20eb7ebde992d39045e142d7087cd9b0d4723b469097d8f7bc9acc206c341163 diff --git a/github-dispatches/Dockerfile_build b/github-dispatches/Dockerfile_build index 09de73a..b68d1e3 100644 --- a/github-dispatches/Dockerfile_build +++ b/github-dispatches/Dockerfile_build 
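Review bot: Pinning the `FROM` lines of `confbatstest/Dockerfile_build` by digest leaves the larger gap open, because the `RUN` steps visible in the context of these two hunks still fetch tools unpinned or unverified. `KUBEVAL_VERSION=latest` takes whatever release is current at build time, and the helm tarball is fetched with `curl -L` with no checksum comparison in view. The `RUN` bodies continue outside the hunks, so a check may exist in lines not shown. If it does not, pin kubeval to a fixed release and verify each download before unpacking, for example `echo "<expected-sha256>  /tmp/helm-v${HELM_VERSION}-linux-amd64.tar.gz" | sha256sum -c -` with the value taken from the publisher's checksum file. The jq download in `github-dispatches/Dockerfile_build` and the helm and kyverno downloads in `kyverno-cli/Dockerfile_build` show the same pattern.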
@@ -1,5 +1,5 @@ # Builder image -FROM registry.access.redhat.com/ubi9/ubi-minimal:9.1 AS builder +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.1@sha256:95413c8dacaac773421428947a431c1cb099d19b4b1125df77d5d1cd2f463ab8 AS builder RUN export JQ_VERSION=1.6 && \ curl -L -o /tmp/jq-linux64 https://github.com/stedolan/jq/releases/download/jq-${JQ_VERSION}/jq-linux64 && \ @@ -7,7 +7,7 @@ RUN export JQ_VERSION=1.6 && \ /tmp/jq-linux64 --version # Runnable image -FROM registry.access.redhat.com/ubi9/ubi-minimal:9.1 +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.1@sha256:95413c8dacaac773421428947a431c1cb099d19b4b1125df77d5d1cd2f463ab8 LABEL version="1.2.0" LABEL repository="http://github.com/redhat-cop/github-actions" diff --git a/kyverno-cli/Dockerfile b/kyverno-cli/Dockerfile index 1e10d18..1eaad6e 100644 --- a/kyverno-cli/Dockerfile +++ b/kyverno-cli/Dockerfile @@ -1 +1 @@ -FROM ghcr.io/redhat-cop/github-actions/kyverno-cli:latest +FROM ghcr.io/redhat-cop/github-actions/kyverno-cli:latest@sha256:728b2d5cc038401e24ea4437cbcefcda1fa8985a2c9b0e63b9c421b31f0ca6eb diff --git a/kyverno-cli/Dockerfile_build b/kyverno-cli/Dockerfile_build index 30127f7..9e53ac8 100644 --- a/kyverno-cli/Dockerfile_build +++ b/kyverno-cli/Dockerfile_build @@ -1,5 +1,5 @@ # Builder image -FROM registry.access.redhat.com/ubi9/ubi:9.1 AS builder +FROM registry.access.redhat.com/ubi9/ubi:9.1@sha256:49124e4acd09c98927882760476d617a85f155cb45759aea56b2ab020563c4b8 AS builder RUN export HELM_VERSION=3.11.1 && \ curl -L -o /tmp/helm-v${HELM_VERSION}-linux-amd64.tar.gz https://get.helm.sh/helm-v${HELM_VERSION}-linux-amd64.tar.gz && \ @@ -23,7 +23,7 @@ RUN export KYVERNO_VERSION=v1.9.0 && \ /tmp/kyverno --help # Runnable image -FROM registry.access.redhat.com/ubi9/python-39:1 +FROM registry.access.redhat.com/ubi9/python-39:1@sha256:81a000d48bca6b09e09a7b834e0b7c8b6ffb1907b7867e76df9b044e02f9a2ac LABEL version="1.1.0" LABEL repository="http://github.com/redhat-cop/github-actions" 
diff --git a/redhat-csp-download/Dockerfile b/redhat-csp-download/Dockerfile index 05b0fc2..6e176be 100644 --- a/redhat-csp-download/Dockerfile +++ b/redhat-csp-download/Dockerfile @@ -1 +1 @@ -FROM ghcr.io/redhat-cop/github-actions/redhat-csp-download:latest +FROM ghcr.io/redhat-cop/github-actions/redhat-csp-download:latest@sha256:7c516dd0355e6484633029306d93d90a5176ea3cb01c8d8d671116ed636550ba diff --git a/redhat-csp-download/Dockerfile_build b/redhat-csp-download/Dockerfile_build index 6daeae6..9537728 100644 --- a/redhat-csp-download/Dockerfile_build +++ b/redhat-csp-download/Dockerfile_build @@ -1,4 +1,4 @@ -FROM registry.access.redhat.com/ubi9/python-39:1 +FROM registry.access.redhat.com/ubi9/python-39:1@sha256:81a000d48bca6b09e09a7b834e0b7c8b6ffb1907b7867e76df9b044e02f9a2ac LABEL version="1.3.0" LABEL repository="http://github.com/redhat-cop/github-actions" diff --git a/s2i/Dockerfile b/s2i/Dockerfile index f37b532..5272f0f 100644 --- a/s2i/Dockerfile +++ b/s2i/Dockerfile @@ -1,4 +1,4 @@ -FROM registry.access.redhat.com/ubi9/ubi-minimal:9.1 +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.1@sha256:95413c8dacaac773421428947a431c1cb099d19b4b1125df77d5d1cd2f463ab8 LABEL version="1.0.0" LABEL repository="http://github.com/redhat-cop/github-actions" diff --git a/set-helm-version/Dockerfile b/set-helm-version/Dockerfile index 1bb0294..6846009 100644 --- a/set-helm-version/Dockerfile +++ b/set-helm-version/Dockerfile @@ -1,4 +1,4 @@ -FROM registry.access.redhat.com/ubi9/python-39:1 +FROM registry.access.redhat.com/ubi9/python-39:1@sha256:81a000d48bca6b09e09a7b834e0b7c8b6ffb1907b7867e76df9b044e02f9a2ac LABEL version="1.1.0" LABEL repository="http://github.com/redhat-cop/github-actions"