diff --git a/.github/workflows/image-arm-pr.yaml b/.github/workflows/image-arm-pr.yaml
index 44c8bfc1a..23f696939 100644
--- a/.github/workflows/image-arm-pr.yaml
+++ b/.github/workflows/image-arm-pr.yaml
@@ -26,7 +26,7 @@ jobs:
 repository: quay.io/kairos/packages
 packages: utils/earthly
 - name: Restore trivy cache
- uses: yogeshlonkar/trivy-cache-action@v0
+ uses: yogeshlonkar/trivy-cache-action@b89810131e7efaff0ab831e058f4564e6d2bfb3a # v0
 with:
 gh-token: ${{ secrets.GITHUB_TOKEN }}
 - name: Populate trivy Cache
diff --git a/.github/workflows/image-arm.yaml b/.github/workflows/image-arm.yaml
index 009b838d3..370554cde 100644
--- a/.github/workflows/image-arm.yaml
+++ b/.github/workflows/image-arm.yaml
@@ -94,7 +94,7 @@ jobs:
 repository: quay.io/kairos/packages
 packages: utils/earthly
 - name: Restore trivy cache
- uses: yogeshlonkar/trivy-cache-action@v0
+ uses: yogeshlonkar/trivy-cache-action@b89810131e7efaff0ab831e058f4564e6d2bfb3a # v0
 with:
 gh-token: ${{ secrets.GITHUB_TOKEN }}
 - name: Populate trivy Cache
diff --git a/.github/workflows/image-pr.yaml b/.github/workflows/image-pr.yaml
index 42d3288b0..21afbec3e 100644
--- a/.github/workflows/image-pr.yaml
+++ b/.github/workflows/image-pr.yaml
@@ -25,7 +25,7 @@ jobs:
 repository: quay.io/kairos/packages
 packages: utils/earthly
 - name: Restore trivy cache
- uses: yogeshlonkar/trivy-cache-action@v0
+ uses: yogeshlonkar/trivy-cache-action@b89810131e7efaff0ab831e058f4564e6d2bfb3a # v0
 with:
 gh-token: ${{ secrets.GITHUB_TOKEN }}
 - name: Populate trivy Cache
diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml
index aa5fae811..076adedd9 100644
--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
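Review bot: The trailing `# v0` on the new `uses:` line names a floating major tag, so the comment no longer tells a reader which release of yogeshlonkar/trivy-cache-action the SHA `b898101…` was resolved from; record the exact tag instead, e.g. `# v0.<minor>.<patch>` (placeholder for the resolved tag), which is also the form Dependabot and Renovate keep in sync with the SHA when they bump it. The identical line is changed in the image-arm.yaml, image-pr.yaml, image.yaml, release-arm.yaml (three hunks), release.yaml (three hunks), reusable-build-flavor.yaml, reusable-build-provider.yaml and reusable-docker-arm-build.yaml hunks, so the same remark applies to each of them. Separately, the step still hands `${{ secrets.GITHUB_TOKEN }}` to this third-party action; the pin fixes which code receives the token but not what it may do with it, and the job's `permissions:` block is outside the hunk, so it is worth confirming the token is restricted to the read scopes the cache restore needs rather than the repository default.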
@@ -46,7 +46,7 @@ jobs:
 repository: quay.io/kairos/packages
 packages: utils/earthly
 - name: Restore trivy cache
- uses: yogeshlonkar/trivy-cache-action@v0
+ uses: yogeshlonkar/trivy-cache-action@b89810131e7efaff0ab831e058f4564e6d2bfb3a # v0
 with:
 gh-token: ${{ secrets.GITHUB_TOKEN }}
 - name: Populate trivy Cache
diff --git a/.github/workflows/release-arm.yaml b/.github/workflows/release-arm.yaml
index 27c1b8bb4..ca25d4698 100644
--- a/.github/workflows/release-arm.yaml
+++ b/.github/workflows/release-arm.yaml
@@ -90,7 +90,7 @@ jobs:
 repository: quay.io/kairos/packages
 packages: utils/earthly
 - name: Restore trivy cache
- uses: yogeshlonkar/trivy-cache-action@v0
+ uses: yogeshlonkar/trivy-cache-action@b89810131e7efaff0ab831e058f4564e6d2bfb3a # v0
 with:
 gh-token: ${{ secrets.GITHUB_TOKEN }}
 - name: Populate trivy Cache
@@ -187,7 +187,7 @@ jobs:
 username: ${{ secrets.QUAY_USERNAME }}
 password: ${{ secrets.QUAY_PASSWORD }}
 - name: Restore trivy cache
- uses: yogeshlonkar/trivy-cache-action@v0
+ uses: yogeshlonkar/trivy-cache-action@b89810131e7efaff0ab831e058f4564e6d2bfb3a # v0
 with:
 gh-token: ${{ secrets.GITHUB_TOKEN }}
 - name: Populate trivy Cache
@@ -302,7 +302,7 @@ jobs:
 username: ${{ secrets.QUAY_USERNAME }}
 password: ${{ secrets.QUAY_PASSWORD }}
 - name: Restore trivy cache
- uses: yogeshlonkar/trivy-cache-action@v0
+ uses: yogeshlonkar/trivy-cache-action@b89810131e7efaff0ab831e058f4564e6d2bfb3a # v0
 with:
 gh-token: ${{ secrets.GITHUB_TOKEN }}
 - name: Populate trivy Cache
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 1d999d336..7bbf32f3c 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -106,7 +106,7 @@ jobs:
 repository: quay.io/kairos/packages
 packages: utils/earthly
 - name: Restore trivy cache
- uses: yogeshlonkar/trivy-cache-action@v0
+ uses: yogeshlonkar/trivy-cache-action@b89810131e7efaff0ab831e058f4564e6d2bfb3a # v0
 with:
 gh-token: ${{ secrets.GITHUB_TOKEN }}
 - name: Populate trivy Cache
@@ -182,7 +182,7 @@ jobs:
 repository: quay.io/kairos/packages
 packages: utils/earthly
 - name: Restore trivy cache
- uses: yogeshlonkar/trivy-cache-action@v0
+ uses: yogeshlonkar/trivy-cache-action@b89810131e7efaff0ab831e058f4564e6d2bfb3a # v0
 with:
 gh-token: ${{ secrets.GITHUB_TOKEN }}
 - name: Populate trivy Cache
@@ -439,7 +439,7 @@ jobs:
 - name: Login to Quay Registry
 run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
 - name: Restore trivy cache
- uses: yogeshlonkar/trivy-cache-action@v0
+ uses: yogeshlonkar/trivy-cache-action@b89810131e7efaff0ab831e058f4564e6d2bfb3a # v0
 with:
 gh-token: ${{ secrets.GITHUB_TOKEN }}
 - name: Populate trivy Cache
diff --git a/.github/workflows/reusable-build-flavor.yaml b/.github/workflows/reusable-build-flavor.yaml
index 1d59f03a2..bff3a1d97 100644
--- a/.github/workflows/reusable-build-flavor.yaml
+++ b/.github/workflows/reusable-build-flavor.yaml
@@ -107,7 +107,7 @@ jobs:
 run: |
 earthly account login --token ${{ secrets.EARTHLY_TOKEN }} && earthly org select Kairos
 - name: Restore trivy cache
- uses: yogeshlonkar/trivy-cache-action@v0
+ uses: yogeshlonkar/trivy-cache-action@b89810131e7efaff0ab831e058f4564e6d2bfb3a # v0
 with:
 gh-token: ${{ secrets.GITHUB_TOKEN }}
 - name: Populate trivy Cache
diff --git a/.github/workflows/reusable-build-provider.yaml b/.github/workflows/reusable-build-provider.yaml
index 402bb36c0..0840f5820 100644
--- a/.github/workflows/reusable-build-provider.yaml
+++ b/.github/workflows/reusable-build-provider.yaml
@@ -91,7 +91,7 @@ jobs:
 run: |
 earthly account login --token ${{ secrets.EARTHLY_TOKEN }} && earthly org select Kairos
 - name: Restore trivy cache
- uses: yogeshlonkar/trivy-cache-action@v0
+ uses: yogeshlonkar/trivy-cache-action@b89810131e7efaff0ab831e058f4564e6d2bfb3a # v0
 with:
 gh-token: ${{ secrets.GITHUB_TOKEN }}
 - name: Populate trivy Cache
diff --git a/.github/workflows/reusable-docker-arm-build.yaml b/.github/workflows/reusable-docker-arm-build.yaml
index 4a638129f..a17bd8529 100644
--- a/.github/workflows/reusable-docker-arm-build.yaml
+++ b/.github/workflows/reusable-docker-arm-build.yaml
@@ -87,7 +87,7 @@ jobs:
 run: |
 earthly account login --token ${{ secrets.EARTHLY_TOKEN }} && earthly org select Kairos
 - name: Restore trivy cache
- uses: yogeshlonkar/trivy-cache-action@v0
+ uses: yogeshlonkar/trivy-cache-action@b89810131e7efaff0ab831e058f4564e6d2bfb3a # v0
 with:
 gh-token: ${{ secrets.GITHUB_TOKEN }}
 - name: Populate trivy Cache
diff --git a/examples/bundle/Dockerfile b/examples/bundle/Dockerfile
index ad75e613d..6b08738db 100644
--- a/examples/bundle/Dockerfile
+++ b/examples/bundle/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine as build
+FROM alpine@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d as build
 # Install a binary
 RUN wget https://github.com/ipfs/kubo/releases/download/v0.15.0/kubo_v0.15.0_linux-amd64.tar.gz -O kubo.tar.gz
diff --git a/examples/byoi/fedora-fips/Dockerfile b/examples/byoi/fedora-fips/Dockerfile
index 4b94cdde1..7ec2560c4 100644
--- a/examples/byoi/fedora-fips/Dockerfile
+++ b/examples/byoi/fedora-fips/Dockerfile
@@ -1,8 +1,8 @@
-ARG BASE_IMAGE=fedora:36
+ARG BASE_IMAGE=fedora:36@sha256:64cd00a0e2b92d527c0a0954162a73e85f160e3a53c38325b51e87d6aab4e266
 FROM $BASE_IMAGE as base
 # Generate os-release file
-FROM quay.io/kairos/osbuilder-tools:latest as osbuilder
+FROM quay.io/kairos/osbuilder-tools:latest@sha256:2276b404e26a1c4cb2288521e27c2d62c2982a9ea6ee3aed9d8ef8a41ffd539e as osbuilder
 RUN zypper install -y gettext && zypper clean
 RUN mkdir /workspace
 COPY --from=base /etc/os-release /workspace/os-release
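Review bot: `FROM alpine@sha256:beefdbd8…` pins one digest, and once a digest is present the registry resolves by digest and the tag is ignored, so whether this stage still builds on arm depends on that digest being a multi-platform manifest list rather than a single platform's image manifest; the same question applies to every `FROM`, `COPY --from=` and `ARG BASE_IMAGE` digest added in the examples/byoi/* and images/* Dockerfile hunks of this commit, and the repository does build arm images (image-arm.yaml, reusable-docker-arm-build.yaml). The diff cannot show which kind each digest is, so confirm each one with `docker buildx imagetools inspect <image>@<digest>` (placeholders) before merging. It would also help to state the new contract above the line, since the tag now only documents intent and the digest will not move with it: `# Pinned by digest: the tag is informational; the digest must be refreshed by the dependency updater`.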
@@ -76,7 +76,7 @@ RUN mkdir -p /run/lock && \
 # Copy the os-release file to identify the OS
 COPY --from=osbuilder /workspace/os-release /etc/os-release
-COPY --from=quay.io/kairos/framework:master_fips-systemd / /
+COPY --from=quay.io/kairos/framework:master_fips-systemd@sha256:b4c475bba210cff0ba503ba15da67d463f2a93b470cb3432b4e2d755af25f64c / /
 # Copy the custom dracut config file
 COPY dracut.conf /etc/dracut.conf.d/kairos-fips.conf
diff --git a/examples/byoi/fedora/Dockerfile b/examples/byoi/fedora/Dockerfile
index 96b9d8ade..500e34c9d 100644
--- a/examples/byoi/fedora/Dockerfile
+++ b/examples/byoi/fedora/Dockerfile
@@ -1,4 +1,4 @@
-ARG BASE_IMAGE=fedora:36
+ARG BASE_IMAGE=fedora:36@sha256:64cd00a0e2b92d527c0a0954162a73e85f160e3a53c38325b51e87d6aab4e266
 FROM $BASE_IMAGE
@@ -46,7 +46,7 @@ RUN dnf install -y \
 RUN mkdir -p /run/lock
 RUN touch /usr/libexec/.keep
-COPY --from=quay.io/kairos/framework:master_fedora / /
+COPY --from=quay.io/kairos/framework:master_fedora@sha256:e4d8facc9464a2cfdf0b32cf7bf9832ed7f76cd7113f194975d9278d89c7e6a6 / /
 # Activate Kairos services
 RUN systemctl enable cos-setup-reconcile.timer && \
diff --git a/examples/byoi/rockylinux-fips/Dockerfile b/examples/byoi/rockylinux-fips/Dockerfile
index 090642cb6..443198baf 100644
--- a/examples/byoi/rockylinux-fips/Dockerfile
+++ b/examples/byoi/rockylinux-fips/Dockerfile
@@ -1,8 +1,8 @@
-ARG BASE_IMAGE=rockylinux:9
+ARG BASE_IMAGE=rockylinux:9@sha256:d7be1c094cc5845ee815d4632fe377514ee6ebcf8efaed6892889657e5ddaaa6
 FROM $BASE_IMAGE as base
 # Generate os-release file
-FROM quay.io/kairos/osbuilder-tools:latest as osbuilder
+FROM quay.io/kairos/osbuilder-tools:latest@sha256:2276b404e26a1c4cb2288521e27c2d62c2982a9ea6ee3aed9d8ef8a41ffd539e as osbuilder
 RUN zypper install -y gettext && zypper clean
 RUN mkdir /workspace
 COPY --from=base /etc/os-release /workspace/os-release
@@ -78,7 +78,7 @@ RUN systemctl enable sshd
 # Copy the os-release file to identify the OS
 COPY --from=osbuilder /workspace/os-release /etc/os-release
-COPY --from=quay.io/kairos/framework:master_fips-systemd / /
+COPY --from=quay.io/kairos/framework:master_fips-systemd@sha256:b4c475bba210cff0ba503ba15da67d463f2a93b470cb3432b4e2d755af25f64c / /
 # Copy the custom dracut config file
 COPY dracut.conf /etc/dracut.conf.d/kairos-fips.conf
diff --git a/examples/byoi/ubuntu-fips/Dockerfile b/examples/byoi/ubuntu-fips/Dockerfile
index 51aaa1c18..72ff84fa0 100644
--- a/examples/byoi/ubuntu-fips/Dockerfile
+++ b/examples/byoi/ubuntu-fips/Dockerfile
@@ -1,12 +1,12 @@
 # Kairos framework packages for ubuntu fips
-FROM quay.io/kairos/framework:master_fips-systemd as kairos-fips
+FROM quay.io/kairos/framework:master_fips-systemd@sha256:b4c475bba210cff0ba503ba15da67d463f2a93b470cb3432b4e2d755af25f64c as kairos-fips
 # Base ubuntu image (focal)
-FROM ubuntu:focal as base
+FROM ubuntu:focal@sha256:8e5c4f0285ecbb4ead070431d29b576a530d3166df73ec44affc1cd27555141b as base
 # Generate os-release file
-FROM quay.io/kairos/osbuilder-tools:latest as osbuilder
+FROM quay.io/kairos/osbuilder-tools:latest@sha256:2276b404e26a1c4cb2288521e27c2d62c2982a9ea6ee3aed9d8ef8a41ffd539e as osbuilder
 RUN zypper install -y gettext && zypper clean
 RUN mkdir /workspace
 COPY --from=base /etc/os-release /workspace/os-release
diff --git a/examples/byoi/ubuntu-non-hwe/Dockerfile b/examples/byoi/ubuntu-non-hwe/Dockerfile
index 6118d3147..0607d4727 100644
--- a/examples/byoi/ubuntu-non-hwe/Dockerfile
+++ b/examples/byoi/ubuntu-non-hwe/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:22.04
+FROM ubuntu:22.04@sha256:0e5e4a57c2499249aafc3b40fcd541e9a456aab7296681a3994d631587203f97
 RUN apt-get update && \
 apt-get install -y --no-install-recommends \
 linux-image-generic
diff --git a/images/Dockerfile.alpine b/images/Dockerfile.alpine
index a73e512d8..83eb51bb0 100644
--- a/images/Dockerfile.alpine
+++ b/images/Dockerfile.alpine
@@ -8,7 +8,7 @@ ARG FAMILY=alpine
 ARG FLAVOR
 ARG FLAVOR_RELEASE
 ARG MODEL=generic
-ARG BASE_IMAGE=alpine:3.19
+ARG BASE_IMAGE=alpine:3.19@sha256:ae65dbf8749a7d4527648ccee1fa3deb6bfcae34cbc30fc67aa45c44dcaa90ee
 ARG VARIANT
 ARG VERSION
 ARG FRAMEWORK_VERSION=main
diff --git a/images/Dockerfile.debian b/images/Dockerfile.debian
index 39d944828..0e9f5fa5a 100644
--- a/images/Dockerfile.debian
+++ b/images/Dockerfile.debian
@@ -8,7 +8,7 @@ ARG FAMILY=debian
 ARG FLAVOR
 ARG FLAVOR_RELEASE
 ARG MODEL=generic
-ARG BASE_IMAGE=debian:testing
+ARG BASE_IMAGE=debian:testing@sha256:9e0fe246f9b448b7b39c4f910d8bc76ef50a170e311e7f199eebde5339bcc94f
 ARG VARIANT
 ARG VERSION
 ARG FRAMEWORK_VERSION=main
diff --git a/images/Dockerfile.kairos-alpine b/images/Dockerfile.kairos-alpine
index e061d0d3c..4451f9a50 100644
--- a/images/Dockerfile.kairos-alpine
+++ b/images/Dockerfile.kairos-alpine
@@ -7,10 +7,10 @@ ARG FAMILY=alpine
 ARG FLAVOR
 ARG FLAVOR_RELEASE
 ARG MODEL=generic
-ARG BASE_IMAGE=alpine:3.19
+ARG BASE_IMAGE=alpine:3.19@sha256:ae65dbf8749a7d4527648ccee1fa3deb6bfcae34cbc30fc67aa45c44dcaa90ee
 ARG VARIANT
 ARG VERSION
-ARG FRAMEWORK_VERSION=main
+ARG FRAMEWORK_VERSION=main@sha256:a54ba6aab9732531de6d009e32149138fa8f2bc1502a2b57e4c6eab4419a513a
 ###############################################################
 #### Common ####
diff --git a/images/Dockerfile.kairos-debian b/images/Dockerfile.kairos-debian
index 785eaa112..4a71a8893 100644
--- a/images/Dockerfile.kairos-debian
+++ b/images/Dockerfile.kairos-debian
@@ -7,10 +7,10 @@ ARG FAMILY=debian
 ARG FLAVOR
 ARG FLAVOR_RELEASE
 ARG MODEL=generic
-ARG BASE_IMAGE=debian:testing
+ARG BASE_IMAGE=debian:testing@sha256:9e0fe246f9b448b7b39c4f910d8bc76ef50a170e311e7f199eebde5339bcc94f
 ARG VARIANT
 ARG VERSION
-ARG FRAMEWORK_VERSION=main
+ARG FRAMEWORK_VERSION=main@sha256:a54ba6aab9732531de6d009e32149138fa8f2bc1502a2b57e4c6eab4419a513a
 ###############################################################
 #### Upstream Images ####
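Review bot: The context line `ARG FRAMEWORK_VERSION=main` at the end of this hunk (and the matching one in the images/Dockerfile.debian hunk) is left unpinned, while the kairos-alpine, kairos-debian, kairos-opensuse, kairos-rhel and kairos-ubuntu Dockerfiles in the same commit change it to `ARG FRAMEWORK_VERSION=main@sha256:a54ba6aa…`. If Dockerfile.alpine and Dockerfile.debian expand that ARG into a `FROM` the same way the kairos-* files presumably do (not visible here), they still pull a floating `main` and the pinning is incomplete; either pin them to the same digest or add a comment stating why they are exempt. Note also that a `main@sha256:…` value is only valid where the ARG becomes an image reference — if any of these files also uses `FRAMEWORK_VERSION` in a `LABEL` or a package lookup outside the hunks, the `@sha256:` suffix now leaks into that value too.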
diff --git a/images/Dockerfile.kairos-opensuse b/images/Dockerfile.kairos-opensuse
index 69a18df56..360de89e4 100644
--- a/images/Dockerfile.kairos-opensuse
+++ b/images/Dockerfile.kairos-opensuse
@@ -11,7 +11,7 @@ ARG MODEL=generic
 ARG BASE_IMAGE
 ARG VARIANT
 ARG VERSION
-ARG FRAMEWORK_VERSION=main
+ARG FRAMEWORK_VERSION=main@sha256:a54ba6aab9732531de6d009e32149138fa8f2bc1502a2b57e4c6eab4419a513a
 FROM $BASE_IMAGE AS base
diff --git a/images/Dockerfile.kairos-rhel b/images/Dockerfile.kairos-rhel
index 17e416acf..ec89bbfd9 100644
--- a/images/Dockerfile.kairos-rhel
+++ b/images/Dockerfile.kairos-rhel
@@ -10,7 +10,7 @@ ARG MODEL=generic
 ARG BASE_IMAGE
 ARG VARIANT
 ARG VERSION
-ARG FRAMEWORK_VERSION=main
+ARG FRAMEWORK_VERSION=main@sha256:a54ba6aab9732531de6d009e32149138fa8f2bc1502a2b57e4c6eab4419a513a
 ARG BOOTLOADER=grub
 FROM $BASE_IMAGE AS base
diff --git a/images/Dockerfile.kairos-ubuntu b/images/Dockerfile.kairos-ubuntu
index e946df4ac..0fcd29eb2 100644
--- a/images/Dockerfile.kairos-ubuntu
+++ b/images/Dockerfile.kairos-ubuntu
@@ -20,7 +20,7 @@ ARG MODEL=generic
 ARG BASE_IMAGE
 ARG VARIANT
 ARG VERSION
-ARG FRAMEWORK_VERSION=main
+ARG FRAMEWORK_VERSION=main@sha256:a54ba6aab9732531de6d009e32149138fa8f2bc1502a2b57e4c6eab4419a513a
 ARG BOOTLOADER=grub
 ###############################################################
@@ -38,7 +38,7 @@ FROM ${BASE_IMAGE} AS ubuntu-20.04-upstream
 # Ubuntu and the zfsutils-linux package, there is a fix in
 # nohang upstream but it's not yet available in the Ubuntu
 # package, so we build it from source
-FROM ubuntu:22.04 as nohang-src
+FROM ubuntu:22.04@sha256:0e5e4a57c2499249aafc3b40fcd541e9a456aab7296681a3994d631587203f97 as nohang-src
 WORKDIR /root
 RUN apt-get update \
 && apt-get install -y --no-install-recommends \
diff --git a/images/Dockerfile.nvidia b/images/Dockerfile.nvidia
index acac5c220..5507f591a 100644
--- a/images/Dockerfile.nvidia
+++ b/images/Dockerfile.nvidia
@@ -1,4 +1,4 @@
-FROM ubuntu:20.04 as base
+FROM ubuntu:20.04@sha256:8e5c4f0285ecbb4ead070431d29b576a530d3166df73ec44affc1cd27555141b as base
 RUN apt-get update
 RUN apt-get install -y ca-certificates
diff --git a/images/Dockerfile.ubuntu b/images/Dockerfile.ubuntu
index d95e22412..9edbeeec7 100644
--- a/images/Dockerfile.ubuntu
+++ b/images/Dockerfile.ubuntu
@@ -39,7 +39,7 @@ FROM ${BASE_IMAGE} AS ubuntu-20.04-upstream
 # Ubuntu and the zfsutils-linux package, there is a fix in
 # nohang upstream but it's not yet available in the Ubuntu
 # package, so we build it from source
-FROM ubuntu:22.04 as nohang-src
+FROM ubuntu:22.04@sha256:0e5e4a57c2499249aafc3b40fcd541e9a456aab7296681a3994d631587203f97 as nohang-src
 WORKDIR /root
 RUN apt-get update \
 && apt-get install -y --no-install-recommends \