diff --git a/.github/workflows/image-pr.yaml b/.github/workflows/image-pr.yaml
index 642c5602d..4395a052b 100644
--- a/.github/workflows/image-pr.yaml
+++ b/.github/workflows/image-pr.yaml
@@ -25,7 +25,7 @@ jobs:
           repository: quay.io/kairos/packages
           packages: utils/earthly
       - name: Restore trivy cache
-        uses: yogeshlonkar/trivy-cache-action@v0
+        uses: yogeshlonkar/trivy-cache-action@b89810131e7efaff0ab831e058f4564e6d2bfb3a # v0
         with:
           gh-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Populate trivy Cache
diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml
index 7209e40cf..3a007c34a 100644
--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
@@ -46,7 +46,7 @@ jobs:
           repository: quay.io/kairos/packages
           packages: utils/earthly
       - name: Restore trivy cache
-        uses: yogeshlonkar/trivy-cache-action@v0
+        uses: yogeshlonkar/trivy-cache-action@b89810131e7efaff0ab831e058f4564e6d2bfb3a # v0
         with:
           gh-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Populate trivy Cache
diff --git a/.github/workflows/release-arm.yaml b/.github/workflows/release-arm.yaml
index a2f528324..98d811199 100644
--- a/.github/workflows/release-arm.yaml
+++ b/.github/workflows/release-arm.yaml
@@ -90,7 +90,7 @@ jobs:
           repository: quay.io/kairos/packages
           packages: utils/earthly
       - name: Restore trivy cache
-        uses: yogeshlonkar/trivy-cache-action@v0
+        uses: yogeshlonkar/trivy-cache-action@b89810131e7efaff0ab831e058f4564e6d2bfb3a # v0
         with:
           gh-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Populate trivy Cache
@@ -270,7 +270,7 @@ jobs:
           username: ${{ secrets.QUAY_USERNAME }}
           password: ${{ secrets.QUAY_PASSWORD }}
       - name: Restore trivy cache
-        uses: yogeshlonkar/trivy-cache-action@v0
+        uses: yogeshlonkar/trivy-cache-action@b89810131e7efaff0ab831e058f4564e6d2bfb3a # v0
         with:
           gh-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Populate trivy Cache
@@ -392,7 +392,7 @@ jobs:
           username: ${{ secrets.QUAY_USERNAME }}
           password: ${{ secrets.QUAY_PASSWORD }}
       - name: Restore trivy cache
-        uses: yogeshlonkar/trivy-cache-action@v0
+        uses: yogeshlonkar/trivy-cache-action@b89810131e7efaff0ab831e058f4564e6d2bfb3a # v0
         with:
           gh-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Populate trivy Cache
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 1d5d0cc0f..92bc6b7d0 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -106,7 +106,7 @@ jobs:
           repository: quay.io/kairos/packages
           packages: utils/earthly
       - name: Restore trivy cache
-        uses: yogeshlonkar/trivy-cache-action@v0
+        uses: yogeshlonkar/trivy-cache-action@b89810131e7efaff0ab831e058f4564e6d2bfb3a # v0
         with:
           gh-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Populate trivy Cache
@@ -182,7 +182,7 @@ jobs:
           repository: quay.io/kairos/packages
           packages: utils/earthly
       - name: Restore trivy cache
-        uses: yogeshlonkar/trivy-cache-action@v0
+        uses: yogeshlonkar/trivy-cache-action@b89810131e7efaff0ab831e058f4564e6d2bfb3a # v0
         with:
           gh-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Populate trivy Cache
@@ -439,7 +439,7 @@ jobs:
       - name: Login to Quay Registry
         run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
       - name: Restore trivy cache
-        uses: yogeshlonkar/trivy-cache-action@v0
+        uses: yogeshlonkar/trivy-cache-action@b89810131e7efaff0ab831e058f4564e6d2bfb3a # v0
         with:
           gh-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Populate trivy Cache
diff --git a/.github/workflows/reusable-build-flavor.yaml b/.github/workflows/reusable-build-flavor.yaml
index 34f62b342..ec0127743 100644
--- a/.github/workflows/reusable-build-flavor.yaml
+++ b/.github/workflows/reusable-build-flavor.yaml
@@ -107,7 +107,7 @@ jobs:
         run: |
           earthly account login --token ${{ secrets.EARTHLY_TOKEN }} && earthly org select Kairos
       - name: Restore trivy cache
-        uses: yogeshlonkar/trivy-cache-action@v0
+        uses: yogeshlonkar/trivy-cache-action@b89810131e7efaff0ab831e058f4564e6d2bfb3a # v0
         with:
           gh-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Populate trivy Cache
diff --git a/.github/workflows/reusable-build-provider.yaml b/.github/workflows/reusable-build-provider.yaml
index 9d08ca733..336f771ea 100644
--- a/.github/workflows/reusable-build-provider.yaml
+++ b/.github/workflows/reusable-build-provider.yaml
@@ -91,7 +91,7 @@ jobs:
         run: |
           earthly account login --token ${{ secrets.EARTHLY_TOKEN }} && earthly org select Kairos
       - name: Restore trivy cache
-        uses: yogeshlonkar/trivy-cache-action@v0
+        uses: yogeshlonkar/trivy-cache-action@b89810131e7efaff0ab831e058f4564e6d2bfb3a # v0
         with:
           gh-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Populate trivy Cache
diff --git a/.github/workflows/reusable-docker-arm-build.yaml b/.github/workflows/reusable-docker-arm-build.yaml
index c210612da..7e6e97b0e 100644
--- a/.github/workflows/reusable-docker-arm-build.yaml
+++ b/.github/workflows/reusable-docker-arm-build.yaml
@@ -132,7 +132,7 @@ jobs:
         run: |
           earthly account login --token ${{ secrets.EARTHLY_TOKEN }} && earthly org select Kairos
       - name: Restore trivy cache
-        uses: yogeshlonkar/trivy-cache-action@v0
+        uses: yogeshlonkar/trivy-cache-action@b89810131e7efaff0ab831e058f4564e6d2bfb3a # v0
         with:
           gh-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Populate trivy Cache
diff --git a/examples/bundle/Dockerfile b/examples/bundle/Dockerfile
index ad75e613d..6b08738db 100644
--- a/examples/bundle/Dockerfile
+++ b/examples/bundle/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine as build
+FROM alpine@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d as build
 # Install a binary
 RUN wget https://github.com/ipfs/kubo/releases/download/v0.15.0/kubo_v0.15.0_linux-amd64.tar.gz -O kubo.tar.gz
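Review bot: In examples/bundle/Dockerfile the base image is now pinned by digest, but the `RUN wget https://github.com/ipfs/kubo/releases/download/v0.15.0/kubo_v0.15.0_linux-amd64.tar.gz -O kubo.tar.gz` line two lines below still fetches a tarball with no integrity check, so the stage's inputs are only half pinned. Verifying the download against a recorded checksum closes that gap, e.g. appending `&& echo "<expected-sha256-of-kubo-v0.15.0-tarball>  kubo.tar.gz" | sha256sum -c -` to the same RUN, where the placeholder is the checksum published with the v0.15.0 release. The rest of the build stage is outside this hunk.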
diff --git a/examples/byoi/fedora-fips/Dockerfile b/examples/byoi/fedora-fips/Dockerfile
index 4b94cdde1..97b8a351d 100644
--- a/examples/byoi/fedora-fips/Dockerfile
+++ b/examples/byoi/fedora-fips/Dockerfile
@@ -1,8 +1,8 @@
-ARG BASE_IMAGE=fedora:36
+ARG BASE_IMAGE=fedora:36@sha256:64cd00a0e2b92d527c0a0954162a73e85f160e3a53c38325b51e87d6aab4e266
 FROM $BASE_IMAGE as base
 # Generate os-release file
-FROM quay.io/kairos/osbuilder-tools:latest as osbuilder
+FROM quay.io/kairos/osbuilder-tools:latest@sha256:9b8da01a69f208e4066c04ab0b5c4c3382ec2f06cb508ccb08f0437d6539e10c as osbuilder
 RUN zypper install -y gettext && zypper clean
 RUN mkdir /workspace
 COPY --from=base /etc/os-release /workspace/os-release
@@ -76,7 +76,7 @@ RUN mkdir -p /run/lock && \
 # Copy the os-release file to identify the OS
 COPY --from=osbuilder /workspace/os-release /etc/os-release
-COPY --from=quay.io/kairos/framework:master_fips-systemd / /
+COPY --from=quay.io/kairos/framework:master_fips-systemd@sha256:b4c475bba210cff0ba503ba15da67d463f2a93b470cb3432b4e2d755af25f64c / /
 # Copy the custom dracut config file
 COPY dracut.conf /etc/dracut.conf.d/kairos-fips.conf
diff --git a/examples/byoi/fedora/Dockerfile b/examples/byoi/fedora/Dockerfile
index 96b9d8ade..500e34c9d 100644
--- a/examples/byoi/fedora/Dockerfile
+++ b/examples/byoi/fedora/Dockerfile
@@ -1,4 +1,4 @@
-ARG BASE_IMAGE=fedora:36
+ARG BASE_IMAGE=fedora:36@sha256:64cd00a0e2b92d527c0a0954162a73e85f160e3a53c38325b51e87d6aab4e266
 FROM $BASE_IMAGE
@@ -46,7 +46,7 @@ RUN dnf install -y \
 RUN mkdir -p /run/lock
 RUN touch /usr/libexec/.keep
-COPY --from=quay.io/kairos/framework:master_fedora / /
+COPY --from=quay.io/kairos/framework:master_fedora@sha256:e4d8facc9464a2cfdf0b32cf7bf9832ed7f76cd7113f194975d9278d89c7e6a6 / /
 # Activate Kairos services
 RUN systemctl enable cos-setup-reconcile.timer && \
diff --git a/examples/byoi/rockylinux-fips/Dockerfile b/examples/byoi/rockylinux-fips/Dockerfile
index 090642cb6..fd3b3de0b 100644
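Review bot: `FROM quay.io/kairos/osbuilder-tools:latest@sha256:9b8da01a…` keeps the `latest` tag next to a digest, but when both are present the digest is what gets pulled and the tag is ignored, so this stage no longer tracks `latest` while the line still reads as if it did. Either pair the digest with a versioned tag or add a comment such as `# digest pinned; the 'latest' tag is informational only` so the next reader does not expect automatic updates. The same form appears in the rockylinux-fips and ubuntu-fips Dockerfiles, and the `master_fips-systemd` / `master_fedora` framework references in the second hunks here have the same property. Presumably a dependency bot refreshes these digests; if nothing does, the examples will silently stop receiving base-image fixes, which is worth confirming.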
--- a/examples/byoi/rockylinux-fips/Dockerfile
+++ b/examples/byoi/rockylinux-fips/Dockerfile
@@ -1,8 +1,8 @@
-ARG BASE_IMAGE=rockylinux:9
+ARG BASE_IMAGE=rockylinux:9@sha256:d7be1c094cc5845ee815d4632fe377514ee6ebcf8efaed6892889657e5ddaaa6
 FROM $BASE_IMAGE as base
 # Generate os-release file
-FROM quay.io/kairos/osbuilder-tools:latest as osbuilder
+FROM quay.io/kairos/osbuilder-tools:latest@sha256:9b8da01a69f208e4066c04ab0b5c4c3382ec2f06cb508ccb08f0437d6539e10c as osbuilder
 RUN zypper install -y gettext && zypper clean
 RUN mkdir /workspace
 COPY --from=base /etc/os-release /workspace/os-release
@@ -78,7 +78,7 @@ RUN systemctl enable sshd
 # Copy the os-release file to identify the OS
 COPY --from=osbuilder /workspace/os-release /etc/os-release
-COPY --from=quay.io/kairos/framework:master_fips-systemd / /
+COPY --from=quay.io/kairos/framework:master_fips-systemd@sha256:b4c475bba210cff0ba503ba15da67d463f2a93b470cb3432b4e2d755af25f64c / /
 # Copy the custom dracut config file
 COPY dracut.conf /etc/dracut.conf.d/kairos-fips.conf
diff --git a/examples/byoi/ubuntu-fips/Dockerfile b/examples/byoi/ubuntu-fips/Dockerfile
index 51aaa1c18..8f1aa09c1 100644
--- a/examples/byoi/ubuntu-fips/Dockerfile
+++ b/examples/byoi/ubuntu-fips/Dockerfile
@@ -1,12 +1,12 @@
 # Kairos framework packages for ubuntu fips
-FROM quay.io/kairos/framework:master_fips-systemd as kairos-fips
+FROM quay.io/kairos/framework:master_fips-systemd@sha256:b4c475bba210cff0ba503ba15da67d463f2a93b470cb3432b4e2d755af25f64c as kairos-fips
 # Base ubuntu image (focal)
-FROM ubuntu:focal as base
+FROM ubuntu:focal@sha256:6d8d9799fe6ab3221965efac00b4c34a2bcc102c086a58dff9e19a08b913c7ef as base
 # Generate os-release file
-FROM quay.io/kairos/osbuilder-tools:latest as osbuilder
+FROM quay.io/kairos/osbuilder-tools:latest@sha256:9b8da01a69f208e4066c04ab0b5c4c3382ec2f06cb508ccb08f0437d6539e10c as osbuilder
 RUN zypper install -y gettext && zypper clean
 RUN mkdir /workspace
 COPY --from=base /etc/os-release /workspace/os-release
diff --git a/examples/byoi/ubuntu-non-hwe/Dockerfile b/examples/byoi/ubuntu-non-hwe/Dockerfile
index 6118d3147..82026b7b0 100644
--- a/examples/byoi/ubuntu-non-hwe/Dockerfile
+++ b/examples/byoi/ubuntu-non-hwe/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:22.04
+FROM ubuntu:22.04@sha256:58b87898e82351c6cf9cf5b9f3c20257bb9e2dcf33af051e12ce532d7f94e3fe
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
     linux-image-generic
diff --git a/images/Dockerfile.alpine b/images/Dockerfile.alpine
index a73e512d8..83eb51bb0 100644
--- a/images/Dockerfile.alpine
+++ b/images/Dockerfile.alpine
@@ -8,7 +8,7 @@ ARG FAMILY=alpine
 ARG FLAVOR
 ARG FLAVOR_RELEASE
 ARG MODEL=generic
-ARG BASE_IMAGE=alpine:3.19
+ARG BASE_IMAGE=alpine:3.19@sha256:ae65dbf8749a7d4527648ccee1fa3deb6bfcae34cbc30fc67aa45c44dcaa90ee
 ARG VARIANT
 ARG VERSION
 ARG FRAMEWORK_VERSION=main
diff --git a/images/Dockerfile.debian b/images/Dockerfile.debian
index 39d944828..3d06e3b18 100644
--- a/images/Dockerfile.debian
+++ b/images/Dockerfile.debian
@@ -8,7 +8,7 @@ ARG FAMILY=debian
 ARG FLAVOR
 ARG FLAVOR_RELEASE
 ARG MODEL=generic
-ARG BASE_IMAGE=debian:testing
+ARG BASE_IMAGE=debian:testing@sha256:52d15c535a581ef578eb0759d765ecdf8417701f615152de6afeca41b9face35
 ARG VARIANT
 ARG VERSION
 ARG FRAMEWORK_VERSION=main
diff --git a/images/Dockerfile.kairos-alpine b/images/Dockerfile.kairos-alpine
index 8c543f601..4a1b054c1 100644
--- a/images/Dockerfile.kairos-alpine
+++ b/images/Dockerfile.kairos-alpine
@@ -7,10 +7,10 @@ ARG FAMILY=alpine
 ARG FLAVOR
 ARG FLAVOR_RELEASE
 ARG MODEL=generic
-ARG BASE_IMAGE=alpine:3.19
+ARG BASE_IMAGE=alpine:3.19@sha256:ae65dbf8749a7d4527648ccee1fa3deb6bfcae34cbc30fc67aa45c44dcaa90ee
 ARG VARIANT
 ARG VERSION
-ARG FRAMEWORK_VERSION=main
+ARG FRAMEWORK_VERSION=main@sha256:a2678d78ef200f9799b506eebf36f7c7d4fab69c331139f2016fa88ce1a21e6f
 ###############################################################
 #### Common ####
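Review bot: `ARG FRAMEWORK_VERSION=main@sha256:a2678d78…` in images/Dockerfile.kairos-alpine changes the build-arg's contract from a bare tag to a `tag@digest` reference, and the `FROM` that consumes it lies outside this hunk, so it is not visible here whether callers that pass `--build-arg FRAMEWORK_VERSION=<some-tag>` are expected to include a digest as well; a bare tag would still build but would silently drop the pin. A comment above the ARG, e.g. `# tag@digest: the digest is authoritative and 'main' is informational; override with a digest-pinned ref to keep builds reproducible`, would make that explicit for both humans and the digest-update tooling. The same change is made in Dockerfile.kairos-debian, Dockerfile.kairos-opensuse, Dockerfile.kairos-rhel and Dockerfile.kairos-ubuntu.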
diff --git a/images/Dockerfile.kairos-debian b/images/Dockerfile.kairos-debian
index 8508525da..134fd3b00 100644
--- a/images/Dockerfile.kairos-debian
+++ b/images/Dockerfile.kairos-debian
@@ -7,10 +7,10 @@ ARG FAMILY=debian
 ARG FLAVOR
 ARG FLAVOR_RELEASE
 ARG MODEL=generic
-ARG BASE_IMAGE=debian:testing
+ARG BASE_IMAGE=debian:testing@sha256:52d15c535a581ef578eb0759d765ecdf8417701f615152de6afeca41b9face35
 ARG VARIANT
 ARG VERSION
-ARG FRAMEWORK_VERSION=main
+ARG FRAMEWORK_VERSION=main@sha256:a2678d78ef200f9799b506eebf36f7c7d4fab69c331139f2016fa88ce1a21e6f
 ###############################################################
 #### Upstream Images ####
diff --git a/images/Dockerfile.kairos-opensuse b/images/Dockerfile.kairos-opensuse
index a33175409..d145ef831 100644
--- a/images/Dockerfile.kairos-opensuse
+++ b/images/Dockerfile.kairos-opensuse
@@ -11,7 +11,7 @@ ARG MODEL=generic
 ARG BASE_IMAGE
 ARG VARIANT
 ARG VERSION
-ARG FRAMEWORK_VERSION=main
+ARG FRAMEWORK_VERSION=main@sha256:a2678d78ef200f9799b506eebf36f7c7d4fab69c331139f2016fa88ce1a21e6f
 FROM $BASE_IMAGE AS base
diff --git a/images/Dockerfile.kairos-rhel b/images/Dockerfile.kairos-rhel
index 0f0e05037..f6d6666b1 100644
--- a/images/Dockerfile.kairos-rhel
+++ b/images/Dockerfile.kairos-rhel
@@ -10,7 +10,7 @@ ARG MODEL=generic
 ARG BASE_IMAGE
 ARG VARIANT
 ARG VERSION
-ARG FRAMEWORK_VERSION=main
+ARG FRAMEWORK_VERSION=main@sha256:a2678d78ef200f9799b506eebf36f7c7d4fab69c331139f2016fa88ce1a21e6f
 ARG BOOTLOADER=grub
 FROM $BASE_IMAGE AS base
diff --git a/images/Dockerfile.kairos-ubuntu b/images/Dockerfile.kairos-ubuntu
index 101d34852..5e7df1a7a 100644
--- a/images/Dockerfile.kairos-ubuntu
+++ b/images/Dockerfile.kairos-ubuntu
@@ -19,7 +19,7 @@ ARG MODEL=generic
 ARG BASE_IMAGE
 ARG VARIANT
 ARG VERSION
-ARG FRAMEWORK_VERSION=main
+ARG FRAMEWORK_VERSION=main@sha256:a2678d78ef200f9799b506eebf36f7c7d4fab69c331139f2016fa88ce1a21e6f
 ARG BOOTLOADER=grub
 ###############################################################
@@ -38,7 +38,7 @@ FROM ${BASE_IMAGE} AS ubuntu-24.04-upstream
 # Ubuntu and the zfsutils-linux package, there is a fix in
 # nohang upstream but it's not yet available in the Ubuntu
 # package, so we build it from source
-FROM ubuntu:22.04 as nohang-src
+FROM ubuntu:22.04@sha256:58b87898e82351c6cf9cf5b9f3c20257bb9e2dcf33af051e12ce532d7f94e3fe as nohang-src
 WORKDIR /root
 RUN apt-get update \
     && apt-get install -y --no-install-recommends \
diff --git a/images/Dockerfile.nvidia b/images/Dockerfile.nvidia
index 9669bbd38..07c5df85d 100644
--- a/images/Dockerfile.nvidia
+++ b/images/Dockerfile.nvidia
@@ -1,4 +1,4 @@
-FROM ubuntu:20.04 as base
+FROM ubuntu:20.04@sha256:6d8d9799fe6ab3221965efac00b4c34a2bcc102c086a58dff9e19a08b913c7ef as base
 RUN apt-get update
 RUN apt-get install -y ca-certificates
diff --git a/images/Dockerfile.ubuntu b/images/Dockerfile.ubuntu
index 43ae4aa21..8d0f61a89 100644
--- a/images/Dockerfile.ubuntu
+++ b/images/Dockerfile.ubuntu
@@ -39,7 +39,7 @@ FROM ${BASE_IMAGE} AS ubuntu-24.04-upstream
 # Ubuntu and the zfsutils-linux package, there is a fix in
 # nohang upstream but it's not yet available in the Ubuntu
 # package, so we build it from source
-FROM ubuntu:22.04 as nohang-src
+FROM ubuntu:22.04@sha256:58b87898e82351c6cf9cf5b9f3c20257bb9e2dcf33af051e12ce532d7f94e3fe as nohang-src
 WORKDIR /root
 RUN apt-get update \
     && apt-get install -y --no-install-recommends \