[Feature] Pin Dependencies by Hash (#5168)

* pin dependencies by hash Signed-off-by: Anant Vijay <anantvijay3@gmail.com> * pin scripts Signed-off-by: Anant Vijay <anantvijay3@gmail.com> Signed-off-by: Anant Vijay <anantvijay3@gmail.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2025-03-28 02:18:15 +00:00 · 2022-11-07 14:29:26 +05:30 · 2022-11-07 14:29:26 +05:30 · 25f8d4498b
commit 25f8d4498b
parent 6325860c89
7 changed files with 8 additions and 8 deletions
--- a/.github/workflows/fossa.yml
+++ b/.github/workflows/fossa.yml
@ -25,6 +25,6 @@ jobs:
        run: |
          export GOPATH=$HOME/go
          export PATH=$PATH:$(go env GOPATH)/bin
-          curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash
+          curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/f90d8f6ea32a55bc3b08d557590066b820a7c1b8/install-latest.sh | bash # v3.5.2
          fossa init
          fossa analyze
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@ -50,7 +50,7 @@ jobs:

      - name: goimports
        run: |
-          go install golang.org/x/tools/cmd/goimports@latest
+          go install golang.org/x/tools/cmd/goimports@f112c43328372460f7ac5bc951711609e22b01cc # v0.2.0
          if [ "$(goimports -l . | wc -l)" -ne 0 ]
          then
           echo "The following files were found to have import formatting issues:"
--- a/cmd/cli/kubectl-kyverno/Dockerfile
+++ b/cmd/cli/kubectl-kyverno/Dockerfile
@ -25,7 +25,7 @@ RUN --mount=type=bind,target=. \
    CGO_ENABLED=0 xx-go build -o /output/kyverno -ldflags="${LD_FLAGS}" -v ./cmd/cli/kubectl-kyverno/

 # Packaging stage
-FROM ghcr.io/distroless/static:latest
+FROM ghcr.io/distroless/static@sha256:a9650a15060275287ebf4530b34020b8d998bd2de9aea00d113c332d8c41eb0b

 LABEL maintainer="Kyverno"

--- a/cmd/initContainer/Dockerfile
+++ b/cmd/initContainer/Dockerfile
@ -25,7 +25,7 @@ RUN --mount=type=bind,target=. \
    CGO_ENABLED=0 xx-go build -o /output/kyvernopre -ldflags="${LD_FLAGS}" -v ./cmd/initContainer/

 # Packaging stage
-FROM ghcr.io/distroless/static:latest
+FROM ghcr.io/distroless/static@sha256:a9650a15060275287ebf4530b34020b8d998bd2de9aea00d113c332d8c41eb0b

 LABEL maintainer="Kyverno"

--- a/cmd/kyverno/Dockerfile
+++ b/cmd/kyverno/Dockerfile
@ -1,4 +1,4 @@
-FROM --platform=${BUILDPLATFORM} golang:alpine AS certs
+FROM --platform=${BUILDPLATFORM} golang:alpine@sha256:e4dcdac3ed37d8c2b3b8bcef2909573b2ad9c2ab53ba53c608909e8b89ccee36 AS certs

 LABEL maintainer="Kyverno"

@ -29,7 +29,7 @@ RUN --mount=type=bind,target=. \
    CGO_ENABLED=0 xx-go build -o /output/kyverno -ldflags="${LD_FLAGS}" -v ./cmd/kyverno/

 # Packaging stage
-FROM ghcr.io/distroless/static:latest
+FROM ghcr.io/distroless/static@sha256:a9650a15060275287ebf4530b34020b8d998bd2de9aea00d113c332d8c41eb0b

 LABEL maintainer="Kyverno"
 COPY --from=builder /output/kyverno /
--- a/cmd/kyverno/localDockerfile
+++ b/cmd/kyverno/localDockerfile
@ -1,4 +1,4 @@
-FROM golang:alpine
+FROM golang@sha256:992d5fea982526ce265a0631a391e3c94694f4d15190fd170f35d91b2e6cb0ba
 ADD kyverno /kyverno
 RUN apk add --no-cache ca-certificates
 USER 10001
--- a/scripts/create-e2e-infrastruture.sh
+++ b/scripts/create-e2e-infrastruture.sh
@ -21,7 +21,7 @@ fi
 pwd=$(pwd)
 cd "$pwd"/config
 echo "Installing kustomize"
-curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"  | bash
+curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/56d82a8378dfc8dc3b3b1085e5a6e67b82966bd7/hack/install_kustomize.sh"  | bash  # v4.5.7
 kustomize edit set image ghcr.io/kyverno/kyverno:"$hash"
 kustomize edit set image ghcr.io/kyverno/kyvernopre:"$hash"
 kustomize build "$pwd"/config/ -o "$pwd"/config/install.yaml