From f70cd4222f666df7d529b5c5fcb918a73b3b054b Mon Sep 17 00:00:00 2001
From: Shubham Gupta <shubham.gupta2956@gmail.com>
Date: Tue, 12 Apr 2022 14:52:38 +0530
Subject: [PATCH] Update hash of dependencies instead of mutable version
 (#3582)

Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
---
 .github/workflows/image-build.yaml | 2 +-
 .github/workflows/reuse.yaml       | 4 ++--
 cmd/cli/kubectl-kyverno/Dockerfile | 2 +-
 cmd/initContainer/Dockerfile       | 2 +-
 cmd/kyverno/Dockerfile             | 2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/image-build.yaml b/.github/workflows/image-build.yaml
index 3dda4a7fe0..d1d6da38ad 100644
--- a/.github/workflows/image-build.yaml
+++ b/.github/workflows/image-build.yaml
@@ -133,7 +133,7 @@ jobs:
           make docker-build-kyverno
 
       - name: Trivy Scan Image
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@40c4ca9e7421287d0c5576712fdff370978f9c3c
         with:
           scan-type: 'fs'
           ignore-unfixed: true
diff --git a/.github/workflows/reuse.yaml b/.github/workflows/reuse.yaml
index 600d036255..feab387bbe 100644
--- a/.github/workflows/reuse.yaml
+++ b/.github/workflows/reuse.yaml
@@ -64,7 +64,7 @@ jobs:
             ${{ runner.os }}-go-
 
       - name: Log into ghcr.io
-        uses: docker/login-action@master
+        uses: docker/login-action@7c79b598eaa33458e78e8d0d71e0a9c217dd92af
         with:
           registry: ghcr.io
           username: ${{secrets.registry_username}}
@@ -81,7 +81,7 @@ jobs:
 
       - name: Run Trivy vulnerability scanner in repo mode
         if: ${{inputs.tag == 'release'}}
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@40c4ca9e7421287d0c5576712fdff370978f9c3c
         with:
           scan-type: 'fs'
           ignore-unfixed: true
diff --git a/cmd/cli/kubectl-kyverno/Dockerfile b/cmd/cli/kubectl-kyverno/Dockerfile
index 0b2b6c0f0d..074aa8c6c9 100644
--- a/cmd/cli/kubectl-kyverno/Dockerfile
+++ b/cmd/cli/kubectl-kyverno/Dockerfile
@@ -1,6 +1,6 @@
 # Multi-stage docker build
 # Build stage
-FROM golang:1.17.6 AS builder
+FROM golang@sha256:ec67c62f48ddfbca1ccaef18f9b3addccd707e1885fa28702a3954340786fcf6 AS builder
 
 LABEL maintainer="Kyverno"
 
diff --git a/cmd/initContainer/Dockerfile b/cmd/initContainer/Dockerfile
index b8ff0a15b8..4de4d7a07c 100644
--- a/cmd/initContainer/Dockerfile
+++ b/cmd/initContainer/Dockerfile
@@ -1,6 +1,6 @@
 # Multi-stage docker build
 # Build stage
-FROM golang:1.17.6 AS builder
+FROM golang@sha256:ec67c62f48ddfbca1ccaef18f9b3addccd707e1885fa28702a3954340786fcf6 AS builder
 
 LABEL maintainer="Kyverno"
 
diff --git a/cmd/kyverno/Dockerfile b/cmd/kyverno/Dockerfile
index d83a12967a..e65ef8aafc 100644
--- a/cmd/kyverno/Dockerfile
+++ b/cmd/kyverno/Dockerfile
@@ -1,6 +1,6 @@
 # Multi-stage docker build
 # Build stage
-FROM golang:1.17.6 AS builder
+FROM golang@sha256:ec67c62f48ddfbca1ccaef18f9b3addccd707e1885fa28702a3954340786fcf6 AS builder
 
 LABEL maintainer="Kyverno"