[Feature] Pin Dependencies by Hash (kyverno#5168)

* pin dependencies by hash Signed-off-by: Anant Vijay <anantvijay3@gmail.com> * pin scripts Signed-off-by: Anant Vijay <anantvijay3@gmail.com> Signed-off-by: Anant Vijay <anantvijay3@gmail.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
infracloudio · Nov 7, 2022 · 25f8d44 · 25f8d44
1 parent 6325860
commit 25f8d44
Show file tree

Hide file tree

Showing 7 changed files with 8 additions and 8 deletions.
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
@@ -25,6 +25,6 @@ jobs:
         run: |
           export GOPATH=$HOME/go
           export PATH=$PATH:$(go env GOPATH)/bin
-          curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash
+          curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/f90d8f6ea32a55bc3b08d557590066b820a7c1b8/install-latest.sh | bash # v3.5.2
           fossa init
           fossa analyze
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -50,7 +50,7 @@ jobs:
 
       - name: goimports
         run: |
-          go install golang.org/x/tools/cmd/goimports@latest
+          go install golang.org/x/tools/cmd/goimports@f112c43328372460f7ac5bc951711609e22b01cc # v0.2.0
           if [ "$(goimports -l . | wc -l)" -ne 0 ]
           then
            echo "The following files were found to have import formatting issues:"

diff --git a/cmd/cli/kubectl-kyverno/Dockerfile b/cmd/cli/kubectl-kyverno/Dockerfile
@@ -25,7 +25,7 @@ RUN --mount=type=bind,target=. \
     CGO_ENABLED=0 xx-go build -o /output/kyverno -ldflags="${LD_FLAGS}" -v ./cmd/cli/kubectl-kyverno/
 
 # Packaging stage
-FROM ghcr.io/distroless/static:latest
+FROM ghcr.io/distroless/static@sha256:a9650a15060275287ebf4530b34020b8d998bd2de9aea00d113c332d8c41eb0b
 
 LABEL maintainer="Kyverno"
 

diff --git a/cmd/initContainer/Dockerfile b/cmd/initContainer/Dockerfile
@@ -25,7 +25,7 @@ RUN --mount=type=bind,target=. \
     CGO_ENABLED=0 xx-go build -o /output/kyvernopre -ldflags="${LD_FLAGS}" -v ./cmd/initContainer/
 
 # Packaging stage
-FROM ghcr.io/distroless/static:latest
+FROM ghcr.io/distroless/static@sha256:a9650a15060275287ebf4530b34020b8d998bd2de9aea00d113c332d8c41eb0b
 
 LABEL maintainer="Kyverno"
 

diff --git a/cmd/kyverno/Dockerfile b/cmd/kyverno/Dockerfile
@@ -1,4 +1,4 @@
-FROM --platform=${BUILDPLATFORM} golang:alpine AS certs
+FROM --platform=${BUILDPLATFORM} golang:alpine@sha256:e4dcdac3ed37d8c2b3b8bcef2909573b2ad9c2ab53ba53c608909e8b89ccee36 AS certs
 
 LABEL maintainer="Kyverno"
 
@@ -29,7 +29,7 @@ RUN --mount=type=bind,target=. \
     CGO_ENABLED=0 xx-go build -o /output/kyverno -ldflags="${LD_FLAGS}" -v ./cmd/kyverno/
 
 # Packaging stage
-FROM ghcr.io/distroless/static:latest
+FROM ghcr.io/distroless/static@sha256:a9650a15060275287ebf4530b34020b8d998bd2de9aea00d113c332d8c41eb0b
 
 LABEL maintainer="Kyverno"
 COPY --from=builder /output/kyverno /

diff --git a/cmd/kyverno/localDockerfile b/cmd/kyverno/localDockerfile
@@ -1,4 +1,4 @@
-FROM golang:alpine
+FROM golang@sha256:992d5fea982526ce265a0631a391e3c94694f4d15190fd170f35d91b2e6cb0ba
 ADD kyverno /kyverno
 RUN apk add --no-cache ca-certificates
 USER 10001

diff --git a/scripts/create-e2e-infrastruture.sh b/scripts/create-e2e-infrastruture.sh
@@ -21,7 +21,7 @@ fi
 pwd=$(pwd)
 cd "$pwd"/config
 echo "Installing kustomize"
-curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"  | bash
+curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/56d82a8378dfc8dc3b3b1085e5a6e67b82966bd7/hack/install_kustomize.sh"  | bash  # v4.5.7
 kustomize edit set image ghcr.io/kyverno/kyverno:"$hash"
 kustomize edit set image ghcr.io/kyverno/kyvernopre:"$hash"
 kustomize build "$pwd"/config/ -o "$pwd"/config/install.yaml