From e5f90c18e40102be51ded48e50fea03e52de9c2e Mon Sep 17 00:00:00 2001
From: Charles Sibbald <123247+casibbald@users.noreply.github.com>
Date: Wed, 11 Dec 2024 21:05:15 +0200
Subject: [PATCH] fix: test pinned dependencies (#4244)

* fix: test pinned dependencies
---
 dev.dockerfile                  | 2 +-
 gitops-bucket-server.dockerfile | 4 ++--
 gitops-server.dockerfile        | 6 +++---
 gitops.dockerfile               | 8 ++++----
 test/library/libtest.dockerfile | 2 +-
 website/Dockerfile              | 4 ++--
 6 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/dev.dockerfile b/dev.dockerfile
index 44bca093a9..467487bb80 100644
--- a/dev.dockerfile
+++ b/dev.dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu
+FROM ubuntu@sha256:80dd3c3b9c6cecb9f1667e9290b3bc61b78c2678c02cbdae5f0fea92cc6734ab
 RUN apt-get update && apt-get install -yq ca-certificates
 WORKDIR /app
 ADD bin build
diff --git a/gitops-bucket-server.dockerfile b/gitops-bucket-server.dockerfile
index 48cce07d01..d451af4965 100644
--- a/gitops-bucket-server.dockerfile
+++ b/gitops-bucket-server.dockerfile
@@ -1,5 +1,5 @@
 # Go build
-FROM golang:1.23 AS go-build
+FROM golang:1.23@sha256:574185e5c6b9d09873f455a7c205ea0514bfd99738c5dc7750196403a44ed4b7 AS go-build
 
 # Add known_hosts entries for GitHub and GitLab
 RUN mkdir ~/.ssh
@@ -24,7 +24,7 @@ ARG LDFLAGS="-X localbuild=true"
 RUN --mount=type=cache,target=/root/.cache/go-build LDFLAGS=${LDFLAGS##-X localbuild=true} GIT_COMMIT=$GIT_COMMIT make gitops-bucket-server
 
 #  Distroless
-FROM gcr.io/distroless/base AS runtime
+FROM gcr.io/distroless/base@sha256:e9d0321de8927f69ce20e39bfc061343cce395996dfc1f0db6540e5145bc63a5 AS runtime
 COPY --from=go-build /app/bin/gitops-bucket-server /gitops-bucket-server
 COPY --from=go-build /root/.ssh/known_hosts /root/.ssh/known_hosts
 
diff --git a/gitops-server.dockerfile b/gitops-server.dockerfile
index 69297f2505..3b2d877b23 100644
--- a/gitops-server.dockerfile
+++ b/gitops-server.dockerfile
@@ -1,5 +1,5 @@
 # UI build
-FROM node:16-bullseye AS ui
+FROM node:16-bullseye@sha256:cd59a61258b82b86c1ff0ead50c8a689f6c3483c5ed21036e11ee741add419eb AS ui
 RUN apt-get update -y && apt-get install -y build-essential
 RUN mkdir -p /home/app && chown -R node:node /home/app
 WORKDIR /home/app
@@ -15,7 +15,7 @@ COPY --chown=node:node ui /home/app/ui
 RUN --mount=type=cache,target=/home/app/ui/.parcel-cache make ui
 
 # Go build
-FROM golang:1.23 AS go-build
+FROM golang:1.23@sha256:574185e5c6b9d09873f455a7c205ea0514bfd99738c5dc7750196403a44ed4b7 AS go-build
 
 # Add known_hosts entries for GitHub and GitLab
 RUN mkdir ~/.ssh
@@ -40,7 +40,7 @@ ARG LDFLAGS="-X localbuild=true"
 RUN --mount=type=cache,target=/root/.cache/go-build LDFLAGS=${LDFLAGS##-X localbuild=true} GIT_COMMIT=$GIT_COMMIT make gitops-server
 
 #  Distroless
-FROM gcr.io/distroless/base AS runtime
+FROM gcr.io/distroless/base@sha256:e9d0321de8927f69ce20e39bfc061343cce395996dfc1f0db6540e5145bc63a5 AS runtime
 COPY --from=ui /home/app/bin/dist/ /dist/
 COPY --from=go-build /app/bin/gitops-server /gitops-server
 COPY --from=go-build /root/.ssh/known_hosts /root/.ssh/known_hosts
diff --git a/gitops.dockerfile b/gitops.dockerfile
index a8d551efb8..ea7533d570 100644
--- a/gitops.dockerfile
+++ b/gitops.dockerfile
@@ -1,11 +1,11 @@
-ARG FLUX_VERSION=2.3.0
+ARG FLUX_VERSION=2.4.0
 ARG FLUX_CLI=ghcr.io/fluxcd/flux-cli:v$FLUX_VERSION
 
 # Alias for flux
-FROM $FLUX_CLI AS flux
+FROM $FLUX_CLI@sha256:a9cb966cddc1a0c56dc0d57dda485d9477dd397f8b45f222717b24663471fd1f AS flux
 
 # Go build
-FROM golang:1.23 AS go-build
+FROM golang:1.23@sha256:574185e5c6b9d09873f455a7c205ea0514bfd99738c5dc7750196403a44ed4b7 AS go-build
 
 # Add known_hosts entries for GitHub and GitLab
 RUN mkdir ~/.ssh
@@ -28,7 +28,7 @@ ARG GIT_COMMIT="_unset_"
 RUN LDFLAGS=$LDFLAGS GIT_COMMIT=$GIT_COMMIT make gitops
 
 # Distroless
-FROM gcr.io/distroless/base AS runtime
+FROM gcr.io/distroless/base@sha256:e9d0321de8927f69ce20e39bfc061343cce395996dfc1f0db6540e5145bc63a5 AS runtime
 COPY --from=flux /usr/local/bin/flux /usr/local/bin/flux
 COPY --from=go-build /app/bin/gitops /gitops
 COPY --from=go-build /root/.ssh/known_hosts /root/.ssh/known_hosts
diff --git a/test/library/libtest.dockerfile b/test/library/libtest.dockerfile
index 9106b1de61..bb6a8aaacc 100644
--- a/test/library/libtest.dockerfile
+++ b/test/library/libtest.dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.20
+FROM golang:1.23@sha256:574185e5c6b9d09873f455a7c205ea0514bfd99738c5dc7750196403a44ed4b7
 RUN apt-get update
 RUN apt-get -y install curl gnupg
 RUN curl -sL https://deb.nodesource.com/setup_14.x  | bash -
diff --git a/website/Dockerfile b/website/Dockerfile
index 132b890126..a966f995a6 100644
--- a/website/Dockerfile
+++ b/website/Dockerfile
@@ -1,6 +1,6 @@
 ## Base ########################################################################
 # Use a larger node image to do the build for native deps (e.g., gcc, python)
-FROM node:lts AS base
+FROM node:lts@sha256:35a5dd72bcac4bce43266408b58a02be6ff0b6098ffa6f5435aeea980a8951d7 AS base
 
 # Reduce npm log spam and colour during install within Docker
 ENV NPM_CONFIG_LOGLEVEL=warn
@@ -15,7 +15,7 @@ COPY --chown=node:node ./yarn.lock /home/node/app/
 
 ## Development #################################################################
 # Define a development target that installs devDeps and runs in dev mode
-FROM base AS development
+FROM base@sha256:35a5dd72bcac4bce43266408b58a02be6ff0b6098ffa6f5435aeea980a8951d7 AS development
 WORKDIR /home/node/app
 # Install (not ci) with dependencies, and for Linux vs. Linux Musl (which we use for -alpine)
 RUN npm install