From 501c9e1e06e6645fbe762764a77bac36d216f614 Mon Sep 17 00:00:00 2001
From: Alan Greene
Date: Thu, 26 Sep 2024 14:29:31 +0100
Subject: [PATCH] Pin images used in the release pipeline
---
 tekton/build-publish-images-manifests.yaml | 8 ++++----
 tekton/operator-release-pipeline.yaml | 2 +-
 tekton/task-fetch-components.yaml | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/tekton/build-publish-images-manifests.yaml b/tekton/build-publish-images-manifests.yaml
index 480341dcb5..5913f18104 100644
--- a/tekton/build-publish-images-manifests.yaml
+++ b/tekton/build-publish-images-manifests.yaml
@@ -65,7 +65,7 @@ spec:
 steps: - name: container-registy-auth
- image: gcr.io/go-containerregistry/crane:debug
+ image: gcr.io/go-containerregistry/crane:debug@sha256:ff0e08eeae8097d28b2381c7f7123bf542757abc68d11bff58fb882b72843785
 script: | #!/busybox/sh set -ex
@@ -84,7 +84,7 @@ spec:
 cp ${DOCKER_CONFIG} /workspace/docker-config.json - name: run-kustomize-ko
- image: gcr.io/tekton-releases/dogfooding/ko-gcloud:latest
+ image: gcr.io/tekton-releases/dogfooding/ko-gcloud:v20240920-6c2a999d36@sha256:1756ca55a09b360028695792e638a7cc366292d7aef44c926a8cb765085664c8
 env: - name: KO_DOCKER_REPO value: $(params.imageRegistry)/$(params.imageRegistryPath)
@@ -134,7 +134,7 @@ spec:
 kustomize build ${PROJECT_ROOT}/config/${KUBE_DISTRO}/overlays/default | ko resolve --platform=$(params.platforms) --preserve-import-paths -f - > $OUTPUT_RELEASE_DIR/${FILENAME_PREFIX}release.notags.yaml - name: koparse
- image: gcr.io/tekton-releases/dogfooding/koparse:latest
+ image: gcr.io/tekton-releases/dogfooding/koparse:v20240910-ec3cf3c749@sha256:5e8a522fc1e587fc00b69a6d73e0bfdf7a29ca143537a5542eb224680d2dbf2f
 script: | set -ex
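Review bot: The pinned `crane:debug@sha256:…` line in the `container-registy-auth` step keeps the floating `debug` tag beside the digest, and with a digest present the tag no longer selects anything, so nothing on the line tells a later reader which crane release was pinned or when. A comment above the image line would record that, for example `# crane :debug resolved on <date>; bump this digest together with the tag-images step`. The same digest is repeated in the `tag-images` hunk of this file, so the two lines have to be updated as a pair. The other pins in this commit carry a versioned tag and read better for that reason.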
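Review bot: The `run-kustomize-ko` script line shown as context above the `koparse` step still splices `$(params.platforms)` directly into shell text, and Tekton substitutes parameters before the shell parses the script, so a value containing shell metacharacters would be interpreted as commands rather than data. The step already has an `env:` list (it sets `KO_DOCKER_REPO` there), so adding `- name: PLATFORMS` with `value: $(params.platforms)` and calling `ko resolve --platform="${PLATFORMS}"` keeps the value as data. The same pattern appears in the `create-results` hunk of tekton/operator-release-pipeline.yaml, where `$(params.releaseBucket)` and `$(params.versionTag)` are expanded inside `BASE_URL=$(echo "…")`. Both scripts start or continue outside their hunks, so other uses may exist that are not visible here.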
@@ -151,7 +151,7 @@ spec:
 --base ${IMAGES_PATH} --images ${IMAGES} > /workspace/built_images - name: tag-images
- image: gcr.io/go-containerregistry/crane:debug
+ image: gcr.io/go-containerregistry/crane:debug@sha256:ff0e08eeae8097d28b2381c7f7123bf542757abc68d11bff58fb882b72843785
 script: | #!/busybox/sh set -ex
diff --git a/tekton/operator-release-pipeline.yaml b/tekton/operator-release-pipeline.yaml
index 101287e900..f594a0c276 100644
--- a/tekton/operator-release-pipeline.yaml
+++ b/tekton/operator-release-pipeline.yaml
@@ -259,7 +259,7 @@ spec:
 description: The full URL of the release file (no tag, platform - OpenShift) in the bucket steps: - name: create-results
- image: alpine
+ image: docker.io/library/alpine:3.20.3@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d
 script: | BASE_URL=$(echo "$(params.releaseBucket)/previous/$(params.versionTag)") # If the bucket is in the gs:// return the corresponding public https URL
diff --git a/tekton/task-fetch-components.yaml b/tekton/task-fetch-components.yaml
index eb2ffe7a99..dae0b6447a 100644
--- a/tekton/task-fetch-components.yaml
+++ b/tekton/task-fetch-components.yaml
@@ -14,7 +14,7 @@ spec:
 description: Target platform for for which the payload is going to be used default: "kubernetes openshift" steps:
- - image: docker.io/library/golang:1.22
+ - image: docker.io/library/golang:1.22@sha256:4594271250150c1a322ed749abfd218e1a8c6eb1ade90872e325a664412e2037
 name: fetch-components workingDir: /go/src/github.com/tektoncd/operator script: |
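Review bot: Pinning `golang:1.22` by digest in the `fetch-components` step also freezes the Go patch release, so toolchain security fixes that used to arrive through the moving `1.22` tag now need a deliberate digest bump. None of the three files touched here sets up a way to refresh the pins, though the repository may already handle that elsewhere. If it does not, a comment such as `# digest pinned for reproducible releases; refresh on each Go 1.22.x patch release` or an automated digest updater would keep the pin from going stale. It is also worth confirming that the digest is the multi-platform index rather than a single-architecture manifest, which the diff alone cannot show. The step's script continues outside the hunk.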