diff --git a/.github/workflows/image-arm.yaml b/.github/workflows/image-arm.yaml index 650a0d2e2..9668e901a 100644 --- a/.github/workflows/image-arm.yaml +++ b/.github/workflows/image-arm.yaml @@ -17,7 +17,7 @@ jobs: outputs: matrix: ${{ steps.set-matrix.outputs.matrix }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - run: | git fetch --prune --unshallow - id: set-matrix @@ -36,7 +36,7 @@ jobs: outputs: matrix: ${{ steps.set-matrix.outputs.matrix }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - run: | @@ -49,7 +49,7 @@ jobs: id: buildx uses: docker/setup-buildx-action@master - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 + uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 with: repository: quay.io/kairos/packages packages: utils/earthly @@ -84,7 +84,7 @@ jobs: build-nvidia-base: runs-on: fast steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - name: Check if cache image is available @@ -97,13 +97,13 @@ jobs: fi - name: Get changed files id: changed-files - uses: tj-actions/changed-files@v44 + uses: tj-actions/changed-files@cc733854b1f224978ef800d29e4709d5ee2883e4 # v44 with: files_yaml: | nvidia: - 'images/Dockerfile.nvidia' - name: Install kairos-agent (for versioneer) - uses: Luet-lab/luet-install-action@v1.1 + uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 with: repository: quay.io/kairos/packages packages: system/kairos-agent @@ -212,7 +212,7 @@ jobs: - build-arm-core - image_and_iso_arm64_generic steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - run: | git fetch --prune --unshallow - name: save commit-message 
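Review bot: In the first hunk of image-arm.yaml (`@@ -17,7 +17,7 @@`) the trailing comment on the pinned line records only the floating major tag (`# v4`), so the file no longer says which release the SHA corresponds to. The same applies to every `# v4`, `# v3` and `# v5` comment in this commit. I would record the exact release the SHA was resolved from, for example `uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # vX.Y.Z` with the real tag filled in. That lets a reviewer check the pin against the upstream tag, and it gives update tooling a precise version to bump.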
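Review bot: In the `@@ -49,7 +49,7 @@` hunk of image-arm.yaml the context line `uses: docker/setup-buildx-action@master` still tracks a branch head, one step above the newly pinned luet-install-action. A branch ref is more mutable than the tags this commit replaces, so the job still runs whatever that branch points to at run time. The same ref appears in release-arm.yaml (`@@ -223,7`) and reusable-docker-arm-build.yaml (`@@ -99,7`), and `sigstore/cosign-installer@main` is left in release-arm.yaml (`@@ -215,7`, `@@ -315,7`) and reusable-docker-arm-build.yaml (`@@ -90,7`). If moving to the v3 release is acceptable, the form already used elsewhere in this commit would do: `uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3`. cosign-installer needs a SHA resolved from a tagged release in the same way.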
@@ -220,7 +220,7 @@ jobs: run: echo "COMMIT_MSG=$(git log -1 --pretty=format:%s)" >> $GITHUB_ENV - name: notify if failure if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} && failure() - uses: slackapi/slack-github-action@v1.26.0 + uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0 env: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml index 41ee4e9d6..906c99ce0 100644 --- a/.github/workflows/image.yaml +++ b/.github/workflows/image.yaml @@ -18,7 +18,7 @@ jobs: outputs: matrix: ${{ steps.set-matrix.outputs.matrix }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - run: | git fetch --prune --unshallow sudo apt update && sudo apt install -y jq @@ -364,7 +364,7 @@ jobs: - various - standard-upgrade-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - run: | git fetch --prune --unshallow - name: save commit-message @@ -372,7 +372,7 @@ jobs: run: echo "COMMIT_MSG=$(git log -1 --pretty=format:%s)" >> $GITHUB_ENV - name: notify if failure if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} && failure() - uses: slackapi/slack-github-action@v1.26.0 + uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0 env: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index da5410511..b17f777d8 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml 
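Review bot: The condition on the step whose action is pinned in `@@ -220,7 +220,7 @@` (image-arm.yaml) and again in `@@ -372,7 +372,7 @@` (image.yaml) mixes a `${{ }}` expression with trailing text: `if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} && failure()`. As far as I can tell, GitHub Actions interpolates this into a non-empty string rather than evaluating one boolean, so the Slack step, which receives `secrets.SLACK_WEBHOOK_URL`, may run regardless of branch or job status; this is worth confirming on a run. Writing the whole condition as a single expression avoids the ambiguity: `if: github.event_name == 'push' && github.ref == 'refs/heads/master' && failure()`. The step's `env:` block continues past the end of the hunk.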
@@ -10,7 +10,7 @@ env: FORCE_COLOR: 1 jobs: call-workflow: - uses: kairos-io/linting-composite-action/.github/workflows/reusable-linting.yaml@v0.0.8 + uses: kairos-io/linting-composite-action/.github/workflows/reusable-linting.yaml@46a1d906df5eb4706008e8f063038ba4746aefb6 # v0.0.8 with: yamldirs: ".github/workflows/" is-go: false diff --git a/.github/workflows/release-arm.yaml b/.github/workflows/release-arm.yaml index e3bd76efc..0565f05a1 100644 --- a/.github/workflows/release-arm.yaml +++ b/.github/workflows/release-arm.yaml @@ -9,7 +9,7 @@ jobs: outputs: matrix: ${{ steps.set-matrix.outputs.matrix }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - id: set-matrix @@ -28,13 +28,13 @@ jobs: outputs: matrix: ${{ steps.set-matrix.outputs.matrix }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - run: | sudo apt update && sudo apt install -y jq - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 + uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 with: repository: quay.io/kairos/packages packages: utils/earthly @@ -76,11 +76,11 @@ jobs: build-nvidia-base: runs-on: fast steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - name: Install kairos-agent (for versioneer) - uses: Luet-lab/luet-install-action@v1.1 + uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 with: repository: quay.io/kairos/packages packages: system/kairos-agent @@ -205,7 +205,7 @@ jobs: echo sudo rm -rfv build || true df -h - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - name: Set up QEMU 
@@ -215,7 +215,7 @@ jobs: - name: Install Cosign uses: sigstore/cosign-installer@main - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 + uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 with: repository: quay.io/kairos/packages packages: utils/earthly @@ -223,7 +223,7 @@ jobs: id: buildx uses: docker/setup-buildx-action@master - name: Login to DockerHub - uses: docker/login-action@v3 + uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} @@ -271,7 +271,7 @@ jobs: sudo rm -rf build/IMAGE - name: Release - uses: softprops/action-gh-release@v2.0.6 + uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6 if: startsWith(github.ref, 'refs/tags/') with: files: | @@ -281,7 +281,7 @@ jobs: mkdir sarif sudo mv build/*.sarif sarif/ - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3 if: startsWith(github.ref, 'refs/tags/') with: sarif_file: 'sarif' @@ -305,7 +305,7 @@ jobs: sudo apt-get update sudo apt-get install -y \ curl - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - name: Set up QEMU @@ -315,7 +315,7 @@ jobs: - name: Install Cosign uses: sigstore/cosign-installer@main - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 + uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 with: repository: quay.io/kairos/packages packages: utils/earthly @@ -329,7 +329,7 @@ jobs: run: | df -h - name: Login to DockerHub - uses: docker/login-action@v3 + uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} 
@@ -372,7 +372,7 @@ jobs: sudo -E docker push "$IMAGE" sudo rm -rf build/IMAGE - name: Release - uses: softprops/action-gh-release@v2.0.6 + uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6 if: startsWith(github.ref, 'refs/tags/') with: files: | @@ -383,7 +383,7 @@ jobs: sudo mv build/*.sarif sarif/ - name: Upload Trivy scan results to GitHub Security tab if: startsWith(github.ref, 'refs/tags/') - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3 with: sarif_file: 'sarif' category: ${{ matrix.flavor }} @@ -409,11 +409,11 @@ jobs: model: generic variant: standard steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 + uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 with: repository: quay.io/kairos/packages packages: utils/earthly @@ -423,7 +423,7 @@ jobs: platforms: all - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3 - name: Login to Quay Registry run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io - name: Build iso 🔧 @@ -446,7 +446,7 @@ jobs: run: | docker push $(cat release/IMAGE) - name: Release - uses: softprops/action-gh-release@v2.0.6 + uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6 if: startsWith(github.ref, 'refs/tags/') with: files: | diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index c84cf6364..00360c075 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
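Review bot: In the `@@ -423,7 +423,7 @@` hunk of release-arm.yaml the context step `run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io` expands the secrets into the script text before the shell parses it, unquoted. A password containing shell metacharacters or whitespace would be reinterpreted or truncated, and the value becomes part of the generated script rather than staying in the environment. The same line appears in release.yaml (`@@ -154,7`, `@@ -285,7`), reusable-build-flavor.yaml (`@@ -94,7`) and reusable-image-and-iso-arm-generic.yaml (`@@ -39,7`). I would map both secrets in the step's `env:` and use `run: echo "$QUAY_PASSWORD" | docker login -u "$QUAY_USERNAME" --password-stdin quay.io`, or reuse the `docker/login-action` pin this commit already adds in other jobs of the same file.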
@@ -12,7 +12,7 @@ jobs: outputs: matrix: ${{ steps.set-matrix.outputs.matrix }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - run: | @@ -31,7 +31,7 @@ jobs: outputs: matrix: ${{ steps.set-matrix.outputs.matrix }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - run: | @@ -52,13 +52,13 @@ jobs: outputs: matrix: ${{ steps.set-matrix.outputs.matrix }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - run: | sudo apt update && sudo apt install -y jq wget - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 + uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 with: repository: quay.io/kairos/packages packages: utils/earthly @@ -104,7 +104,7 @@ jobs: fail-fast: false matrix: ${{ fromJson(needs.get-core-matrix.outputs.matrix) }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - name: Install Cosign @@ -154,7 +154,7 @@ jobs: - name: Login to Quay Registry run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 + uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 with: repository: quay.io/kairos/packages packages: utils/earthly 
@@ -203,13 +203,13 @@ jobs: cd .. rm release/IMAGE release/VERSION release/versions.yaml - name: Release - uses: softprops/action-gh-release@v2.0.6 + uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6 if: startsWith(github.ref, 'refs/tags/') with: files: | release/* - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3 if: startsWith(github.ref, 'refs/tags/') with: sarif_file: 'sarif' @@ -266,7 +266,7 @@ jobs: echo sudo rm -rfv build || true df -h - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - run: | git fetch --prune --unshallow - name: Release space from worker @@ -285,7 +285,7 @@ jobs: - name: Login to Quay Registry run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 + uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 with: repository: quay.io/kairos/packages packages: utils/earthly @@ -306,7 +306,7 @@ jobs: sudo mv build/* . sudo rm -rf build - name: Install kairos-agent (for versioneer) - uses: Luet-lab/luet-install-action@v1.1 + uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 with: repository: quay.io/kairos/packages packages: system/kairos-agent @@ -326,7 +326,7 @@ jobs: --BASE_IMAGE=quay.io/kairos/${{ matrix.flavor }}:${{ matrix.flavorRelease }}-${{ matrix.variant }}-${{ matrix.arch }}-${{ matrix.model }}-${{ github.ref_name }}-uki \ --ENKI_CREATE_CI_KEYS=true - name: Release - uses: softprops/action-gh-release@v2.0.6 + uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6 if: startsWith(github.ref, 'refs/tags/') with: files: | 
@@ -345,7 +345,7 @@ jobs: fail-fast: false matrix: ${{ fromJson(needs.get-standard-matrix.outputs.matrix) }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - name: Install Cosign @@ -391,7 +391,7 @@ jobs: sudo rm -rfv build || true df -h - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 + uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 with: repository: quay.io/kairos/packages packages: utils/earthly @@ -430,7 +430,7 @@ jobs: cd .. sudo rm -rf release/VERSION release/IMAGE release/versions.yaml - name: Release - uses: softprops/action-gh-release@v2.0.6 + uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6 if: startsWith(github.ref, 'refs/tags/') with: files: | diff --git a/.github/workflows/reusable-build-flavor.yaml b/.github/workflows/reusable-build-flavor.yaml index f814b5753..7d1aebe17 100644 --- a/.github/workflows/reusable-build-flavor.yaml +++ b/.github/workflows/reusable-build-flavor.yaml @@ -74,7 +74,7 @@ jobs: echo sudo rm -rfv build || true df -h - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - run: | git fetch --prune --unshallow - name: Release space from worker @@ -94,7 +94,7 @@ jobs: if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 + uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 with: repository: quay.io/kairos/packages packages: utils/earthly 
@@ -116,7 +116,7 @@ jobs: sudo mv build/* . sudo rm -rf build - name: Install kairos-agent (for versioneer) - uses: Luet-lab/luet-install-action@v1.1 + uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 with: repository: quay.io/kairos/packages packages: system/kairos-agent @@ -138,11 +138,11 @@ jobs: mv *.sarif sarif/ - name: Upload Trivy scan results to GitHub Security tab if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3 with: sarif_file: 'sarif' category: ${{ inputs.flavor }}-${{ inputs.flavor_release }} - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip path: | @@ -150,7 +150,7 @@ jobs: *.sha256 versions.yaml if-no-files-found: error - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.sbom.zip diff --git a/.github/workflows/reusable-build-provider.yaml b/.github/workflows/reusable-build-provider.yaml index 74d13b00c..8dbeb5a2a 100644 --- a/.github/workflows/reusable-build-provider.yaml +++ b/.github/workflows/reusable-build-provider.yaml @@ -74,11 +74,11 @@ jobs: echo sudo rm -rfv build || true df -h - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - run: | git fetch --prune --unshallow - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 + uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 with: repository: quay.io/kairos/packages packages: utils/earthly 
@@ -105,7 +105,7 @@ jobs: sudo mv build/* . sudo rm -rf build - name: Install kairos-agent (for versioneer) - uses: Luet-lab/luet-install-action@v1.1 + uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 with: repository: quay.io/kairos/packages packages: system/kairos-agent @@ -127,7 +127,7 @@ jobs: sudo mv build/* . sudo rm -rf build - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}-provider.iso.zip path: | diff --git a/.github/workflows/reusable-custom-partitioning-test.yaml b/.github/workflows/reusable-custom-partitioning-test.yaml index 9220d31eb..352dd6524 100644 --- a/.github/workflows/reusable-custom-partitioning-test.yaml +++ b/.github/workflows/reusable-custom-partitioning-test.yaml @@ -20,11 +20,11 @@ jobs: security-events: write steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5 with: go-version-file: tests/go.mod cache-dependency-path: tests/go.sum @@ -38,12 +38,12 @@ jobs: sudo apt-get install -y libvirt-clients libvirt-daemon-system libvirt-daemon virtinst bridge-utils qemu qemu-system-x86 qemu-system-x86 qemu-utils qemu-kvm acl udev sudo setfacl -m u:runner:rwx /dev/kvm - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 + uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 with: repository: quay.io/kairos/packages packages: utils/earthly - name: Download artifacts - uses: actions/download-artifact@v4.1.7 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release}}.iso.zip - name: Run tests 
@@ -59,7 +59,7 @@ jobs: echo "ISO is: $ISO" cp tests/go.* . go run github.com/onsi/ginkgo/v2/ginkgo -v --label-filter "custom-partitioning" --fail-fast -r ./tests/ - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: failure() with: name: ${{ inputs.flavor }}-${{ inputs.flavor_release }}-${{ inputs.label }}-test.logs.zip diff --git a/.github/workflows/reusable-docker-arm-build.yaml b/.github/workflows/reusable-docker-arm-build.yaml index d2c13fb15..b3a61f967 100644 --- a/.github/workflows/reusable-docker-arm-build.yaml +++ b/.github/workflows/reusable-docker-arm-build.yaml @@ -80,7 +80,7 @@ jobs: run: | sudo iptables -I INPUT -s 169.254.169.254 -j DROP sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - name: Set up QEMU @@ -90,7 +90,7 @@ jobs: - name: Install Cosign uses: sigstore/cosign-installer@main - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 + uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 with: repository: quay.io/kairos/packages packages: utils/earthly @@ -99,7 +99,7 @@ jobs: uses: docker/setup-buildx-action@master - name: Login to Quay Registry if: ${{ github.event_name == 'push' && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v')) }} - uses: docker/login-action@v3 + uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} 
@@ -133,7 +133,7 @@ jobs: filename=$(ls *-grype.json | head -n 1) && filename=${filename%%-grype.json} sudo tar cvf "${filename}-sbom-scan-reports.tar.gz" *.json - name: Install kairos-agent (for versioneer) - uses: Luet-lab/luet-install-action@v1.1 + uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 with: repository: quay.io/kairos/packages packages: system/kairos-agent @@ -170,7 +170,7 @@ jobs: sudo rm -rf build/IMAGE - name: Release if: startsWith(github.ref, 'refs/tags/v') - uses: softprops/action-gh-release@v2.0.6 + uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6 with: files: | build/*scan-reports.tar.gz @@ -180,7 +180,7 @@ jobs: mkdir sarif sudo mv build/*.sarif sarif/ - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3 if: startsWith(github.ref, 'refs/tags/v') with: sarif_file: 'sarif' @@ -191,14 +191,14 @@ jobs: mkdir sarif sudo mv build/*.sarif sarif/ - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3 if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} with: sarif_file: 'sarif' category: ${{ inputs.flavor }} - name: Upload results if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' && inputs.model != 'nvidia-jetson-agx-orin' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 with: name: ${{ inputs.flavor }}-${{ inputs.flavor_release }}-arm-${{ inputs.model }} path: build diff --git a/.github/workflows/reusable-encryption-test.yaml b/.github/workflows/reusable-encryption-test.yaml index cfaa618df..6b118f1f4 100644 --- a/.github/workflows/reusable-encryption-test.yaml 
+++ b/.github/workflows/reusable-encryption-test.yaml @@ -61,11 +61,11 @@ jobs: sudo rm -rfv build || true df -h - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5 with: go-version-file: tests/go.mod cache-dependency-path: tests/go.sum @@ -83,7 +83,7 @@ jobs: LUET_NOLOCK=true sudo -E luet install -y container/kubectl utils/k3d utils/earthly - name: Download ISO id: iso - uses: actions/download-artifact@v4.1.7 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip - name: Display structure of downloaded files diff --git a/.github/workflows/reusable-image-and-iso-arm-generic.yaml b/.github/workflows/reusable-image-and-iso-arm-generic.yaml index 03d3d878d..c320c00fc 100644 --- a/.github/workflows/reusable-image-and-iso-arm-generic.yaml +++ b/.github/workflows/reusable-image-and-iso-arm-generic.yaml @@ -23,11 +23,11 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} - name: Install earthly if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} - uses: Luet-lab/luet-install-action@v1.1 + uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 with: repository: quay.io/kairos/packages packages: utils/earthly 
@@ -39,7 +39,7 @@ jobs: - name: Set up Docker Buildx if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} id: buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3 - name: Login to Quay Registry if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io @@ -65,7 +65,7 @@ jobs: export _NEW_IMG=$(echo $_IMG | cut -f1 -d:):latest docker tag $_IMG $_NEW_IMG docker push $_NEW_IMG - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}-arm64.iso.zip diff --git a/.github/workflows/reusable-install-test.yaml b/.github/workflows/reusable-install-test.yaml index d20abc658..626b543a6 100644 --- a/.github/workflows/reusable-install-test.yaml +++ b/.github/workflows/reusable-install-test.yaml @@ -17,16 +17,16 @@ jobs: test: runs-on: kvm steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - run: | git fetch --prune --unshallow - name: Download ISO id: iso - uses: actions/download-artifact@v4.1.7 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release}}.iso.zip - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5 with: go-version-file: tests/go.mod cache-dependency-path: tests/go.sum 
@@ -66,7 +66,7 @@ jobs: echo "ISO is: $ISO" cp tests/go.* . go run github.com/onsi/ginkgo/v2/ginkgo -v --label-filter "install-test" --fail-fast -r ./tests - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: failure() with: name: ${{ inputs.flavor }}.logs.zip diff --git a/.github/workflows/reusable-provider-tests.yaml b/.github/workflows/reusable-provider-tests.yaml index ca9981cdd..3340b6107 100644 --- a/.github/workflows/reusable-provider-tests.yaml +++ b/.github/workflows/reusable-provider-tests.yaml @@ -23,11 +23,11 @@ jobs: security-events: write steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5 with: go-version-file: tests/go.mod cache-dependency-path: tests/go.sum @@ -50,12 +50,12 @@ jobs: # https://askubuntu.com/a/1081326 sudo setfacl -m u:runner:rwx /dev/kvm - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 + uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 with: repository: quay.io/kairos/packages packages: utils/earthly - name: Download artifacts - uses: actions/download-artifact@v4.1.7 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}-provider.iso.zip - name: Run tests @@ -72,7 +72,7 @@ jobs: echo "ISO is: $ISO" cp tests/go.* . go run github.com/onsi/ginkgo/v2/ginkgo -v --label-filter "${{ inputs.label }}" --fail-fast -r ./tests/ - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: failure() with: name: ${{ inputs.flavor }}-${{ inputs.flavor_release }}-${{ inputs.label }}-provider-test.logs.zip 
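Review bot: In the `@@ -72,7 +72,7 @@` hunk of reusable-provider-tests.yaml the context line `go run github.com/onsi/ginkgo/v2/ginkgo -v --label-filter "${{ inputs.label }}" --fail-fast -r ./tests/` substitutes a workflow input into the script text, so a value containing a double quote or `$(...)` would be parsed as shell. The callers are presumably workflows in this repository, which limits exposure, but the reusable workflow does not enforce that itself. Passing the input through the environment keeps it as data: add `LABEL: ${{ inputs.label }}` under the step's `env:` and use `--label-filter "$LABEL"`. The `run:` block starts above the hunk.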
diff --git a/.github/workflows/reusable-provider-upgrade-latest-test.yaml b/.github/workflows/reusable-provider-upgrade-latest-test.yaml index aab5e2666..3fb7bcbfd 100644 --- a/.github/workflows/reusable-provider-upgrade-latest-test.yaml +++ b/.github/workflows/reusable-provider-upgrade-latest-test.yaml @@ -24,11 +24,11 @@ jobs: MATCHER: ${{ inputs.release_matcher || inputs.flavor_release }} steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5 with: go-version-file: tests/go.mod cache-dependency-path: tests/go.sum @@ -51,13 +51,13 @@ jobs: # https://askubuntu.com/a/1081326 sudo setfacl -m u:runner:rwx /dev/kvm - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 + uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 with: repository: quay.io/kairos/packages packages: utils/earthly - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Download artifacts - uses: robinraju/release-downloader@v1.10 + uses: robinraju/release-downloader@c39a3b234af58f0cf85888573d361fb6fa281534 # v1.10 with: latest: true repository: "kairos-io/kairos" diff --git a/.github/workflows/reusable-qemu-acceptance-test.yaml b/.github/workflows/reusable-qemu-acceptance-test.yaml index ddc4e2e50..a598e627f 100644 --- a/.github/workflows/reusable-qemu-acceptance-test.yaml +++ b/.github/workflows/reusable-qemu-acceptance-test.yaml 
@@ -57,18 +57,18 @@ jobs: echo sudo rm -rfv build || true df -h - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - run: | git fetch --prune --unshallow - name: Download ISO id: iso - uses: actions/download-artifact@v4.1.7 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip - name: Display structure of downloaded files run: ls -las . - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 + uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 with: repository: quay.io/kairos/packages packages: utils/earthly diff --git a/.github/workflows/reusable-qemu-bundles-test.yaml b/.github/workflows/reusable-qemu-bundles-test.yaml index cdb085fb3..797a36eda 100644 --- a/.github/workflows/reusable-qemu-bundles-test.yaml +++ b/.github/workflows/reusable-qemu-bundles-test.yaml @@ -14,18 +14,18 @@ jobs: test: runs-on: kvm steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - run: | git fetch --prune --unshallow - name: Download ISO id: iso - uses: actions/download-artifact@v4.1.7 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip - name: Display structure of downloaded files run: ls -las . - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 + uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 with: repository: quay.io/kairos/packages packages: utils/earthly diff --git a/.github/workflows/reusable-qemu-netboot-test.yaml b/.github/workflows/reusable-qemu-netboot-test.yaml index 00ccf8db4..b84d87722 100644 --- a/.github/workflows/reusable-qemu-netboot-test.yaml +++ b/.github/workflows/reusable-qemu-netboot-test.yaml 
@@ -66,11 +66,11 @@ jobs: echo sudo rm -rfv build || true df -h - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - run: | git fetch --prune --unshallow - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 + uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 with: repository: quay.io/kairos/packages packages: utils/earthly diff --git a/.github/workflows/reusable-qemu-reset-test.yaml b/.github/workflows/reusable-qemu-reset-test.yaml index 40709f625..7e4e868c7 100644 --- a/.github/workflows/reusable-qemu-reset-test.yaml +++ b/.github/workflows/reusable-qemu-reset-test.yaml @@ -14,18 +14,18 @@ jobs: test: runs-on: kvm steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - run: | git fetch --prune --unshallow - name: Download ISO id: iso - uses: actions/download-artifact@v4.1.7 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip - name: Display structure of downloaded files run: ls -las . - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 + uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 with: repository: quay.io/kairos/packages packages: utils/earthly diff --git a/.github/workflows/reusable-uki-test.yaml b/.github/workflows/reusable-uki-test.yaml index 12ab0d47e..4762c59e9 100644 --- a/.github/workflows/reusable-uki-test.yaml +++ b/.github/workflows/reusable-uki-test.yaml 
@@ -28,9 +28,9 @@ jobs: FLAVOR: ${{ inputs.flavor }} FLAVOR_RELEASE: ${{ inputs.flavor_release }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5 with: go-version-file: tests/go.mod cache-dependency-path: tests/go.sum
@@ -48,7 +48,7 @@ jobs: # https://askubuntu.com/a/1081326 sudo setfacl -m u:runner:rwx /dev/kvm - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 + uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 with: repository: quay.io/kairos/packages packages: utils/earthly
@@ -92,7 +92,7 @@ jobs: go run github.com/onsi/ginkgo/v2/ginkgo -v --label-filter "uki" --fail-fast -r ./tests/ - name: Install kairos-agent (for versioneer) if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' && inputs.flavor == 'ubuntu' }} - uses: Luet-lab/luet-install-action@v1.1 + uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 with: repository: quay.io/kairos/packages packages: system/kairos-agent
@@ -113,7 +113,7 @@ jobs: docker push "$IMAGE$SUFFIX" image_ref=$(docker image inspect --format='{{index .RepoDigests 0}}' "$IMAGE$SUFFIX") cosign sign $image_ref - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: failure() with: name: ${{ env.FLAVOR }}-${{ env.FLAVOR_RELEASE }}.logs.zip
diff --git a/.github/workflows/reusable-upgrade-latest-test.yaml b/.github/workflows/reusable-upgrade-latest-test.yaml
index 1d2a97ff2..3b93e1662 100644
--- a/.github/workflows/reusable-upgrade-latest-test.yaml
+++ b/.github/workflows/reusable-upgrade-latest-test.yaml
@@ -62,10 +62,10 @@ jobs: echo sudo rm -rfv build || true df -h - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - run: | git fetch --prune --unshallow - - uses: robinraju/release-downloader@v1.10 + - uses: robinraju/release-downloader@c39a3b234af58f0cf85888573d361fb6fa281534 # v1.10 with: # A flag to set the download target as latest release # The default value is 'false'
@@ -75,7 +75,7 @@ jobs: - name: Display structure of downloaded files run: ls -las . - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 + uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 with: repository: quay.io/kairos/packages packages: utils/earthly
@@ -90,7 +90,7 @@ jobs: earthly +run-qemu-test --PREBUILT_ISO=$ISO \ --CONTAINER_IMAGE=ttl.sh/kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}-${{ github.sha }}:24h \ --TEST_SUITE=upgrade-latest-with-cli - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: failure() with: name: ${{ inputs.flavor }}-${{ inputs.flavor_release }}-upgrade-test.logs.zip
diff --git a/.github/workflows/reusable-upgrade-with-cli-test.yaml b/.github/workflows/reusable-upgrade-with-cli-test.yaml
index f2265d099..f79f72c1a 100644
--- a/.github/workflows/reusable-upgrade-with-cli-test.yaml
+++ b/.github/workflows/reusable-upgrade-with-cli-test.yaml
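Review bot: In the `@@ -90,7` hunk the test still takes its image from `--CONTAINER_IMAGE=ttl.sh/kairos-…-${{ github.sha }}:24h`, a mutable tag on a registry that accepts anonymous pushes, with a name built from public values. The pinned actions around it therefore end up testing whatever that tag resolves to when the job runs. Passing the digest reported by the job that pushed the image, in the form `--CONTAINER_IMAGE=ttl.sh/kairos-…@sha256:DIGEST_FROM_BUILD_JOB`, would tie the test to the artifact that was actually built. The `run:` step starts above the hunk, so how the image is produced is not visible here; the `upgrade-with-cli` workflow has the same line.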
@@ -55,16 +55,16 @@ jobs: sudo rm -rfv build || true df -h - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 + uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 with: repository: quay.io/kairos/packages packages: utils/earthly - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - run: | git fetch --prune --unshallow - name: Download ISO id: iso - uses: actions/download-artifact@v4.1.7 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip - name: Display structure of downloaded files
@@ -78,7 +78,7 @@ jobs: --FLAVOR=${{ inputs.flavor }} \ --CONTAINER_IMAGE=ttl.sh/kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}-${{ github.sha }}:24h \ --TEST_SUITE=upgrade-with-cli - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 if: failure() with: name: ${{ inputs.flavor }}-${{ inputs.flavor_release }}-upgrade-test.logs.zip
diff --git a/.github/workflows/reusable-zfs-test.yaml b/.github/workflows/reusable-zfs-test.yaml
index 96bc60dfe..050fa0e8e 100644
--- a/.github/workflows/reusable-zfs-test.yaml
+++ b/.github/workflows/reusable-zfs-test.yaml
@@ -14,16 +14,16 @@ jobs: test: runs-on: kvm steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Download ISO id: iso - uses: actions/download-artifact@v4.1.7 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip - name: Display structure of downloaded files run: ls -R - name: Install earthly - uses: Luet-lab/luet-install-action@v1.1 + uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 with: repository: quay.io/kairos/packages packages: utils/earthly
diff --git a/examples/bundle/Dockerfile b/examples/bundle/Dockerfile
index ad75e613d..1b0901d7c 100644
--- a/examples/bundle/Dockerfile
+++ b/examples/bundle/Dockerfile
@@ -1,4 +1,4 @@ -FROM alpine as build +FROM alpine@sha256:b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0 as build # Install a binary RUN wget https://github.com/ipfs/kubo/releases/download/v0.15.0/kubo_v0.15.0_linux-amd64.tar.gz -O kubo.tar.gz
diff --git a/examples/byoi/fedora-fips/Dockerfile b/examples/byoi/fedora-fips/Dockerfile
index 4b94cdde1..406e237dc 100644
--- a/examples/byoi/fedora-fips/Dockerfile
+++ b/examples/byoi/fedora-fips/Dockerfile
@@ -1,8 +1,8 @@ -ARG BASE_IMAGE=fedora:36 +ARG BASE_IMAGE=fedora:36@sha256:64cd00a0e2b92d527c0a0954162a73e85f160e3a53c38325b51e87d6aab4e266 FROM $BASE_IMAGE as base # Generate os-release file -FROM quay.io/kairos/osbuilder-tools:latest as osbuilder +FROM quay.io/kairos/osbuilder-tools:latest@sha256:87f256550bd66675ea32ce3e1cd8389b15eb0142dd7459cfb038f47e9b5b305c as osbuilder RUN zypper install -y gettext && zypper clean RUN mkdir /workspace COPY --from=base /etc/os-release /workspace/os-release
@@ -76,7 +76,7 @@ RUN mkdir -p /run/lock && \ # Copy the os-release file to identify the OS COPY --from=osbuilder /workspace/os-release /etc/os-release -COPY --from=quay.io/kairos/framework:master_fips-systemd / / +COPY --from=quay.io/kairos/framework:master_fips-systemd@sha256:b4c475bba210cff0ba503ba15da67d463f2a93b470cb3432b4e2d755af25f64c / / # Copy the custom dracut config file COPY dracut.conf /etc/dracut.conf.d/kairos-fips.conf
diff --git a/examples/byoi/fedora/Dockerfile b/examples/byoi/fedora/Dockerfile
index 96b9d8ade..500e34c9d 100644
--- a/examples/byoi/fedora/Dockerfile
+++ b/examples/byoi/fedora/Dockerfile
@@ -1,4 +1,4 @@ -ARG BASE_IMAGE=fedora:36 +ARG BASE_IMAGE=fedora:36@sha256:64cd00a0e2b92d527c0a0954162a73e85f160e3a53c38325b51e87d6aab4e266 FROM $BASE_IMAGE
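Review bot: The base image in `examples/bundle/Dockerfile` is now pinned by digest, but the `RUN wget …/kubo_v0.15.0_linux-amd64.tar.gz -O kubo.tar.gz` line below it still accepts whatever the URL serves; no checksum step is visible in the hunk. Since this is presumably the binary the bundle ships, verify it before unpacking, e.g. `RUN echo "EXPECTED_SHA256_PLACEHOLDER  kubo.tar.gz" | sha256sum -c -`, with the value taken from the release's published checksums. The rest of the Dockerfile is outside the hunk, so a later check cannot be ruled out.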
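Review bot: In the `@@ -1,8` hunk of `examples/byoi/fedora-fips/Dockerfile` the digest is attached to the default of `ARG BASE_IMAGE`, so it only holds when the build does not pass `--build-arg BASE_IMAGE=…`; any caller that sets the argument gets an unpinned `FROM $BASE_IMAGE`. A comment on the ARG would make that explicit: `# digest applies to the default only; overrides must carry their own @sha256`. The same pattern is used for `ARG BASE_IMAGE` in `examples/byoi/fedora`, `examples/byoi/rockylinux-fips`, `images/Dockerfile.alpine`, `images/Dockerfile.debian` and the `kairos-alpine` and `kairos-debian` files.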
@@ -46,7 +46,7 @@ RUN dnf install -y \ RUN mkdir -p /run/lock RUN touch /usr/libexec/.keep -COPY --from=quay.io/kairos/framework:master_fedora / / +COPY --from=quay.io/kairos/framework:master_fedora@sha256:e4d8facc9464a2cfdf0b32cf7bf9832ed7f76cd7113f194975d9278d89c7e6a6 / / # Activate Kairos services RUN systemctl enable cos-setup-reconcile.timer && \
diff --git a/examples/byoi/rockylinux-fips/Dockerfile b/examples/byoi/rockylinux-fips/Dockerfile
index 090642cb6..3c56cad3d 100644
--- a/examples/byoi/rockylinux-fips/Dockerfile
+++ b/examples/byoi/rockylinux-fips/Dockerfile
@@ -1,8 +1,8 @@ -ARG BASE_IMAGE=rockylinux:9 +ARG BASE_IMAGE=rockylinux:9@sha256:d7be1c094cc5845ee815d4632fe377514ee6ebcf8efaed6892889657e5ddaaa6 FROM $BASE_IMAGE as base # Generate os-release file -FROM quay.io/kairos/osbuilder-tools:latest as osbuilder +FROM quay.io/kairos/osbuilder-tools:latest@sha256:87f256550bd66675ea32ce3e1cd8389b15eb0142dd7459cfb038f47e9b5b305c as osbuilder RUN zypper install -y gettext && zypper clean RUN mkdir /workspace COPY --from=base /etc/os-release /workspace/os-release
@@ -78,7 +78,7 @@ RUN systemctl enable sshd # Copy the os-release file to identify the OS COPY --from=osbuilder /workspace/os-release /etc/os-release -COPY --from=quay.io/kairos/framework:master_fips-systemd / / +COPY --from=quay.io/kairos/framework:master_fips-systemd@sha256:b4c475bba210cff0ba503ba15da67d463f2a93b470cb3432b4e2d755af25f64c / / # Copy the custom dracut config file COPY dracut.conf /etc/dracut.conf.d/kairos-fips.conf
diff --git a/examples/byoi/ubuntu-fips/Dockerfile b/examples/byoi/ubuntu-fips/Dockerfile
index 51aaa1c18..d3c0bebc8 100644
--- a/examples/byoi/ubuntu-fips/Dockerfile
+++ b/examples/byoi/ubuntu-fips/Dockerfile
@@ -1,12 +1,12 @@ # Kairos framework packages for ubuntu fips -FROM quay.io/kairos/framework:master_fips-systemd as kairos-fips +FROM quay.io/kairos/framework:master_fips-systemd@sha256:b4c475bba210cff0ba503ba15da67d463f2a93b470cb3432b4e2d755af25f64c as kairos-fips # Base ubuntu image (focal) -FROM ubuntu:focal as base +FROM ubuntu:focal@sha256:0b897358ff6624825fb50d20ffb605ab0eaea77ced0adb8c6a4b756513dec6fc as base # Generate os-release file -FROM quay.io/kairos/osbuilder-tools:latest as osbuilder +FROM quay.io/kairos/osbuilder-tools:latest@sha256:87f256550bd66675ea32ce3e1cd8389b15eb0142dd7459cfb038f47e9b5b305c as osbuilder RUN zypper install -y gettext && zypper clean RUN mkdir /workspace COPY --from=base /etc/os-release /workspace/os-release
diff --git a/examples/byoi/ubuntu-non-hwe/Dockerfile b/examples/byoi/ubuntu-non-hwe/Dockerfile
index 6118d3147..15e120eef 100644
--- a/examples/byoi/ubuntu-non-hwe/Dockerfile
+++ b/examples/byoi/ubuntu-non-hwe/Dockerfile
@@ -1,4 +1,4 @@ -FROM ubuntu:22.04 +FROM ubuntu:22.04@sha256:19478ce7fc2ffbce89df29fea5725a8d12e57de52eb9ea570890dc5852aac1ac RUN apt-get update && \ apt-get install -y --no-install-recommends \ linux-image-generic
diff --git a/images/Dockerfile.alpine b/images/Dockerfile.alpine
index 40cc4e148..dd9d4d4d4 100644
--- a/images/Dockerfile.alpine
+++ b/images/Dockerfile.alpine
@@ -8,7 +8,7 @@ ARG FAMILY=alpine ARG FLAVOR ARG FLAVOR_RELEASE ARG MODEL=generic -ARG BASE_IMAGE=alpine:3.19 +ARG BASE_IMAGE=alpine:3.19@sha256:af4785ccdbcd5cde71bfd5b93eabd34250b98651f19fe218c91de6c8d10e21c5 ARG VARIANT ARG VERSION ARG FRAMEWORK_VERSION=main
diff --git a/images/Dockerfile.debian b/images/Dockerfile.debian
index 39d944828..4f936c033 100644
--- a/images/Dockerfile.debian
+++ b/images/Dockerfile.debian
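Review bot: The three `FROM` lines in `examples/byoi/ubuntu-fips/Dockerfile` keep rolling tags (`master_fips-systemd`, `focal`, `latest`) in front of the digest, which reads as if the build still follows them; once a digest is present it is what gets resolved and the tag is informational. Nothing in the hunk says when the digests were taken or what refreshes them, so these stages stay on that snapshot and miss later base-image fixes until someone bumps them. A short comment per line would cover it, e.g. `# digest of :latest as of DATE_PLACEHOLDER; refreshed by UPDATE_JOB_PLACEHOLDER`. The `debian:testing@sha256` and `framework:master_*@sha256` pins elsewhere in this diff are in the same position.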
@@ -8,7 +8,7 @@ ARG FAMILY=debian ARG FLAVOR ARG FLAVOR_RELEASE ARG MODEL=generic -ARG BASE_IMAGE=debian:testing +ARG BASE_IMAGE=debian:testing@sha256:aaa92941460dd5ae0698c1671556a32b9c4fea0062e0dd8ec50833611bde33a3 ARG VARIANT ARG VERSION ARG FRAMEWORK_VERSION=main
diff --git a/images/Dockerfile.kairos-alpine b/images/Dockerfile.kairos-alpine
index ff839a8b3..0315d3232 100644
--- a/images/Dockerfile.kairos-alpine
+++ b/images/Dockerfile.kairos-alpine
@@ -7,10 +7,10 @@ ARG FAMILY=alpine ARG FLAVOR ARG FLAVOR_RELEASE ARG MODEL=generic -ARG BASE_IMAGE=alpine:3.19 +ARG BASE_IMAGE=alpine:3.19@sha256:af4785ccdbcd5cde71bfd5b93eabd34250b98651f19fe218c91de6c8d10e21c5 ARG VARIANT ARG VERSION -ARG FRAMEWORK_VERSION=main +ARG FRAMEWORK_VERSION=main@sha256:00e2a262016ca1afd2fa7c5c87519e4c77649cb5a5c339e6dd63d671d39480aa ############################################################### #### Common ####
diff --git a/images/Dockerfile.kairos-debian b/images/Dockerfile.kairos-debian
index 60c85c1d4..126ab3ac8 100644
--- a/images/Dockerfile.kairos-debian
+++ b/images/Dockerfile.kairos-debian
@@ -7,10 +7,10 @@ ARG FAMILY=debian ARG FLAVOR ARG FLAVOR_RELEASE ARG MODEL=generic -ARG BASE_IMAGE=debian:testing +ARG BASE_IMAGE=debian:testing@sha256:aaa92941460dd5ae0698c1671556a32b9c4fea0062e0dd8ec50833611bde33a3 ARG VARIANT ARG VERSION -ARG FRAMEWORK_VERSION=main +ARG FRAMEWORK_VERSION=main@sha256:00e2a262016ca1afd2fa7c5c87519e4c77649cb5a5c339e6dd63d671d39480aa ############################################################### #### Upstream Images ####
diff --git a/images/Dockerfile.kairos-opensuse b/images/Dockerfile.kairos-opensuse
index 0e1f8a4dc..b8c84b0a9 100644
--- a/images/Dockerfile.kairos-opensuse
+++ b/images/Dockerfile.kairos-opensuse
@@ -10,7 +10,7 @@ ARG MODEL=generic ARG BASE_IMAGE ARG VARIANT ARG VERSION -ARG FRAMEWORK_VERSION=main +ARG FRAMEWORK_VERSION=main@sha256:00e2a262016ca1afd2fa7c5c87519e4c77649cb5a5c339e6dd63d671d39480aa FROM $BASE_IMAGE AS base
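Review bot: `ARG FRAMEWORK_VERSION=main@sha256:00e2a262…` in the `images/Dockerfile.kairos-alpine` hunk turns a version argument into a tag-plus-digest string, and the line that consumes it is outside the hunk. That is only valid if the value is used verbatim as the end of an image reference; if it is combined with a flavor suffix (the examples in this diff pull `framework:master_fedora` and `framework:master_fips-systemd`) or written into a label or file, the `@sha256:` part will break the reference or the string. The identical digest is also set in the `kairos-debian`, `kairos-opensuse`, `kairos-rhel` and `kairos-ubuntu` files, so all of them would resolve to the same image. I would keep `ARG FRAMEWORK_VERSION=main` and put the digest on the `FROM` or `COPY --from` line that names the framework image.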
diff --git a/images/Dockerfile.kairos-rhel b/images/Dockerfile.kairos-rhel
index f52eabff7..3bac02d2c 100644
--- a/images/Dockerfile.kairos-rhel
+++ b/images/Dockerfile.kairos-rhel
@@ -10,7 +10,7 @@ ARG MODEL=generic ARG BASE_IMAGE ARG VARIANT ARG VERSION -ARG FRAMEWORK_VERSION=main +ARG FRAMEWORK_VERSION=main@sha256:00e2a262016ca1afd2fa7c5c87519e4c77649cb5a5c339e6dd63d671d39480aa ARG BOOTLOADER=grub FROM $BASE_IMAGE AS base
diff --git a/images/Dockerfile.kairos-ubuntu b/images/Dockerfile.kairos-ubuntu
index 07df44764..c6f7b6b78 100644
--- a/images/Dockerfile.kairos-ubuntu
+++ b/images/Dockerfile.kairos-ubuntu
@@ -20,7 +20,7 @@ ARG MODEL=generic ARG BASE_IMAGE ARG VARIANT ARG VERSION -ARG FRAMEWORK_VERSION=main +ARG FRAMEWORK_VERSION=main@sha256:00e2a262016ca1afd2fa7c5c87519e4c77649cb5a5c339e6dd63d671d39480aa ARG BOOTLOADER=grub ###############################################################
@@ -41,7 +41,7 @@ FROM ${BASE_IMAGE} AS ubuntu-22.04-upstream # Ubuntu and the zfsutils-linux package, there is a fix in # nohang upstream but it's not yet available in the Ubuntu # package, so we build it from source -FROM ubuntu:22.04 as nohang-src +FROM ubuntu:22.04@sha256:19478ce7fc2ffbce89df29fea5725a8d12e57de52eb9ea570890dc5852aac1ac as nohang-src WORKDIR /root RUN apt-get update \ && apt-get install -y --no-install-recommends \
diff --git a/images/Dockerfile.nvidia b/images/Dockerfile.nvidia
index 9669bbd38..b8d2204f3 100644
--- a/images/Dockerfile.nvidia
+++ b/images/Dockerfile.nvidia
@@ -1,4 +1,4 @@ -FROM ubuntu:20.04 as base +FROM ubuntu:20.04@sha256:0b897358ff6624825fb50d20ffb605ab0eaea77ced0adb8c6a4b756513dec6fc as base RUN apt-get update RUN apt-get install -y ca-certificates
diff --git a/images/Dockerfile.ubuntu b/images/Dockerfile.ubuntu
index 86d0d9365..d8c373b3d 100644
--- a/images/Dockerfile.ubuntu
+++ b/images/Dockerfile.ubuntu
@@ -42,7 +42,7 @@ FROM ${BASE_IMAGE} AS ubuntu-22.04-upstream # Ubuntu and the zfsutils-linux package, there is a fix in # nohang upstream but it's not yet available in the Ubuntu # package, so we build it from source -FROM ubuntu:22.04 as nohang-src +FROM ubuntu:22.04@sha256:19478ce7fc2ffbce89df29fea5725a8d12e57de52eb9ea570890dc5852aac1ac as nohang-src WORKDIR /root RUN apt-get update \ && apt-get install -y --no-install-recommends \