From ee949cdd8eedd4ded6ebf17da0e627234e1480a5 Mon Sep 17 00:00:00 2001
From: John Boyes
Date: Mon, 30 Mar 2020 23:07:39 +0700
Subject: [PATCH 1/2] Use renovate to pin docker pulls to the digest
This is so that the docker image used in the builds are immutable, preventing potential subtle bugs that are very difficiult to detect. See: https://renovate.whitesourcesoftware.com/blog/overcoming-dockers-mutable-image-tags/ https://docs.microsoft.com/en-us/archive/blogs/stevelasker/docker-tagging-best-practices-for-tagging-and-versioning-docker-images
---
renovate.json | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/renovate.json b/renovate.json
index f45d8f1..31b2980 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,5 +1,11 @@
 {
 "extends": [
 "config:base"
- ]
+ ],
+ "dockerfile": {
+ "fileMatch": [
+ ".circleci/config.yml"
+ ],
+ "pinDigests": true
+ }
 }
From 7b197b3201c06738e75f016b5f2e578c775f38a3 Mon Sep 17 00:00:00 2001
From: John Boyes
Date: Tue, 31 Mar 2020 13:08:46 +0700
Subject: [PATCH 2/2] Enable digest pinning
---
renovate.json | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/renovate.json b/renovate.json
index 31b2980..c6fb4f1 100644
--- a/renovate.json
+++ b/renovate.json
@@ -2,10 +2,14 @@
 "extends": [
 "config:base"
 ],
- "dockerfile": {
- "fileMatch": [
- ".circleci/config.yml"
- ],
- "pinDigests": true
+ "docker": {
+ "digest": {
+ "enabled": true
+ }
+ },
+ "circleci": {
+ "digest": {
+ "enabled": true
+ }
 }
 }
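Review bot: Swapping `"pinDigests": true` for the two `"digest": { "enabled": true }` blocks in patch 2/2 may leave the images unpinned, as far as I can tell from Renovate's option semantics: `digest` configures how an image reference that already carries a `@sha256:` digest is updated, whereas `pinDigests` is the option that adds a digest to a reference that has only a tag, which is what the first commit's message sets out to achieve. If `.circleci/config.yml` currently references images by tag alone, the final configuration leaves those pulls mutable and the stated immutability goal is not met. Since the `circleci` manager already handles `.circleci/config.yml` and the `docker` block applies to every Docker-based manager, the usual form is `"docker": { "pinDigests": true }` (or adding the `docker:pinDigests` preset to `extends`) in place of the two `digest.enabled` blocks; dropping the first commit's `dockerfile.fileMatch` workaround is right. Worth confirming against the Renovate version in use, since digest updates otherwise apply only to references that were pinned beforehand.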