Pin images used in the release pipeline

tektoncd · Oct 1, 2024 · a528a4d · a528a4d
1 parent 37cf976
commit a528a4d
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 6 deletions.
diff --git a/tekton/build-publish-images-manifests.yaml b/tekton/build-publish-images-manifests.yaml
@@ -65,7 +65,7 @@ spec:
   steps:
 
   - name: container-registy-auth
-    image: gcr.io/go-containerregistry/crane:debug
+    image: gcr.io/go-containerregistry/crane:debug@sha256:ff0e08eeae8097d28b2381c7f7123bf542757abc68d11bff58fb882b72843785
     script: |
       #!/busybox/sh
       set -ex
@@ -84,7 +84,7 @@ spec:
       cp ${DOCKER_CONFIG} /workspace/docker-config.json
 
   - name: run-kustomize-ko
-    image: gcr.io/tekton-releases/dogfooding/ko-gcloud:latest
+    image: gcr.io/tekton-releases/dogfooding/ko-gcloud:v20240920-6c2a999d36@sha256:1756ca55a09b360028695792e638a7cc366292d7aef44c926a8cb765085664c8
     env:
     - name: KO_DOCKER_REPO
       value: $(params.imageRegistry)/$(params.imageRegistryPath)
@@ -134,7 +134,7 @@ spec:
       kustomize build ${PROJECT_ROOT}/config/${KUBE_DISTRO}/overlays/default | ko resolve --platform=$(params.platforms) --preserve-import-paths -f - > $OUTPUT_RELEASE_DIR/${FILENAME_PREFIX}release.notags.yaml
 
   - name: koparse
-    image: gcr.io/tekton-releases/dogfooding/koparse:latest
+    image: gcr.io/tekton-releases/dogfooding/koparse:v20240910-ec3cf3c749@sha256:5e8a522fc1e587fc00b69a6d73e0bfdf7a29ca143537a5542eb224680d2dbf2f
     script: |
       set -ex
 
@@ -151,7 +151,7 @@ spec:
         --base ${IMAGES_PATH} --images ${IMAGES} > /workspace/built_images
 
   - name: tag-images
-    image: gcr.io/go-containerregistry/crane:debug
+    image: gcr.io/go-containerregistry/crane:debug@sha256:ff0e08eeae8097d28b2381c7f7123bf542757abc68d11bff58fb882b72843785
     script: |
       #!/busybox/sh
       set -ex

diff --git a/tekton/operator-release-pipeline.yaml b/tekton/operator-release-pipeline.yaml
@@ -259,7 +259,7 @@ spec:
         description: The full URL of the release file (no tag, platform - OpenShift) in the bucket
       steps:
       - name: create-results
-        image: alpine
+        image: docker.io/library/alpine:3.20.3@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d
         script: |
           BASE_URL=$(echo "$(params.releaseBucket)/previous/$(params.versionTag)")
           # If the bucket is in the gs:// return the corresponding public https URL

diff --git a/tekton/task-fetch-components.yaml b/tekton/task-fetch-components.yaml
@@ -14,7 +14,7 @@ spec:
     description: Target platform for for which the payload is going to be used
     default: "kubernetes openshift"
   steps:
-  - image: docker.io/library/golang:1.22
+  - image: docker.io/library/golang:1.22@sha256:4594271250150c1a322ed749abfd218e1a8c6eb1ade90872e325a664412e2037
     name: fetch-components
     workingDir: /go/src/github.com/tektoncd/operator
     script: |