From 33f648dd98abe24825a4898496d762e7db26f664 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 12 Apr 2026 08:58:22 +0000
Subject: [PATCH] chore: pin Dockerfile base images to specific SHA digests (OSSF)
Agent-Logs-Url: https://github.com/mikefarah/yq/sessions/7a8f6690-37fb-42ab-b3dc-0dd23c270fbe
Co-authored-by: mikefarah <1151925+mikefarah@users.noreply.github.com>
---
 Dockerfile | 4 ++--
 Dockerfile.dev | 2 +-
 github-action/Dockerfile | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index a598c449..003948a4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.26.2 AS builder
+FROM golang:1.26.2@sha256:2a2b4b5791cea8ae09caecba7bad0bd9631def96e5fe362e4a5e67009fe4ae61 AS builder
 WORKDIR /go/src/mikefarah/yq
@@ -10,7 +10,7 @@ RUN ./scripts/acceptance.sh
 # Choose alpine as a base image to make this useful for CI, as many
 # CI tools expect an interactive shell inside the container
-FROM alpine:3 AS production
+FROM alpine:3@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659 AS production
 LABEL maintainer="Mike Farah "
 COPY --from=builder /go/src/mikefarah/yq/yq /usr/bin/yq
diff --git a/Dockerfile.dev b/Dockerfile.dev
index 51209dc6..d12597e3 100644
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@@ -1,4 +1,4 @@
-FROM golang:1.26.2
+FROM golang:1.26.2@sha256:2a2b4b5791cea8ae09caecba7bad0bd9631def96e5fe362e4a5e67009fe4ae61
 RUN apt-get update && \
 apt-get install -y npm && \
diff --git a/github-action/Dockerfile b/github-action/Dockerfile
index dfc90866..cc737fda 100644
--- a/github-action/Dockerfile
+++ b/github-action/Dockerfile
@@ -1,4 +1,4 @@
-FROM mikefarah/yq:4
+FROM mikefarah/yq:4@sha256:603ebff15eb308a05f1c5b8b7613179cad859aed3ec9fdd04f2ef5d32345950e
 COPY entrypoint.sh /entrypoint.sh
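Review bot: The digest added to the builder `FROM` in `Dockerfile` (and repeated in `Dockerfile.dev`) carries no comment saying what it identifies, so the diff alone does not show whether it is the multi-platform index digest or a single-architecture manifest digest. If these images are built for more than one platform, a single-architecture digest would make the other platforms resolve to the wrong image, so it is worth confirming the value independently, for example with `docker buildx imagetools inspect golang:1.26.2`, before merging. I would add a line above each pinned `FROM` such as `# golang:1.26.2 index digest; bump tag and digest together`.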
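Review bot: `FROM alpine:3@sha256:…` in the production stage of `Dockerfile` keeps the floating tag `3`, but once a digest is present the tag no longer selects the image, so the line reads as "current Alpine 3" while the build stays frozen on whatever release that digest names. The same applies to `FROM mikefarah/yq:4@sha256:…` in `github-action/Dockerfile`, where the action would stay on the yq build behind that digest. Nothing in this patch adds an automated digest updater; if the repository has none, base-image security fixes stop reaching these images until someone re-pins by hand. I would record the exact release next to each digest, e.g. `# alpine <exact release this digest resolves to>`, and pair the pins with a Dependabot or Renovate rule for the Docker ecosystem.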