From c8c00b58d04ad52757c84f5fef09854bc2b210ef Mon Sep 17 00:00:00 2001 From: Even Rouault Date: Fri, 6 Dec 2024 14:13:46 +0100 Subject: [PATCH] CI: Dockerfiles: pin FROM to please OpenSSF ScoreCard Dependabot is supposed to update the pins --- .github/workflows/alpine/Dockerfile.ci | 2 +- .github/workflows/alpine_32bit/Dockerfile.ci | 2 +- .github/workflows/fedora_rawhide/Dockerfile.ci | 2 +- .github/workflows/icc/Dockerfile.ci | 4 ++-- .github/workflows/s390x/Dockerfile.ci | 2 +- .github/workflows/ubuntu_20.04/Dockerfile.ci | 2 +- .github/workflows/ubuntu_22.04/Dockerfile.ci | 2 +- .github/workflows/ubuntu_24.04/Dockerfile.ci | 2 +- swig/python/gdal-utils/test-bdist-install.sh.txt | 2 +- 9 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/alpine/Dockerfile.ci b/.github/workflows/alpine/Dockerfile.ci index 0a41699e3181..ece744f9b120 100644 --- a/.github/workflows/alpine/Dockerfile.ci +++ b/.github/workflows/alpine/Dockerfile.ci @@ -1,4 +1,4 @@ -FROM alpine:edge +FROM alpine:edge@sha256:732b6226a359f67fad4e38b34dd374bd62a6d282e20c493a38cc7d3a653f86ca RUN apk add \ apache-arrow-dev \ diff --git a/.github/workflows/alpine_32bit/Dockerfile.ci b/.github/workflows/alpine_32bit/Dockerfile.ci index e5eac11f1cb0..935527a4a707 100644 --- a/.github/workflows/alpine_32bit/Dockerfile.ci +++ b/.github/workflows/alpine_32bit/Dockerfile.ci @@ -1,4 +1,4 @@ -FROM i386/alpine:edge +FROM i386/alpine:edge@sha256:42dc76bd326908c901e0a5b6ce58ec3a54126958f4c27f788798fac2b406f76a RUN apk add \ apache-arrow-dev \ diff --git a/.github/workflows/fedora_rawhide/Dockerfile.ci b/.github/workflows/fedora_rawhide/Dockerfile.ci index 1a768c94619b..b6118251d9d4 100644 --- a/.github/workflows/fedora_rawhide/Dockerfile.ci +++ b/.github/workflows/fedora_rawhide/Dockerfile.ci @@ -1,4 +1,4 @@ -FROM fedora:rawhide +FROM fedora:rawhide@sha256:19fcecbd14f2c1e887cbeb974295f5fc0e7b81e2df133e4f1b47a6f65cd11737 # FIXME: Exclude update of dnf&rpm themselves as this results in a no longer working dnf # cf https://github.com/OSGeo/gdal/actions/runs/9448190401/job/26021669415?pr=10173 diff --git a/.github/workflows/icc/Dockerfile.ci b/.github/workflows/icc/Dockerfile.ci index 09d3eb2756af..743279171945 100644 --- a/.github/workflows/icc/Dockerfile.ci +++ b/.github/workflows/icc/Dockerfile.ci @@ -1,11 +1,11 @@ -FROM ubuntu:22.04 +FROM ubuntu:22.04@sha256:3d1556a8a18cf5307b121e0a98e93f1ddf1f3f8e092f1fddfd941254785b95d7 ENV DEBIAN_FRONTEND=noninteractive RUN apt-get update -y \ && apt-get install -y cmake gcc ccache libproj-dev wget python3-dev python3-numpy python3-pip swig -RUN wget https://registrationcenter-download.intel.com/akdlm/IRC_NAS/bb99984f-370f-413d-bbec-38928d2458f2/l_dpcpp-cpp-compiler_p_2024.0.2.29_offline.sh \ +RUN WGET_CMD=wget && $WGET_CMD https://registrationcenter-download.intel.com/akdlm/IRC_NAS/bb99984f-370f-413d-bbec-38928d2458f2/l_dpcpp-cpp-compiler_p_2024.0.2.29_offline.sh \ && sh l_dpcpp-cpp-compiler_p_2024.0.2.29_offline.sh -a -s --eula accept # It appears to be necessary to install python dependencies _before_ diff --git a/.github/workflows/s390x/Dockerfile.ci b/.github/workflows/s390x/Dockerfile.ci index 7e60290072fa..090b1f9ae9a2 100644 --- a/.github/workflows/s390x/Dockerfile.ci +++ b/.github/workflows/s390x/Dockerfile.ci @@ -1,4 +1,4 @@ -FROM ubuntu:24.04 +FROM ubuntu:24.04@sha256:6e75a10070b0fcb0bead763c5118a369bc7cc30dfc1b0749c491bbb21f15c3c7 ENV DEBIAN_FRONTEND=noninteractive ENV TARGET_ARCH=s390x diff --git a/.github/workflows/ubuntu_20.04/Dockerfile.ci b/.github/workflows/ubuntu_20.04/Dockerfile.ci index e72ea34c8741..483992d8f358 100644 --- a/.github/workflows/ubuntu_20.04/Dockerfile.ci +++ b/.github/workflows/ubuntu_20.04/Dockerfile.ci @@ -2,7 +2,7 @@ # so any change in dependencies locations might have to be reflected in # coverity_scan/build/sh as well -FROM ubuntu:20.04 +FROM ubuntu:20.04@sha256:8e5c4f0285ecbb4ead070431d29b576a530d3166df73ec44affc1cd27555141b ENV DEBIAN_FRONTEND=noninteractive diff --git a/.github/workflows/ubuntu_22.04/Dockerfile.ci b/.github/workflows/ubuntu_22.04/Dockerfile.ci index 35ee72aaa549..ec8f111a6362 100644 --- a/.github/workflows/ubuntu_22.04/Dockerfile.ci +++ b/.github/workflows/ubuntu_22.04/Dockerfile.ci @@ -1,4 +1,4 @@ -FROM ubuntu:22.04 +FROM ubuntu:22.04@sha256:3d1556a8a18cf5307b121e0a98e93f1ddf1f3f8e092f1fddfd941254785b95d7 ENV DEBIAN_FRONTEND=noninteractive diff --git a/.github/workflows/ubuntu_24.04/Dockerfile.ci b/.github/workflows/ubuntu_24.04/Dockerfile.ci index b5e4bd88d3f7..f927052222d0 100644 --- a/.github/workflows/ubuntu_24.04/Dockerfile.ci +++ b/.github/workflows/ubuntu_24.04/Dockerfile.ci @@ -1,4 +1,4 @@ -FROM ubuntu:24.04 +FROM ubuntu:24.04@sha256:6e75a10070b0fcb0bead763c5118a369bc7cc30dfc1b0749c491bbb21f15c3c7 ENV DEBIAN_FRONTEND=noninteractive diff --git a/swig/python/gdal-utils/test-bdist-install.sh.txt b/swig/python/gdal-utils/test-bdist-install.sh.txt index 4165b2412d87..da9dfd1aba36 100644 --- a/swig/python/gdal-utils/test-bdist-install.sh.txt +++ b/swig/python/gdal-utils/test-bdist-install.sh.txt @@ -5,7 +5,7 @@ python setup.py bdist_wheel python -m venv test-wheel cd test-wheel source ./bin/activate -python3 -m pip install -U pip wheel setuptools numpy +PYTHON_CMD=python3 && $PYTHON_CMD -m pip install -U pip wheel setuptools numpy pip install ../dist/gdal_utils-*.whl echo "--- Keeping shell open so the venv can be explored (verify with 'which python')."