Pin dependencies to hash

Author: benjaminskiljan

.github/workflows/scorecard.yml

@@ -73,6 +73,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.7
         with:
           sarif_file: results.sarif

images/algorand/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1.3-labs
-FROM debian:12 as build
+FROM debian:12@sha256:b6507e340c43553136f5078284c8c68d86ec8262b1724dde73c325e8d3dcdeba as build
 
 ARG ALGORAND_VERSION=v4.1.2-stable
 ARG GO_VERSION=1.23.9
@@ -11,64 +11,66 @@ ENV GOPATH=/opt/algorand/go
 ENV DEBIAN_FRONTEND="noninteractive" TZ="Europe/London"
 
 RUN <<-EOF
-    apt-get -y update && \
-    apt-get -y install \
-    curl \
-    git \
-    make \
-    gcc \
-    g++ \
-    pkg-config \
-    libboost-dev \
-    autoconf \
-    automake \
-    python3 && \
-    curl -L -o /tmp/go-linux-amd64.tar.gz https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz && \
+    set -e
+    apt-get -y update && apt-get -y install \
+        curl \
+        git \
+        make \
+        gcc \
+        g++ \
+        pkg-config \
+        libboost-dev \
+        autoconf \
+        automake \
+        python3
+    curl -L -o /tmp/go-linux-amd64.tar.gz https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz
     tar -C /usr/local -xf /tmp/go-linux-amd64.tar.gz
 EOF
 
 RUN <<-EOF
-    git clone --branch "$ALGORAND_VERSION" https://github.com/algorand/go-algorand.git && \
-    cd go-algorand && \
-    ./scripts/configure_dev.sh && \
-    ./scripts/buildtools/install_buildtools.sh && \
-    make build && \
-    find /opt/algorand/go/bin -type f -executable -exec strip -s {} + 2>/dev/null || true && \
-    ./scripts/local_install.sh -c stable -p ${GOPATH}/bin -d /opt/algorand/algorand-defaults -f -s && \
-    rm /opt/algorand/algorand-defaults/genesis.json && \
-    cp installer/genesis/mainnet/genesis.json /opt/algorand/algorand-defaults/genesis-mainnet.json && \
-    cp installer/genesis/betanet/genesis.json /opt/algorand/algorand-defaults/genesis-betanet.json && \
-    cp installer/genesis/devnet/genesis.json /opt/algorand/algorand-defaults/genesis-devnet.json && \
+    set -e
+    git clone --branch "$ALGORAND_VERSION" https://github.com/algorand/go-algorand.git
+    cd go-algorand
+    ./scripts/configure_dev.sh
+    ./scripts/buildtools/install_buildtools.sh
+    make build
+    find /opt/algorand/go/bin -type f -executable -exec strip -s {} + 2>/dev/null || true
+    ./scripts/local_install.sh -c stable -p ${GOPATH}/bin -d /opt/algorand/algorand-defaults -f -s
+    rm /opt/algorand/algorand-defaults/genesis.json
+    cp installer/genesis/mainnet/genesis.json /opt/algorand/algorand-defaults/genesis-mainnet.json
+    cp installer/genesis/betanet/genesis.json /opt/algorand/algorand-defaults/genesis-betanet.json
+    cp installer/genesis/devnet/genesis.json /opt/algorand/algorand-defaults/genesis-devnet.json
     cp installer/genesis/testnet/genesis.json /opt/algorand/algorand-defaults/genesis-testnet.json
 EOF
 
-RUN mkdir -p /opt/algorand/.algorand && \
-    touch /opt/algorand/.algorand/algod.token && \
-    touch /opt/algorand/.algorand/algod.admin.token && \
-    chown -R 65532:65532 /opt/algorand/
+RUN <<-EOF
+    set -e
+    mkdir -p /opt/algorand/.algorand
+    touch /opt/algorand/.algorand/algod.token
+    touch /opt/algorand/.algorand/algod.admin.token
+EOF
 
 COPY scripts/entrypoint.go /tmp/entrypoint.go
-RUN go build -o /tmp/entrypoint /tmp/entrypoint.go && \
-    chown 65532:65532 /tmp/entrypoint
+RUN go build -o /tmp/entrypoint /tmp/entrypoint.go
 
-FROM gcr.io/distroless/static-debian12:nonroot as final
+FROM gcr.io/distroless/static-debian12:nonroot@sha256:cdf4daaf154e3e27cfffc799c16f343a384228f38646928a1513d925f473cb46 as final
 
 ENV DEBIAN_FRONTEND="noninteractive" TZ="Europe/London"
 
 ENV GOPATH=/opt/algorand/go
 ENV ALGORAND_DATA=/opt/algorand/.algorand
 
 # Binaries for core functionality
-COPY --from=build \
+COPY --from=build --chown=65532:65532 \
     /opt/algorand/go/bin/algod \
     /opt/algorand/go/bin/goal \
     /opt/algorand/go/bin/kmd \
     /opt/algorand/go/bin/
-COPY --from=build /opt/algorand/algorand-defaults/ /opt/algorand/algorand-defaults/
+COPY --from=build --chown=65532:65532 /opt/algorand/algorand-defaults/ /opt/algorand/algorand-defaults/
 COPY --from=build --chown=65532:65532 /opt/algorand/.algorand/ /opt/algorand/.algorand/
 
-COPY --from=build /tmp/entrypoint /opt/algorand/scripts/entrypoint
-COPY default-config/ /opt/algorand/default-config/
+COPY --from=build --chown=65532:65532 /tmp/entrypoint /opt/algorand/scripts/entrypoint
+COPY --chown=65532:65532 default-config/ /opt/algorand/default-config/
 
 ENTRYPOINT ["/opt/algorand/scripts/entrypoint"]
 CMD ["/opt/algorand/go/bin/algod"]

images/ethereumd/geth/Dockerfile

@@ -4,7 +4,7 @@ ARG VERSION=""
 ARG BUILDNUM=""
 
 # Build Geth in a stock Go builder container
-FROM golang:1.19-alpine as builder
+FROM golang:1.19-alpine@sha256:0ec0646e208ea58e5d29e558e39f2e59fccf39b7bda306cb53bbaff91919eca5 as builder
 
 RUN apk add --no-cache gcc musl-dev linux-headers git
 
@@ -17,7 +17,7 @@ ADD . /go-ethereum
 RUN cd /go-ethereum && go run build/ci.go install -static ./cmd/geth
 
 # Pull Geth into a second stage deploy alpine container
-FROM alpine:latest
+FROM alpine:3@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1
 
 RUN apk add --no-cache ca-certificates
 COPY --from=builder /go-ethereum/build/bin/geth /usr/local/bin/

images/k8s_hc_sidecar/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1.3-labs
-FROM alpine:3
+FROM alpine:3@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1
 
 RUN apk add --no-cache bash netcat-openbsd jq curl ts expect
 

images/polygond/bor/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:latest
+FROM golang:1.24.6@sha256:2c89c41fb9efc3807029b59af69645867cfe978d2b877d475be0d72f6c6ce6f6
 
 ARG BOR_DIR=/bor
 ENV BOR_DIR=$BOR_DIR

images/polygond/heimdall/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.14
+FROM alpine:3.14@sha256:0f2d5c38dd7a4f4f733e688e3a6733cb5ab1ac6e3cb4603a5dd564e5bfb80eed
 
 ARG HEIMDALL_DIR=/heimdall
 ENV HEIMDALL_DIR=$HEIMDALL_DIR