Pinned the dockerfile to sha256 #619

Merged

naveensrinivasan
Contributor

The dockerfile was referring to the tag. It is recommended to use pinned
dependencies based on SHA https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies

Changed the go:1.17 to SHA256 digest. This still works with dependabot.

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
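
As an added example (not part of this pull request or the cosign repository), here is a small Python check for the condition the change above fixes: it classifies each `FROM` line of a Dockerfile by whether the base image is pinned to a sha256 digest. The sample Dockerfile, the image names, the all-zero placeholder digest and the function names are constructed for illustration.

```python
import re
# Constructed sample Dockerfile (not the project's file); the digest is a placeholder.
SAMPLE = """\
FROM golang:1.17 AS builder
FROM --platform=linux/amd64 registry.example/base:1.0@sha256:%s
COPY --from=builder /out/app /app
FROM builder AS test
FROM scratch
ARG BASE=alpine:3.14
FROM ${BASE}
""" % ("0" * 64)

# A pinned reference ends in a full 64-hex-digit sha256 digest.
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")

def audit_from_lines(text):
    """Classify every FROM: pinned, unpinned, stage, scratch or variable."""
    stages, results = set(), []
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].upper() != "FROM":
            continue
        # Drop flags such as --platform=... that precede the image reference.
        args = [p for p in parts[1:] if not p.startswith("--")]
        if not args:
            continue
        image = args[0]
        if image.lower() == "scratch":
            status = "scratch"      # empty base, nothing to pin
        elif image.lower() in stages:
            status = "stage"        # earlier build stage, not a registry image
        elif "$" in image:
            status = "variable"     # needs ARG resolution before it can be judged
        elif DIGEST.search(image):
            status = "pinned"
        else:
            status = "unpinned"     # tag only, or no tag at all
        results.append((no, image, status))
        # Remember "AS <name>" so a later "FROM <name>" is seen as a stage.
        if len(args) >= 3 and args[1].upper() == "AS":
            stages.add(args[2].lower())
    return results

def needs_review(text):
    """FROM lines that are not provably pinned to a digest."""
    return [(n, img) for n, img, s in audit_from_lines(text)
            if s in ("unpinned", "variable")]

if __name__ == "__main__":
    for no, image, status in audit_from_lines(SAMPLE):
        print(f"line {no}: {image} -> {status}")
```
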
@dlorenc
Member

dlorenc commented Sep 4, 2021

Cc @cpanato can we just delete these Dockerfiles? Are they used anywhere?

@naveensrinivasan
Contributor Author

> Cc @cpanato can we just delete these Dockerfiles? Are they used anywhere?

It is used https://github.com/sigstore/cosign/search?q=Dockerfile

@cpanato
Member

cpanato commented Sep 6, 2021

@dlorenc @naveensrinivasan the file Dockerfile.cosigned is used now to build the cosigned image. I can follow up on that so that, instead of having the Dockerfile, we have a similar approach to the one we have for cosign (using KO).

The other Dockerfile, we used to use that to build the image without KO.

@cpanato
Member

cpanato commented Sep 7, 2021

Yep, we use it here: https://github.com/sigstore/cosign/blob/main/release/cloudbuild.yaml#L69-L74

The reason we have the Dockerfiles is that if I need to build the image locally (Mac or Windows), the cross-compilation does not work.

@dlorenc dlorenc merged commit f8f2e7a into sigstore:main Sep 12, 2021
@naveensrinivasan naveensrinivasan deleted the naveen/feat/fix-docker-digest branch September 12, 2021 02:49
@cpanato cpanato added this to the v1.2.0 milestone Sep 12, 2021