Pin the distroless base image to a stable alpine

The "latest" tag in the distroless image we use as base image is based on and alpha release of Alpine 3.19_alpha20230901. Pin the image instead to the latest available version that is based on Alpine 3.18.0 instead. Fixes: tektoncd#6456 Signed-off-by: Andrea Frittoli <andrea.frittoli@uk.ibm.com>
tekton-robot · Nov 14, 2023 · 478cffe · 478cffe
1 parent a22f812
commit 478cffe
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/tekton/publish.yaml b/tekton/publish.yaml
@@ -94,8 +94,9 @@ spec:
       cd ${PROJECT_ROOT}
 
       # Combine Distroless with a Windows base image, used for the entrypoint image.
+      # Distroless is pinned to the last version based on Alpine 3.18. Newer versions are based on Alpine 3.19_alpha20230901.
       COMBINED_BASE_IMAGE=$(go run ./vendor/github.com/tektoncd/plumbing/cmd/combine/main.go \
-        cgr.dev/chainguard/static \
+        cgr.dev/chainguard/static@sha256:67a1b00e0134e2b3a614c7198a26f7deed9d11b7acad4d52c79c0cfd47a2eae7 \
         mcr.microsoft.com/windows/nanoserver:ltsc2019 \
         mcr.microsoft.com/windows/nanoserver:ltsc2022 \
         ${CONTAINER_REGISTRY}/$(params.package)/combined-base-image:latest)