From 6b694029e00112f1ea8697d2af2a1d9a7bb7eb7f Mon Sep 17 00:00:00 2001
From: Alan Greene <github.com@alangreene.net>
Date: Thu, 26 Sep 2024 13:12:11 +0100
Subject: [PATCH] Pin images used for the common release pipeline

This is used by the following experimental projects:
- concurrency
- pipeline-in-pod
- workflows
---
 tekton/customtask-release-pipeline.yaml |  2 +-
 tekton/publish-customtask.yaml          | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/tekton/customtask-release-pipeline.yaml b/tekton/customtask-release-pipeline.yaml
index 524cffdc8..ce29129dd 100644
--- a/tekton/customtask-release-pipeline.yaml
+++ b/tekton/customtask-release-pipeline.yaml
@@ -172,7 +172,7 @@ spec:
             description: The full URL of the release file (no tag) in the bucket
         steps:
           - name: create-results
-            image: alpine
+            image: docker.io/library/alpine:3.20.3@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d
             script: |
               echo "$(params.releaseBucket)/previous/$(params.versionTag)/release.yaml" > $(results.release.path)
               echo "$(params.releaseBucket)/previous/$(params.versionTag)/release.notag.yaml" > $(results.release-no-tag.path)
diff --git a/tekton/publish-customtask.yaml b/tekton/publish-customtask.yaml
index 9119ae964..8cd74abf9 100644
--- a/tekton/publish-customtask.yaml
+++ b/tekton/publish-customtask.yaml
@@ -48,7 +48,7 @@ spec:
   steps:
 
   - name: create-ko-yaml
-    image: busybox
+    image: docker.io/library/busybox@sha256:c230832bd3b0be59a6c47ed64294f9ce71e91b327957920b6929a0caa8353140
     script: |
       #!/bin/sh
       set -ex
@@ -64,7 +64,7 @@ spec:
       cat ${PROJECT_ROOT}/.ko.yaml
 
   - name: container-registry-auth
-    image: gcr.io/go-containerregistry/crane:debug
+    image: gcr.io/go-containerregistry/crane:debug@sha256:ff0e08eeae8097d28b2381c7f7123bf542757abc68d11bff58fb882b72843785
     script: |
       #!/busybox/sh
       set -ex
@@ -83,7 +83,7 @@ spec:
       cp ${DOCKER_CONFIG} /workspace/docker-config.json
 
   - name: run-ko
-    image: gcr.io/tekton-releases/dogfooding/ko:latest
+    image: gcr.io/tekton-releases/dogfooding/ko:v20240926-3daa55a03e@sha256:393155dbdd7c8d920925b202c88e4846f46a70c1e1dc218b0ea5e2d7e388b576
     env:
     - name: KO_DOCKER_REPO
       value: $(params.imageRegistry)/$(params.imageRegistryPath)
@@ -132,7 +132,7 @@ spec:
       ko resolve --platform=$(params.platforms) --preserve-import-paths -f ${PROJECT_ROOT}/config/ > $OUTPUT_RELEASE_DIR/release.notags.yaml
 
   - name: koparse
-    image: gcr.io/tekton-releases/dogfooding/koparse:latest
+    image: gcr.io/tekton-releases/dogfooding/koparse:v20240910-ec3cf3c749@sha256:5e8a522fc1e587fc00b69a6d73e0bfdf7a29ca143537a5542eb224680d2dbf2f
     script: |
       set -ex
 
@@ -151,7 +151,7 @@ spec:
         --base ${IMAGES_PATH} --images ${IMAGES} > /workspace/built_images
 
   - name: tag-images
-    image: gcr.io/go-containerregistry/crane:debug
+    image: gcr.io/go-containerregistry/crane:debug@sha256:ff0e08eeae8097d28b2381c7f7123bf542757abc68d11bff58fb882b72843785
     script: |
       #!/busybox/sh
       set -ex