From d96aa6506a38d396b1c85021ef31a94ba9457d8b Mon Sep 17 00:00:00 2001
From: Andrea Frittoli <andrea.frittoli@uk.ibm.com>
Date: Tue, 14 Nov 2023 13:56:19 +0000
Subject: [PATCH] Pin the distroless base image to a stable alpine

The "latest" tag in the distroless image we use as base image is based
on and alpha release of Alpine 3.19_alpha20230901.

Pin the image instead to the latest available version that is based on
Alpine 3.18.0 instead.

Fixes: #6456

Signed-off-by: Andrea Frittoli <andrea.frittoli@uk.ibm.com>
---
 tekton/publish.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tekton/publish.yaml b/tekton/publish.yaml
index 294209c3ff6..ad0b43bf060 100644
--- a/tekton/publish.yaml
+++ b/tekton/publish.yaml
@@ -94,8 +94,9 @@ spec:
       cd ${PROJECT_ROOT}
 
       # Combine Distroless with a Windows base image, used for the entrypoint image.
+      # Distroless is pinned to the last version based on Alpine 3.18. Newer versions are based on Alpine 3.19_alpha20230901.
       COMBINED_BASE_IMAGE=$(go run ./vendor/github.com/tektoncd/plumbing/cmd/combine/main.go \
-        cgr.dev/chainguard/static \
+        cgr.dev/chainguard/static@sha256:67a1b00e0134e2b3a614c7198a26f7deed9d11b7acad4d52c79c0cfd47a2eae7 \
         mcr.microsoft.com/windows/nanoserver:ltsc2019 \
         mcr.microsoft.com/windows/nanoserver:ltsc2022 \
         ${CONTAINER_REGISTRY}/$(params.package)/combined-base-image:latest)