Pin the distroless base image to a stable alpine

afrittoli · tekton-robot · commit d96aa6506a38 · 2023-11-15T09:26:26.000Z
The "latest" tag in the distroless image we use as base image is based on and alpha release of Alpine 3.19_alpha20230901. Pin the image instead to the latest available version that is based on Alpine 3.18.0 instead. Fixes: #6456 Signed-off-by: Andrea Frittoli <andrea.frittoli@uk.ibm.com>
diff --git a/tekton/publish.yaml b/tekton/publish.yaml
@@ -94,8 +94,9 @@ spec:
       cd ${PROJECT_ROOT}
 
       # Combine Distroless with a Windows base image, used for the entrypoint image.
+      # Distroless is pinned to the last version based on Alpine 3.18. Newer versions are based on Alpine 3.19_alpha20230901.
       COMBINED_BASE_IMAGE=$(go run ./vendor/github.com/tektoncd/plumbing/cmd/combine/main.go \
-        cgr.dev/chainguard/static \
+        cgr.dev/chainguard/static@sha256:67a1b00e0134e2b3a614c7198a26f7deed9d11b7acad4d52c79c0cfd47a2eae7 \
         mcr.microsoft.com/windows/nanoserver:ltsc2019 \
         mcr.microsoft.com/windows/nanoserver:ltsc2022 \
         ${CONTAINER_REGISTRY}/$(params.package)/combined-base-image:latest)
