diff --git a/apps/bird/Dockerfile b/apps/bird/Dockerfile index 303107ba3..6532fc81d 100644 --- a/apps/bird/Dockerfile +++ b/apps/bird/Dockerfile @@ -1,6 +1,6 @@ ARG VERSION -FROM public.ecr.aws/docker/library/alpine:3.20 +FROM public.ecr.aws/docker/library/alpine:3.20@sha256:31687a2fdd021f85955bf2d0c2682e9c0949827560e1db546358ea094f740f12 ARG VERSION RUN apk add bird=${VERSION} RUN apk add catatonit diff --git a/apps/davical/Dockerfile b/apps/davical/Dockerfile index 7659511bf..d517dd13a 100644 --- a/apps/davical/Dockerfile +++ b/apps/davical/Dockerfile @@ -1,4 +1,4 @@ -FROM public.ecr.aws/docker/library/debian:12.2-slim +FROM public.ecr.aws/docker/library/debian:12.2-slim@sha256:2bc5c236e9b262645a323e9088dfa3bb1ecb16cc75811daf40a23a824d665be9 ARG VERSION USER 0:0 RUN apt update && apt install -y --no-install-recommends davical=${VERSION} php-ldap php-curl apache2 catatonit && apt clean && rm -rf /var/lib/apt/lists && rm -rf /var/cache /etc/systemd /lib/systemd && cd /etc/apache2/sites-enabled && ln -s ../sites-available/davical.conf ./davical.conf && cd /etc/apache2/mods-enabled && ln -s ../mods-available/headers.load ./headers.load && unlink /etc/apache2/sites-enabled/000-default.conf && echo 'Listen 8080' > /etc/apache2/ports.conf && echo 'ServerName ${APACHE_SERVERNAME}' >> /etc/apache2/apache2.conf diff --git a/apps/elk/Dockerfile b/apps/elk/Dockerfile index 6be662e87..3f0dc45dc 100644 --- a/apps/elk/Dockerfile +++ b/apps/elk/Dockerfile @@ -1,7 +1,7 @@ # Define build-time variables ARG VERSION -FROM docker.io/library/node:lts-alpine AS base +FROM docker.io/library/node:lts-alpine@sha256:187e9d7e49a5670a3adea14b6041e0d24c005956d7a771d6f406e3a5b6269bcc AS base # Stage 1: clone Elk repo FROM base AS git RUN apk update diff --git a/apps/findmydeviceserver/Dockerfile b/apps/findmydeviceserver/Dockerfile index e25752975..379c27ac3 100644 --- a/apps/findmydeviceserver/Dockerfile +++ b/apps/findmydeviceserver/Dockerfile 
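Review bot: In apps/bird/Dockerfile the new `FROM …/alpine:3.20@sha256:…` line fixes the base to one build of the tag, so later rebuilds of `alpine:3.20` that carry security fixes are no longer pulled; the same holds for every other `FROM` pinned in this commit (davical, elk, findmydeviceserver, goatcounter, joplin, k8s-crd-extractor, radicale, redbot, samba-debian). Nothing in the diff shows how the digests are refreshed, so presumably an update bot is configured elsewhere in the repository; without one these images age silently. I would record that next to the pin with a comment such as `# digest pinned for reproducibility; refreshed by <update tool>, rebuild after each bump`.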
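Review bot: In apps/elk/Dockerfile the pinned line keeps the floating tag, `node:lts-alpine@sha256:187e…`; once a digest is present the tag no longer selects the image, so the line does not tell a reader which Node release is actually in use, and `lts-alpine` itself will point at other releases over time. Replacing the tag with the explicit version that the digest corresponds to, `FROM docker.io/library/node:<node-version>-alpine@sha256:<same digest> AS base`, makes the pin auditable and lets an update tool propose version and digest together.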
@@ -3,7 +3,7 @@ ARG VERSION # for GoToSocial, the image we are copying from already has multi-arch support, so no need to specify TARGETPLATFORM or ARCH here # Stage 1: Build FindMyDeviceServer (pulled from upstream Dockerfile https://gitlab.com/Nulide/findmydeviceserver/-/blob/6bfd5c8ed285474aa225a56da96b51f9d0bddb58/Dockerfile#L1-L16) -FROM docker.io/library/golang:1.21.6-bookworm AS builder +FROM docker.io/library/golang:1.21.6-bookworm@sha256:3efef61ff1d99c8a90845100e2a7e934b4a5d11b639075dc605ff53c141044fc AS builder ARG VERSION ADD https://gitlab.com/Nulide/findmydeviceserver/-/archive/${VERSION}/findmydeviceserver-${VERSION}.tar.gz /source.tar.gz @@ -21,7 +21,7 @@ RUN go build -o /fmd cmd/fmdserver.go # Stage 2: Working app image #FROM gcr.io/distroless/cc-debian12:nonroot@sha256:6cf8f0fafa8b4b911eefa9be9e2fe40fcf380f56de25d203dd9a3782c255d1f3 -FROM debian:12 +FROM debian:12@sha256:b877a1a3fdf02469440f1768cf69c9771338a875b7add5e80c45b756c92ac20a ARG VERSION WORKDIR /fmd diff --git a/apps/goatcounter/Dockerfile b/apps/goatcounter/Dockerfile index 5d8dd3c54..5d32e76bb 100644 --- a/apps/goatcounter/Dockerfile +++ b/apps/goatcounter/Dockerfile @@ -2,7 +2,7 @@ ARG VERSION # Stage 1: Build (pulled from upstream Dockerfile https://github.com/botlabs-gg/yagpdb/blob/7e6d553bd203680a0a1d68afd94f815478538611/yagpdb_docker/Dockerfile) -FROM public.ecr.aws/docker/library/alpine:3.19.0 AS builder +FROM public.ecr.aws/docker/library/alpine:3.19.0@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48 AS builder ARG VERSION ARG TARGETARCH diff --git a/apps/joplin/Dockerfile b/apps/joplin/Dockerfile index 68bff09c7..765c5027c 100644 --- a/apps/joplin/Dockerfile +++ b/apps/joplin/Dockerfile 
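Review bot: In the builder stage of apps/findmydeviceserver/Dockerfile, `ADD https://gitlab.com/Nulide/findmydeviceserver/-/archive/${VERSION}/findmydeviceserver-${VERSION}.tar.gz /source.tar.gz` still fetches the source without any integrity check, so the digest on the golang base leaves the code that actually gets compiled unverified. BuildKit's `ADD` accepts a checksum, e.g. `ADD --checksum=sha256:<sha256 of the release tarball> https://gitlab.com/… /source.tar.gz`, with the value maintained alongside `VERSION`. The rest of the stage lies outside the hunk, so a verification step further down may already exist.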
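Review bot: The final stage in apps/findmydeviceserver/Dockerfile uses `FROM debian:12@sha256:…` with no registry, while the builder stage in the same file spells out `docker.io/library/`; an unqualified name depends on the builder's default registry (Docker assumes Docker Hub, other builders may consult a search list). The digest still guards the content, so this is mainly a consistency matter, and I would write `FROM docker.io/library/debian:12@sha256:<same digest>`. The commented-out distroless `nonroot` base just above suggests this stage now runs on a full Debian image; the remainder of the stage is outside the hunk, so whether a non-root `USER` is set cannot be seen from here.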
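Review bot: apps/goatcounter/Dockerfile declares `ARG TARGETARCH` right after the pinned `FROM …/alpine:3.19.0@sha256:51b6…`, so this image is presumably built for more than one architecture, and a digest only works for that if it is the digest of the multi-arch image index rather than of a single platform's manifest. The hash alone does not show which one was recorded. It is worth confirming with `docker buildx imagetools inspect` for this and the other pinned bases, and noting the result in a comment such as `# digest of the multi-arch index, not a per-platform manifest`.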
@@ -1,5 +1,5 @@ # Stage 1: Define upstream GoToSocial image to copy from -FROM docker.io/joplin/server:2.14.2-beta AS upstream +FROM docker.io/joplin/server:2.14.2-beta@sha256:b87564ef34e9ed0513e9b925b617cb8a1371eddfc8476f1fbd3fa85341d51508 AS upstream # Stage 2: Working app image ## check node version from https://github.com/laurent22/joplin/blob/80c2a87da20dbf7a7fc34b451d4234805a3d51a0/Dockerfile.server#L56 diff --git a/apps/k8s-crd-extractor/Dockerfile b/apps/k8s-crd-extractor/Dockerfile index 43f1c6474..d08997702 100644 --- a/apps/k8s-crd-extractor/Dockerfile +++ b/apps/k8s-crd-extractor/Dockerfile @@ -1,4 +1,4 @@ -FROM public.ecr.aws/docker/library/alpine:3.19.1 +FROM public.ecr.aws/docker/library/alpine:3.19.1@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b USER 0:0 RUN apk add bash diff --git a/apps/radicale/Dockerfile b/apps/radicale/Dockerfile index 6b0ceb998..a5374a9f2 100644 --- a/apps/radicale/Dockerfile +++ b/apps/radicale/Dockerfile @@ -11,7 +11,7 @@ RUN python3 -m venv . && /app/bin/pip install --upgrade --no-cache-dir radicale= # above plugin hash is from "3" branch # Stage 2: Install Jujutsu -FROM docker.io/library/alpine:3.20.1 AS jj +FROM docker.io/library/alpine:3.20.1@sha256:b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0 AS jj RUN busybox wget -O- https://github.com/martinvonz/jj/releases/download/v0.19.0/jj-v0.19.0-x86_64-unknown-linux-musl.tar.gz | busybox tar -xvf - # Stage 3: Working app image diff --git a/apps/redbot/Dockerfile b/apps/redbot/Dockerfile index de06c509d..2b3350386 100644 --- a/apps/redbot/Dockerfile +++ b/apps/redbot/Dockerfile 
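Review bot: The comment above the pinned line in apps/joplin/Dockerfile, `# Stage 1: Define upstream GoToSocial image to copy from`, names the wrong project; the image is `docker.io/joplin/server`. Since this is a third-party image now trusted by digest, the comment should say what is being trusted: `# Stage 1: Define upstream Joplin Server image to copy from`.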
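Review bot: In the `jj` stage of apps/radicale/Dockerfile the base is now pinned, but the next line pipes `busybox wget -O- https://github.com/martinvonz/jj/releases/download/v0.19.0/jj-v0.19.0-x86_64-unknown-linux-musl.tar.gz` straight into `busybox tar` with no checksum, so the binary that ends up in the image is whatever the URL serves at build time. Without `pipefail` a failed download may also go unnoticed, because the exit status of the pipeline is that of `tar`. I would fetch with `ADD --checksum=sha256:<sha256 of the jj tarball> <same URL> /tmp/jj.tar.gz` and then `RUN busybox tar -xzvf /tmp/jj.tar.gz`. The URL is also hard-coded to `x86_64`, which will not match other target architectures if this image is built for them.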
@@ -2,7 +2,7 @@ ARG VERSION # Stage 1: Build (pulled from upstream Dockerfile https://github.com/botlabs-gg/yagpdb/blob/7e6d553bd203680a0a1d68afd94f815478538611/yagpdb_docker/Dockerfile) -FROM docker.io/library/python:3.11.7-slim-bookworm +FROM docker.io/library/python:3.11.7-slim-bookworm@sha256:53d6284a40eae6b625f22870f5faba6c54f2a28db9027408f4dee111f1e885a2 ARG VERSION # why openjdk? its required for the Audio cog, specifically to run lavalink. We don't need to install lavalink ourselves, due to it automagically being installed by the audio cog diff --git a/apps/samba-debian/Dockerfile b/apps/samba-debian/Dockerfile index 12bfb0dd6..8f4b5ceb4 100644 --- a/apps/samba-debian/Dockerfile +++ b/apps/samba-debian/Dockerfile @@ -1,4 +1,4 @@ -FROM public.ecr.aws/docker/library/debian:12.2-slim +FROM public.ecr.aws/docker/library/debian:12.2-slim@sha256:2bc5c236e9b262645a323e9088dfa3bb1ecb16cc75811daf40a23a824d665be9 ARG PKGVER RUN apt update && apt install -y samba=${PKGVER} ctdb=${PKGVER} winbind=${PKGVER} samba-vfs-modules=${PKGVER} catatonit && apt clean && rm -rf /var/lib/apt/lists && rm -rf /var/cache # TODO: if CephFS kernel mount (PVC) not working as expected, switch to Debian unstable and install libcephfs2 for vfs_ceph, all other Debian versions are wildly out of date
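Review bot: The `# Stage 1: Build (pulled from upstream Dockerfile https://github.com/botlabs-gg/yagpdb/…)` comment above the pinned `FROM` in apps/redbot/Dockerfile points at the yagpdb repository, which looks like a leftover from another Dockerfile; apps/goatcounter/Dockerfile carries the identical comment. A provenance comment that names the wrong upstream misleads anyone auditing where the build recipe came from. I would replace it with the actual source, e.g. `# Stage 1: Build (based on <upstream Red-DiscordBot Dockerfile URL>)`, or drop the reference if there is none.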
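Review bot: In apps/samba-debian/Dockerfile the `RUN apt update && apt install -y samba=${PKGVER} …` line under the pinned base installs without `--no-install-recommends`, so recommended packages are pulled into a network-facing file-server image; apps/davical/Dockerfile in this same commit already passes the flag. I would change it to `apt-get update && apt-get install -y --no-install-recommends samba=${PKGVER} ctdb=${PKGVER} …`, using `apt-get` because the `apt` front end is not meant for scripts; the davical line uses `apt` as well. If a recommended package turns out to be required, list it explicitly.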