From cfce9bbe811705667b2cff36a57fe485190c3631 Mon Sep 17 00:00:00 2001
From: Alan Greene <github.com@alangreene.net>
Date: Thu, 26 Sep 2024 14:13:30 +0100
Subject: [PATCH] Pin images used in the release pipeline

---
 release/publish.yaml          | 8 ++++----
 release/release-pipeline.yaml | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/release/publish.yaml b/release/publish.yaml
index 58a0f153a8..e0dbd39ef5 100644
--- a/release/publish.yaml
+++ b/release/publish.yaml
@@ -76,7 +76,7 @@ spec:
   steps:
 
   - name: container-registy-auth
-    image: gcr.io/go-containerregistry/crane:debug
+    image: gcr.io/go-containerregistry/crane:debug@sha256:ff0e08eeae8097d28b2381c7f7123bf542757abc68d11bff58fb882b72843785
     script: |
       #!/busybox/sh
       set -ex
@@ -95,7 +95,7 @@ spec:
       cp ${DOCKER_CONFIG} /workspace/docker-config.json
 
   - name: run-ko
-    image: gcr.io/tekton-releases/dogfooding/ko:latest
+    image: gcr.io/tekton-releases/dogfooding/ko:v20240926-3daa55a03e@sha256:393155dbdd7c8d920925b202c88e4846f46a70c1e1dc218b0ea5e2d7e388b576
     env:
     - name: KO_DOCKER_REPO
       value: $(params.imageRegistry)/$(params.imageRegistryPath)
@@ -145,7 +145,7 @@ spec:
 
 
   - name: koparse
-    image: gcr.io/tekton-releases/dogfooding/koparse:latest
+    image: gcr.io/tekton-releases/dogfooding/koparse:v20240910-ec3cf3c749@sha256:5e8a522fc1e587fc00b69a6d73e0bfdf7a29ca143537a5542eb224680d2dbf2f
     script: |
       set -ex
 
@@ -162,7 +162,7 @@ spec:
         --base ${IMAGES_PATH} --images ${IMAGES} > /workspace/built_images
 
   - name: tag-images
-    image: gcr.io/go-containerregistry/crane:debug
+    image: gcr.io/go-containerregistry/crane:debug@sha256:ff0e08eeae8097d28b2381c7f7123bf542757abc68d11bff58fb882b72843785
     script: |
       #!/busybox/sh
       set -ex
diff --git a/release/release-pipeline.yaml b/release/release-pipeline.yaml
index f00cab36d4..9f3e3ab8b3 100644
--- a/release/release-pipeline.yaml
+++ b/release/release-pipeline.yaml
@@ -203,7 +203,7 @@ spec:
         description: The full URL of the main release file (no tag) in the bucket
       steps:
       - name: create-results
-        image: alpine
+        image: docker.io/library/alpine:3.20.3@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d
         script: |
           BASE_URL=$(echo "$(params.releaseBucket)/previous/$(params.versionTag)")
           # If the bucket is in the gs:// return the corresponding public https URL