From 08f16bb2ee2170f16d5152e2344d93122593c7a9 Mon Sep 17 00:00:00 2001
From: veilor-org
Date: Wed, 6 May 2026 10:41:10 +0100
Subject: [PATCH] ci: pin fedora:43 base image to digest

Pin registry.fedoraproject.org/fedora:43 to its current manifest digest so a malicious or accidental tag-rewrite upstream cannot silently change the base layer of every CI build. Digest was captured via `skopeo inspect --raw` on 2026-05-06. Refresh procedure documented inline.
---
 .github/workflows/build-iso.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build-iso.yml b/.github/workflows/build-iso.yml
index d255553..55702dc 100644
--- a/.github/workflows/build-iso.yml
+++ b/.github/workflows/build-iso.yml
@@ -43,7 +43,9 @@ jobs:
 - name: Run build inside Fedora 43 container
 uses: addnab/docker-run-action@v3
 with:
- image: registry.fedoraproject.org/fedora:43
+ # Pinned to digest from `skopeo inspect --raw` on 2026-05-06.
+ # Refresh by re-running skopeo against fedora:43 and bumping.
+ image: registry.fedoraproject.org/fedora:43@sha256:72e874e771b953c6357c7a5823c6fc1e3e3253b90121e795febe01380e32269b
 options: |
 --privileged
 -v ${{ github.workspace }}:/work
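Review bot: The `uses: addnab/docker-run-action@v3` line directly above the pinned image is still a mutable tag, so the tag-rewrite risk this commit closes for the base image stays open for the third-party action that launches it with `--privileged` and the workspace mounted; pin it the same way, e.g. `uses: addnab/docker-run-action@<full-commit-sha> # v3` (placeholder; resolve the SHA from the action's repository). The refresh comment is also incomplete as a procedure: `skopeo inspect --raw` prints the manifest body rather than a digest, so I would spell out the full command, something like `# Refresh: skopeo inspect --raw docker://registry.fedoraproject.org/fedora:43 | sha256sum`. A pinned digest also stops picking up Fedora's rebuilt images, so the comment should name who or what bumps it (a scheduled job or an update bot); otherwise the build base will fall behind security updates. The step's `options` block continues outside the hunk.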