ci: pin fedora:43 base image to digest
Pin registry.fedoraproject.org/fedora:43 to its current manifest digest so a malicious or accidental tag-rewrite upstream cannot silently change the base layer of every CI build. Digest was captured via `skopeo inspect --raw` on 2026-05-06. Refresh procedure documented inline.
This commit is contained in:
veilor-org
parent
25b8d30f35
commit
08f16bb2ee
1 changed files with 3 additions and 1 deletions
4
.github/workflows/build-iso.yml
vendored
4
.github/workflows/build-iso.yml
vendored
|
|
@ -43,7 +43,9 @@ jobs:
|
||||||
- name: Run build inside Fedora 43 container
|
- name: Run build inside Fedora 43 container
|
||||||
uses: addnab/docker-run-action@v3
|
uses: addnab/docker-run-action@v3
|
||||||
with:
|
with:
|
||||||
image: registry.fedoraproject.org/fedora:43
|
# Pinned to digest from `skopeo inspect --raw` on 2026-05-06.
|
||||||
|
# Refresh by re-running skopeo against fedora:43 and bumping.
|
||||||
|
image: registry.fedoraproject.org/fedora:43@sha256:72e874e771b953c6357c7a5823c6fc1e3e3253b90121e795febe01380e32269b
|
||||||
options: |
|
options: |
|
||||||
--privileged
|
--privileged
|
||||||
-v ${{ github.workspace }}:/work
|
-v ${{ github.workspace }}:/work
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue