GHA: pin containers to hash (where missing)
authorViktor Szakats <commit@vsz.me>
Thu, 14 May 2026 22:50:18 +0000 (00:50 +0200)
committerViktor Szakats <commit@vsz.me>
Thu, 14 May 2026 23:37:39 +0000 (01:37 +0200)
Fixing this with zizmor v1.25.0:
```
error[unpinned-images]: unpinned image references
  --> .github/workflows/linux-old.yml:59:5
59 |     container: 'debian:stretch'
   |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^ container image is not pinned to a SHA256 hash
   = help: audit documentation -> https://docs.zizmor.sh/audits/#unpinned-images
[...]
```
Ref: https://github.com/curl/curl/actions/runs/25890035949/job/76090925291?pr=21618

Sadly, there is no automatic mechanism to bump them.

Also:
- replace `debian-stretch` with its slim variant.
- bump one of the two Alpine jobs from 3.20 to 3.23.4.

Closes #21619

.github/workflows/linux-old.yml
.github/workflows/linux.yml

index 11644174623b23de1dae8d19c0895c58be1165b2..f0513646fbac7225bb30a37b7efcf2cc058ecdfa 100644 (file)
@@ -56,7 +56,7 @@ jobs:
   cmake-autotools:
     name: 'autotools & cmake'
     runs-on: ubuntu-latest
-    container: 'debian:stretch'
+    container: debian:stretch-20220622-slim@sha256:c5cd3ffceeb25b683bf5111ea89bf8049a177e00fb237235d48076a19cc80097
 
     steps:
       - name: 'install prereqs'
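Review bot: The new `container:` value on the `cmake-autotools` job drops the single quotes that the file uses for its other string scalars (`name: 'autotools & cmake'`), and the three `container:` lines changed in linux.yml do the same; keeping them, as in `container: 'debian:stretch-20220622-slim@sha256:…'`, would keep the file consistent. Once a digest is present the image is resolved by digest and the tag is informational only, so a comment above the line such as `# pinned by digest; the tag is not checked, change both together` would help the next editor. The digest also covers only the base image: whatever the 'install prereqs' step fetches at run time (its body is outside the hunk) is not pinned by this change. Because the slim variant starts from a smaller package set, it is worth confirming that the same step installs everything the full image used to provide.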
index 6486c2f28b66c603f8492eff92a18368acde394c..5fbe2eb11305b9759b360f64fa997b0eab1fd5b8 100644 (file)
@@ -440,15 +440,15 @@ jobs:
             # https://ftpmirror.infania.net/slackware/slackware64-current/source/n/curl/curl.SlackBuild
             configure: --enable-debug --without-ssl --with-libssh2 --with-gssapi --enable-ares --without-ca-bundle --with-ca-path=/etc/ssl/certs
             # Docker Hub image that `container-job` executes in
-            container: 'andy5995/slackware-build-essential:15.0'
+            container: andy5995/slackware-build-essential:15.0@sha256:f4f2242999038a2c2deb4e5727187caaae92502a7daf8353068932621e1ec92f
 
           - name: 'Alpine MUSL https-rr'
             configure: --enable-debug --with-ssl --with-libssh2 --with-libidn2 --with-gssapi --enable-ldap --with-libpsl --enable-httpsrr --enable-ares --enable-threaded-resolver
-            container: 'alpine:3.20'
+            container: alpine:3.23@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11 # 3.23.4
 
           - name: 'Alpine MUSL https-rr c-ares'
             configure: --enable-debug --with-ssl --with-libssh2 --with-libidn2 --with-gssapi --enable-ldap --with-libpsl --enable-httpsrr --enable-ares --disable-threaded-resolver
-            container: 'alpine:3.20'
+            container: alpine:3.20@sha256:d9e853e87e55526f6b2917df91a2115c36dd7c696a35be12163d44e6e2a4b6bc # 3.20.10
 
     steps:
       - name: 'install prereqs'
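Review bot: The patch release of the two Alpine images is recorded only in trailing comments (`# 3.23.4`, `# 3.20.10`), and nothing checks those comments or the tags against the digests, so a later tag bump that leaves the digest untouched would keep running the old image with no visible sign. A comment above the first pinned matrix entry would make the rule explicit, for example `# images are pinned by digest; when bumping, update tag, digest and version comment together`, ideally with a line on how the digests were obtained and whether they are multi-arch index digests or per-platform ones. The Slackware entry appears to come from an individual's Docker Hub namespace and has no version comment beyond the `15.0` tag, so noting the date the digest was taken next to it would show how old the frozen build is. The matrix and the job that consumes `container:` continue outside the hunk.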