pin to a debian:latest image for casource base image (#4250) (#4310)

The debian 'stable' images configure apt to install from the rolling 'stable' repository, rather than a specific Debian release. Thus even though we pin to a specific Docker image digest, the packages installed by 'apt-get' can change when a new Debian release is promoted to stable. Instead, pin to an image where apt is configured to install from repositories for a specific Debian release (in this case, bullseye).
2025-06-10 06:42:45 +02:00 · 2023-06-16 14:20:09 -07:00 · 2023-06-16 14:20:09 -07:00 · d8d59ddded
commit d8d59ddded
parent cd833fcf00
5 changed files with 10 additions and 10 deletions
--- a/.github/Dockerfile-release
+++ b/.github/Dockerfile-release
@ -1,6 +1,6 @@
 # build our own root trust store from current stable
-FROM debian:stable@sha256:1c3446475ac28a9f42a4627d8945d7bed88b8128b5850b61c5890ff47f317681 as casource
-RUN apt-get update && apt-get install -y ca-certificates
+FROM debian:latest@sha256:432f545c6ba13b79e2681f4cc4858788b0ab099fc1cca799cc0fae4687c69070 as casource
+RUN apt-get update && apt-get install -y ca-certificates=20210119
 # Remove expired root (https://github.com/pomerium/pomerium/issues/2653)
 RUN rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt && update-ca-certificates

--- a/.github/Dockerfile-release-debug
+++ b/.github/Dockerfile-release-debug
@ -1,6 +1,6 @@
 # build our own root trust store from current stable
-FROM debian:stable@sha256:1c3446475ac28a9f42a4627d8945d7bed88b8128b5850b61c5890ff47f317681 as casource
-RUN apt-get update && apt-get install -y ca-certificates
+FROM debian:latest@sha256:432f545c6ba13b79e2681f4cc4858788b0ab099fc1cca799cc0fae4687c69070 as casource
+RUN apt-get update && apt-get install -y ca-certificates=20210119
 # Remove expired root (https://github.com/pomerium/pomerium/issues/2653)
 RUN rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt && update-ca-certificates

--- a/.github/Dockerfile-release-debug-nonroot
+++ b/.github/Dockerfile-release-debug-nonroot
@ -1,6 +1,6 @@
 # build our own root trust store from current stable
-FROM debian:stable@sha256:1c3446475ac28a9f42a4627d8945d7bed88b8128b5850b61c5890ff47f317681 as casource
-RUN apt-get update && apt-get install -y ca-certificates
+FROM debian:latest@sha256:432f545c6ba13b79e2681f4cc4858788b0ab099fc1cca799cc0fae4687c69070 as casource
+RUN apt-get update && apt-get install -y ca-certificates=20210119
 # Remove expired root (https://github.com/pomerium/pomerium/issues/2653)
 RUN rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt && update-ca-certificates

--- a/.github/Dockerfile-release-nonroot
+++ b/.github/Dockerfile-release-nonroot
@ -1,6 +1,6 @@
 # build our own root trust store from current stable
-FROM debian:stable@sha256:1c3446475ac28a9f42a4627d8945d7bed88b8128b5850b61c5890ff47f317681 as casource
-RUN apt-get update && apt-get install -y ca-certificates
+FROM debian:latest@sha256:432f545c6ba13b79e2681f4cc4858788b0ab099fc1cca799cc0fae4687c69070 as casource
+RUN apt-get update && apt-get install -y ca-certificates=20210119
 # Remove expired root (https://github.com/pomerium/pomerium/issues/2653)
 RUN rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt && update-ca-certificates

--- a/4
+++ b/4
@ -30,8 +30,8 @@ RUN make build-go NAME=pomerium
 RUN touch /config.yaml

 # build our own root trust store from current stable
-FROM debian:stable@sha256:1fbdbcfb07b174d245e5f26191aa0401294ae5612a406cdb407f1f6fa6e29e23 as casource
-RUN apt-get update && apt-get install -y ca-certificates
+FROM debian:latest@sha256:432f545c6ba13b79e2681f4cc4858788b0ab099fc1cca799cc0fae4687c69070 as casource
+RUN apt-get update && apt-get install -y ca-certificates=20210119
 # Remove expired root (https://github.com/pomerium/pomerium/issues/2653)
 RUN rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt && update-ca-certificates