chore: pin dockerfile & limit CI perms (#732)

2023-08-21 09:32:49 -07:00 · 2023-08-21 09:32:49 -07:00 · ff6fd1af11
--- a/.github/workflows/smoke-test.yml
+++ b/.github/workflows/smoke-test.yml
@ -11,6 +11,9 @@ on:
  schedule:
    - cron: "0 0 * * *" # every day at midnight

+permissions:
+  contents: read
+
 jobs:
  smoke-test:
    runs-on: ["self-hosted", "1ES.Pool=1ES-OSE-GH-Pool"]
--- a/4
+++ b/4
@ -1,4 +1,4 @@
-FROM mcr.microsoft.com/dotnet/sdk:6.0-cbl-mariner2.0 AS build
+FROM mcr.microsoft.com/dotnet/sdk:6.0-cbl-mariner2.0@sha256:0a55184c1bea8da25a6b9ff0333f5e72aca18a4e76c85e8bcec3ebcf789f1bed AS build
 WORKDIR /app
 COPY . .
 RUN dotnet publish -c Release -o out \
@ -10,7 +10,7 @@ RUN dotnet publish -c Release -o out \
    -p:PublishSingleFile=true \
    ./src/Microsoft.ComponentDetection

-FROM mcr.microsoft.com/dotnet/runtime-deps:6.0-cbl-mariner2.0 AS runtime
+FROM mcr.microsoft.com/dotnet/runtime-deps:6.0-cbl-mariner2.0@sha256:3eb4347c76c6765bf7f7a7e1e483fefeba5f4a1271524465e18283dd2a2b9611 AS runtime
 WORKDIR /app
 COPY --from=build /app/out ./