From ff6fd1af11e800670ab9521325da0da104c7633d Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Mon, 21 Aug 2023 09:32:49 -0700
Subject: [PATCH] chore: pin dockerfile & limit CI perms (#732)

---
 .github/workflows/smoke-test.yml | 3 +++
 Dockerfile                       | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/smoke-test.yml b/.github/workflows/smoke-test.yml
index 6535a3c8..22e55460 100644
--- a/.github/workflows/smoke-test.yml
+++ b/.github/workflows/smoke-test.yml
@@ -11,6 +11,9 @@ on:
   schedule:
     - cron: "0 0 * * *" # every day at midnight
 
+permissions:
+  contents: read
+
 jobs:
   smoke-test:
     runs-on: ["self-hosted", "1ES.Pool=1ES-OSE-GH-Pool"]
diff --git a/Dockerfile b/Dockerfile
index 478c6782..459d9361 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM mcr.microsoft.com/dotnet/sdk:6.0-cbl-mariner2.0 AS build
+FROM mcr.microsoft.com/dotnet/sdk:6.0-cbl-mariner2.0@sha256:0a55184c1bea8da25a6b9ff0333f5e72aca18a4e76c85e8bcec3ebcf789f1bed AS build
 WORKDIR /app
 COPY . .
 RUN dotnet publish -c Release -o out \
@@ -10,7 +10,7 @@ RUN dotnet publish -c Release -o out \
     -p:PublishSingleFile=true \
     ./src/Microsoft.ComponentDetection
 
-FROM mcr.microsoft.com/dotnet/runtime-deps:6.0-cbl-mariner2.0 AS runtime
+FROM mcr.microsoft.com/dotnet/runtime-deps:6.0-cbl-mariner2.0@sha256:3eb4347c76c6765bf7f7a7e1e483fefeba5f4a1271524465e18283dd2a2b9611 AS runtime
 WORKDIR /app
 COPY --from=build /app/out ./
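Review bot: The new workflow-level `permissions: contents: read` applies to every job in the file, and the only job visible, `smoke-test`, has its steps outside this hunk, so it cannot be confirmed here that no step needs a write scope (issue or PR comments, artifact uploads to a release); any such step would presumably now fail on the token's scope rather than run with the broader default. If one does, the fix is a per-job `permissions:` block that grants only that scope, not a wider workflow default. A short comment on the block would record the intent for the next maintainer: `# least-privilege GITHUB_TOKEN for all jobs; widen per job only where a step needs it`.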
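Review bot: The two digest-pinned `FROM` lines (this hunk and the runtime-deps hunk at `@@ -10,7 +10,7 @@`) freeze the base images regardless of the `6.0-cbl-mariner2.0` tag next to them, so base-OS and .NET servicing fixes no longer arrive on rebuild, and nothing visible in the commit refreshes the digests. The tag beside the digest is informational only, since the digest wins at resolution, so a comment should state how the pin is kept current, e.g. `# pinned by digest for reproducible builds; refresh via Dependabot/Renovate (tag is informational)`. Whether each digest refers to the multi-arch manifest list or a single-platform manifest is not visible here; if it is the latter, builds for other architectures will fail, so it is worth confirming. The runtime stage's hunk ends before the end of the file and no `USER` directive is visible in it; confirm one exists past the hunk so the published image does not run as root.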