diff --git a/.github/workflows/build-world.yaml b/.github/workflows/build-world.yaml
index 5be0ffcd33d..b64e7ddf009 100644
--- a/.github/workflows/build-world.yaml
+++ b/.github/workflows/build-world.yaml
@@ -20,7 +20,7 @@ jobs:
 fail-fast: false
 container:
- image: ghcr.io/wolfi-dev/sdk:latest@sha256:2a939e7a239af196648d2a27add88c3375dd83d0b59d31c7928411011fb022f8
+ image: ghcr.io/wolfi-dev/sdk:latest@sha256:8a4c6c54d3cbdd3fd0207f629facc9df8b080605a6d30bd6474be5455633994e
 options: |
 --cap-add NET_ADMIN --cap-add SYS_ADMIN --security-opt seccomp=unconfined --security-opt apparmor:unconfined
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 30fbf316066..90bece4c0cc 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -29,7 +29,7 @@ jobs:
 # permissions:
 container:
- image: ghcr.io/wolfi-dev/sdk:latest@sha256:2a939e7a239af196648d2a27add88c3375dd83d0b59d31c7928411011fb022f8
+ image: ghcr.io/wolfi-dev/sdk:latest@sha256:8a4c6c54d3cbdd3fd0207f629facc9df8b080605a6d30bd6474be5455633994e
 # TODO: Deprivilege
 options: |
 --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined
@@ -102,7 +102,7 @@ jobs:
 container: # NOTE: This step only signs and uploads, so it doesn't need any privileges
- image: ghcr.io/wolfi-dev/sdk:latest@sha256:2a939e7a239af196648d2a27add88c3375dd83d0b59d31c7928411011fb022f8
+ image: ghcr.io/wolfi-dev/sdk:latest@sha256:8a4c6c54d3cbdd3fd0207f629facc9df8b080605a6d30bd6474be5455633994e
 steps:
 - uses: actions/checkout@v3
diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml
index 58a2694082a..982a2814c54 100644
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@@ -27,7 +27,7 @@ jobs:
 run: |
 # Copy wolfictl out of the wolfictl image and onto PATH
 TMP=$(mktemp -d)
- docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:2a939e7a239af196648d2a27add88c3375dd83d0b59d31c7928411011fb022f8 -c "cp /usr/bin/wolfictl /out"
+ docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:8a4c6c54d3cbdd3fd0207f629facc9df8b080605a6d30bd6474be5455633994e -c "cp /usr/bin/wolfictl /out"
 echo "$TMP" >> $GITHUB_PATH
 # Assuming that we have a list of changed files such as `foo.yaml` and `bar.yaml`, this
@@ -55,7 +55,7 @@ jobs:
 runs-on: wolfi-builder-spot-${{ matrix.arch }}
 needs: changes
 container:
- image: ghcr.io/wolfi-dev/sdk:latest@sha256:2a939e7a239af196648d2a27add88c3375dd83d0b59d31c7928411011fb022f8
+ image: ghcr.io/wolfi-dev/sdk:latest@sha256:8a4c6c54d3cbdd3fd0207f629facc9df8b080605a6d30bd6474be5455633994e
 options: |
 --cap-add NET_ADMIN --cap-add SYS_ADMIN --security-opt seccomp=unconfined --security-opt apparmor:unconfined
diff --git a/.github/workflows/push-production.yaml b/.github/workflows/push-production.yaml
index 19ee87ad65c..c0fad2f0ddf 100644
--- a/.github/workflows/push-production.yaml
+++ b/.github/workflows/push-production.yaml
@@ -68,7 +68,7 @@ jobs:
 run: |
 # Copy wolfictl out of the wolfictl image and onto PATH
 TMP=$(mktemp -d)
- docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:2a939e7a239af196648d2a27add88c3375dd83d0b59d31c7928411011fb022f8 -c "cp /usr/bin/wolfictl /out"
+ docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:8a4c6c54d3cbdd3fd0207f629facc9df8b080605a6d30bd6474be5455633994e -c "cp /usr/bin/wolfictl /out"
 echo "$TMP" >> $GITHUB_PATH
 - name: 'Build Wolfi'
diff --git a/Makefile b/Makefile
index 76637015724..c1bd6808ab7 100644
--- a/Makefile
+++ b/Makefile
@@ -77,7 +77,7 @@ dev-container:
 -v "${PWD}:${PWD}" \
 -w "${PWD}" \
 -e SOURCE_DATE_EPOCH=0 \
- ghcr.io/wolfi-dev/sdk:latest@sha256:a55fdbc2778d43134309dfdacb6dcd7d2ae44bff14f1a20a215308faf11dc200
+ ghcr.io/wolfi-dev/sdk:latest@sha256:8a4c6c54d3cbdd3fd0207f629facc9df8b080605a6d30bd6474be5455633994e
 PACKAGES_CONTAINER_FOLDER ?= /work/packages
 TMP_REPOSITORIES_DIR := $(shell mktemp -d)