From 926459f08a7e8c5988ab1bec06c9ec18a6e7097b Mon Sep 17 00:00:00 2001
From: Bane Sullivan <22067021+banesullivan@users.noreply.github.com>
Date: Sat, 23 May 2026 11:46:31 -0700
Subject: [PATCH 1/2] Pin peribolos image by digest

---
 scripts/run-peribolos.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/scripts/run-peribolos.sh b/scripts/run-peribolos.sh
index bec0ea7..97aae87 100755
--- a/scripts/run-peribolos.sh
+++ b/scripts/run-peribolos.sh
@@ -26,7 +26,9 @@ if [[ $MODE == "apply" && ${GITHUB_ACTIONS:-} == "true" && ${GITHUB_REF:-} != "r
 exit 1
 fi
 
-PERIBOLOS_IMAGE="us-docker.pkg.dev/k8s-infra-prow/images/peribolos:latest"
+# Pinned by digest for reproducibility and supply-chain integrity. Bump
+# manually after verifying a new digest from the upstream registry.
+PERIBOLOS_IMAGE="us-docker.pkg.dev/k8s-infra-prow/images/peribolos@sha256:6978d5adbb75487cbdb9088eef1437acd8a93a6e75f01abe76c5d0fca853bba8"
 
 if [[ -z ${GITHUB_TOKEN:-} ]]; then
 echo "ERROR: GITHUB_TOKEN environment variable is required." >&2

From a27017a658820ff0ab63b692893c3e9b983d5420 Mon Sep 17 00:00:00 2001
From: Bane Sullivan <22067021+banesullivan@users.noreply.github.com>
Date: Sat, 23 May 2026 11:48:55 -0700
Subject: [PATCH 2/2] Track peribolos image digest with Dependabot

---
 .github/dependabot.yml | 9 +++++++++
 docker/peribolos/Dockerfile | 6 ++++++
 scripts/run-peribolos.sh | 14 +++++++++++---
 3 files changed, 26 insertions(+), 3 deletions(-)
 create mode 100644 docker/peribolos/Dockerfile

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index f159282..408b55b 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -12,3 +12,12 @@ updates:
 - "*"
 commit-message:
 prefix: "ci"
+
+ - package-ecosystem: docker
+ directory: /docker/peribolos
+ schedule:
+ interval: monthly
+ cooldown:
+ default-days: 7
+ commit-message:
+ prefix: "ci"
diff --git a/docker/peribolos/Dockerfile b/docker/peribolos/Dockerfile
new file mode 100644
index 0000000..a4907b4
--- /dev/null
+++ b/docker/peribolos/Dockerfile
@@ -0,0 +1,6 @@
+# Pin of the peribolos image consumed by scripts/run-peribolos.sh.
+#
+# This Dockerfile exists solely to give Dependabot's `docker` ecosystem a
+# file to watch — see .github/dependabot.yml. The script parses the FROM
+# line below; it does not run `docker build`.
+FROM us-docker.pkg.dev/k8s-infra-prow/images/peribolos@sha256:6978d5adbb75487cbdb9088eef1437acd8a93a6e75f01abe76c5d0fca853bba8
diff --git a/scripts/run-peribolos.sh b/scripts/run-peribolos.sh
index 97aae87..7aa264b 100755
--- a/scripts/run-peribolos.sh
+++ b/scripts/run-peribolos.sh
@@ -26,9 +26,17 @@ if [[ $MODE == "apply" && ${GITHUB_ACTIONS:-} == "true" && ${GITHUB_REF:-} != "r
 exit 1
 fi
 
-# Pinned by digest for reproducibility and supply-chain integrity. Bump
-# manually after verifying a new digest from the upstream registry.
-PERIBOLOS_IMAGE="us-docker.pkg.dev/k8s-infra-prow/images/peribolos@sha256:6978d5adbb75487cbdb9088eef1437acd8a93a6e75f01abe76c5d0fca853bba8"
+# Peribolos image is pinned by digest in docker/peribolos/Dockerfile so
+# Dependabot's `docker` ecosystem (see .github/dependabot.yml) can open PRs
+# when a new digest is available. Parse the FROM line so the digest lives
+# in exactly one place.
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PERIBOLOS_DOCKERFILE="$SCRIPT_DIR/../docker/peribolos/Dockerfile"
+PERIBOLOS_IMAGE="$(awk '/^FROM / {print $2; exit}' "$PERIBOLOS_DOCKERFILE")"
+if [[ -z $PERIBOLOS_IMAGE ]]; then
+ echo "ERROR: failed to parse FROM line from $PERIBOLOS_DOCKERFILE" >&2
+ exit 1
+fi
 
 if [[ -z ${GITHUB_TOKEN:-} ]]; then
 echo "ERROR: GITHUB_TOKEN environment variable is required." >&2
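Review bot: The `FROM` line pins a digest with no tag, so neither the comment above it nor a future Dependabot bump PR records which upstream peribolos version the digest corresponds to, which makes reviewing a bump a matter of trusting an opaque hash. Pinning as `FROM us-docker.pkg.dev/k8s-infra-prow/images/peribolos:<tag>@sha256:<digest from this hunk>` keeps the human-readable version next to the immutable digest and gives Dependabot an explicit tag to resolve against. Whether Dependabot's docker ecosystem resolves a tag-less digest against `latest`, and whether it can read `us-docker.pkg.dev` anonymously without a `registries:` entry in dependabot.yml, is not visible from this patch and should be confirmed before relying on it to open bump PRs. A digest change alone says nothing about what changed upstream, so bump PRs still need a look at the corresponding release before merge.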
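Review bot: The empty check after the `awk` parse only catches a missing `FROM` line; it does not verify that the parsed value is still a digest-pinned reference, so a later edit to the Dockerfile, or a `FROM --platform=… image` line where `$2` becomes the flag rather than the image, would pass the guard and hand a mutable tag or garbage to the container invocation later in the script (outside the hunk). Since the point of this change is digest pinning, tighten the guard to `if [[ -z $PERIBOLOS_IMAGE || $PERIBOLOS_IMAGE != *@sha256:* ]]; then` and make the message say what was expected: `echo "ERROR: expected a digest-pinned image (image@sha256:...) in $PERIBOLOS_DOCKERFILE, got: '$PERIBOLOS_IMAGE'" >&2`. Whether `set -e` is active and would already abort when the Dockerfile is absent cannot be seen here, as the script header is outside the hunk; the `exit 1`/`fi` context at the top likewise belongs to a check that starts outside it.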