From f7c148f7ed57cd42c650be55a1a434dbabffd91c Mon Sep 17 00:00:00 2001 From: Andrew Pollock Date: Fri, 16 Aug 2024 15:35:10 +1000 Subject: [PATCH] fix(build): pin all usage of cloud-sdk image (#2484) A recent apparent GCS performance regression in the Cloud SDK highlighted uncontrolled upgrading of the Cloud SDK Docker image. Pin everything to what #2480 pinned to for stability. --- docker/terraform/Dockerfile | 2 +- vulnfeeds/cmd/alpine/Dockerfile | 2 +- vulnfeeds/cmd/cpe-repo-gen/Dockerfile | 2 +- vulnfeeds/cmd/debian-copyright-mirror/Dockerfile | 2 +- vulnfeeds/cmd/debian/Dockerfile | 2 +- vulnfeeds/cmd/download-cves/Dockerfile | 2 +- vulnfeeds/cmd/nvd-cve-osv/Dockerfile | 2 +- vulnfeeds/tools/debian/Dockerfile | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/docker/terraform/Dockerfile b/docker/terraform/Dockerfile index 2152188e0cf..a7609717d8c 100644 --- a/docker/terraform/Dockerfile +++ b/docker/terraform/Dockerfile @@ -6,7 +6,7 @@ ARG TERRAFORM_VERSION WORKDIR /build/ RUN GOBIN=$(pwd) go install github.com/hashicorp/terraform@v${TERRAFORM_VERSION} -FROM gcr.io/google.com/cloudsdktool/cloud-sdk:alpine +FROM gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine@sha256:d5da0344b23d03a6f2728657732c7a60300a91acaad9b8076c6fd30b1dfe1ff4 COPY --from=GO_BUILD /build/terraform /usr/bin/terraform COPY entrypoint.bash /builder/entrypoint.bash diff --git a/vulnfeeds/cmd/alpine/Dockerfile b/vulnfeeds/cmd/alpine/Dockerfile index e998e40bc7c..db2c1048546 100644 --- a/vulnfeeds/cmd/alpine/Dockerfile +++ b/vulnfeeds/cmd/alpine/Dockerfile @@ -25,7 +25,7 @@ COPY ./ /src/ RUN go build -o alpine-osv ./cmd/alpine/ -FROM gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine +FROM gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine@sha256:d5da0344b23d03a6f2728657732c7a60300a91acaad9b8076c6fd30b1dfe1ff4 WORKDIR /root/ COPY --from=GO_BUILD /src/alpine-osv ./ 
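Review bot: The new `FROM gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine@sha256:d5da0344…` line in docker/terraform/Dockerfile keeps the floating `alpine` tag beside the digest, so nothing on the line says which Cloud SDK release is in use; once a digest is given, the tag no longer selects the image. The same digest is repeated in the other seven Dockerfiles in this patch, and a digest pin also stops base-image security fixes from arriving until someone bumps it. I would add a comment above each pinned line, such as `# google-cloud-cli <SDK_VERSION>-alpine, pinned in #2480; bump all copies together`, and make an update bot or a documented manual step responsible for refreshing it. This hunk also changes the repository name from `cloud-sdk` to `google-cloud-cli`, which the description does not mention. If any of these images are built for more than one platform, it is worth confirming that the digest is the multi-arch index and not a single-platform manifest.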
diff --git a/vulnfeeds/cmd/cpe-repo-gen/Dockerfile b/vulnfeeds/cmd/cpe-repo-gen/Dockerfile index f3cebc34a00..7ea5800afff 100644 --- a/vulnfeeds/cmd/cpe-repo-gen/Dockerfile +++ b/vulnfeeds/cmd/cpe-repo-gen/Dockerfile @@ -24,7 +24,7 @@ RUN go mod download COPY ./ /src/ RUN CGO_ENABLED=0 go build -o cpe-repo-gen ./cmd/cpe-repo-gen -FROM gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine +FROM gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine@sha256:d5da0344b23d03a6f2728657732c7a60300a91acaad9b8076c6fd30b1dfe1ff4 COPY --from=GO_BUILD /src/cpe-repo-gen ./ COPY ./cmd/cpe-repo-gen/cpe-repo-gen_map.sh ./ diff --git a/vulnfeeds/cmd/debian-copyright-mirror/Dockerfile b/vulnfeeds/cmd/debian-copyright-mirror/Dockerfile index c927287b1c8..ad9292c11fb 100644 --- a/vulnfeeds/cmd/debian-copyright-mirror/Dockerfile +++ b/vulnfeeds/cmd/debian-copyright-mirror/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine +FROM gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine@sha256:d5da0344b23d03a6f2728657732c7a60300a91acaad9b8076c6fd30b1dfe1ff4 RUN apk add wget diff --git a/vulnfeeds/cmd/debian/Dockerfile b/vulnfeeds/cmd/debian/Dockerfile index 743389b5352..057c9846fc7 100644 --- a/vulnfeeds/cmd/debian/Dockerfile +++ b/vulnfeeds/cmd/debian/Dockerfile @@ -25,7 +25,7 @@ COPY ./ /src/ RUN go build -o debian-osv ./cmd/debian/ -FROM gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine +FROM gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine@sha256:d5da0344b23d03a6f2728657732c7a60300a91acaad9b8076c6fd30b1dfe1ff4 WORKDIR /root/ COPY --from=GO_BUILD /src/debian-osv ./ diff --git a/vulnfeeds/cmd/download-cves/Dockerfile b/vulnfeeds/cmd/download-cves/Dockerfile index a027ab3baa2..67001a9d74c 100644 --- a/vulnfeeds/cmd/download-cves/Dockerfile +++ b/vulnfeeds/cmd/download-cves/Dockerfile 
@@ -24,7 +24,7 @@ RUN go mod download COPY ./ /src/ RUN go build -o download-cves ./cmd/download-cves/ -FROM gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine +FROM gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine@sha256:d5da0344b23d03a6f2728657732c7a60300a91acaad9b8076c6fd30b1dfe1ff4 RUN apk --no-cache add jq WORKDIR /usr/local/bin diff --git a/vulnfeeds/cmd/nvd-cve-osv/Dockerfile b/vulnfeeds/cmd/nvd-cve-osv/Dockerfile index 6b77afdd8d2..b6a35e9f7c6 100644 --- a/vulnfeeds/cmd/nvd-cve-osv/Dockerfile +++ b/vulnfeeds/cmd/nvd-cve-osv/Dockerfile @@ -22,7 +22,7 @@ RUN go mod download && go mod verify COPY . . RUN CGO_ENABLED=0 go build -v -o /usr/local/bin ./cmd/nvd-cve-osv ./cmd/download-cves -FROM gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine AS runtime +FROM gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine@sha256:d5da0344b23d03a6f2728657732c7a60300a91acaad9b8076c6fd30b1dfe1ff4 AS runtime RUN apk --no-cache add jq COPY --from=GO_BUILD /usr/local/bin/ ./usr/local/bin/ diff --git a/vulnfeeds/tools/debian/Dockerfile b/vulnfeeds/tools/debian/Dockerfile index a2a0d6f665d..30097961506 100644 --- a/vulnfeeds/tools/debian/Dockerfile +++ b/vulnfeeds/tools/debian/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM google/cloud-sdk:449.0.0-alpine +FROM gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine@sha256:d5da0344b23d03a6f2728657732c7a60300a91acaad9b8076c6fd30b1dfe1ff4 # Keep the virtualenv directly in the project directory. This isn't strictly neccesary for # this project as it runs on kubernetes, but it keeps it consistent with other cloud run images
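Review bot: In vulnfeeds/tools/debian/Dockerfile the base was already pinned to a release (`google/cloud-sdk:449.0.0-alpine`), so replacing it with the shared digest changes the SDK version and the registry (Docker Hub to gcr.io) rather than only adding a pin. The digest does not show which release it corresponds to, so the size of that jump cannot be read from the diff. It is presumably newer than 449.0.0, which should be confirmed against the virtualenv-based setup that the following comment describes. A comment above the FROM line, such as `# was google/cloud-sdk:449.0.0-alpine; now google-cloud-cli <SDK_VERSION>-alpine`, would record the change. The rest of the Dockerfile lies outside the hunk.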