17 changes: 17 additions & 0 deletions .github/scorecard.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
annotations:
# Ignore test Dockerfiles that use dynamic base images (ARG BASE_IMAGE)
# These are intentionally unpinned for test flexibility across multiple OS versions
- checks:
- pinned-dependencies
reasons:
- reason: test-data
annotation: "Test Dockerfiles use dynamic ARG BASE_IMAGE for multi-platform/multi-OS testing"
path:
- "test/docker/nginx-official-image/apk/Dockerfile"
- "test/docker/nginx-official-image/deb/Dockerfile"
- "test/docker/nginx-oss/apk/Dockerfile"
- "test/docker/nginx-oss/deb/Dockerfile"
- "test/docker/nginx-oss/rpm/Dockerfile"
- "test/docker/nginx-plus/deb/Dockerfile"
- "test/docker/nginx-plus-and-nap/deb/Dockerfile"
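Review bot: The `- checks: - pinned-dependencies` entry silences the whole check for each listed Dockerfile, not only the `ARG BASE_IMAGE` line the comments describe, so an unpinned package install or piped installer added to one of these files later would also go unreported; the header comment should say the suppression is file-wide, e.g. `# NOTE: this suppresses every pinned-dependencies finding in these files, not only the base image`. It is also worth confirming against the scorecard config schema for the version the workflow runs that `path` and `annotation` are recognised keys under an annotation entry — if they are ignored, the entry would apply to the whole repository rather than these seven files. The `path:` list has to be extended by hand whenever a new test Dockerfile appears under `test/docker/`. Indentation is lost in this rendered view, so the nesting of `reasons:` and `path:` under the same list item is assumed.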

6 changes: 3 additions & 3 deletions .github/workflows/sbom-source.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ jobs:
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-tags: 'true'

- name: Get Secrets from Azure Key Vault
uses: ./.github/actions/az-sync
with:
Expand All @@ -35,10 +35,10 @@ jobs:
az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }}
secrets-filter: 'artifactory'

- name: Generate SBOM Document
id: sbom-src
uses: nginxinc/compliance-rules/.github/actions/sbom-source@main
uses: nginxinc/compliance-rules/.github/actions/sbom-source@361e2ac0a4f333150a3773a815aac632d32ffde9 # main
with:
product-name: ${{ github.event.repository.name }}
release-version: ${{ github.ref_name }}
Expand Down
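Review bot: The new `uses:` pin carries the trailing comment `# main`, which tells Dependabot/Renovate to keep following the branch tip, so the SHA is fixed only between update PRs and each update pulls in whatever has landed on `main` since. If nginxinc/compliance-rules publishes release tags, pinning to one (with a `# vX.Y.Z` comment) gives a reviewable upgrade path; if it does not, a short comment above the step stating that the branch is tracked deliberately would save the next reader the question. The enclosing job starts and ends outside the hunk.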
4 changes: 4 additions & 0 deletions .github/workflows/scorecards.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,10 @@ on:
branches:
- main
- dev-v2
pull_request:
branches:
- main
workflow_dispatch:

# Declare default permissions as read only.
permissions: read-all
Expand Down
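Review bot: The added `pull_request:` trigger restricts `branches:` to `main` while the `push:` trigger directly above also lists `dev-v2`, so pull requests targeting `dev-v2` will not run the scorecard workflow; if that is intended, a one-line comment such as `# PRs into dev-v2 are only scored on push` makes it explicit, otherwise add `- dev-v2` under the new `branches:` list. Pull requests from forks run with a read-only token and without an OIDC token, so it is worth confirming that the scorecard step later in the file (outside the hunk) publishes results only on the `push` event. The `on:` mapping begins outside the hunk.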
6 changes: 3 additions & 3 deletions dependencies.Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -3,11 +3,11 @@
# Dependabot can keep this file up to date with latest containers.

# Weaver is used to generate markdown docs, and enforce policies on the model.
FROM otel/weaver:v0.13.2 AS weaver
FROM otel/weaver:v0.13.2@sha256:ae7346b992e477f629ea327e0979e8a416a97f7956ab1f7e95ac1f44edf1a893 AS weaver

# OPA is used to test policies enforced by weaver.
FROM openpolicyagent/opa:1.2.0 AS opa
FROM openpolicyagent/opa:1.2.0@sha256:96f7ee5dbcc634853c55e0fc6090fe421d8c853da967ee0246f98bd186e2083f AS opa

# Semconv gen is used for backwards compatibility checks.
# TODO(jsuereth): Remove this when no longer used.
FROM otel/semconvgen:0.25.0 AS semconvgen
FROM otel/semconvgen:0.25.0@sha256:9df7b8cbaa732277d64d0c0a8604d96bb6f5a36d0e96338cba5dced720c16485 AS semconvgen
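Review bot: Each new `FROM` keeps the tag alongside the `@sha256:` digest, which is what Dependabot needs to bump both together, but nothing records whether the three digests are image-index (multi-arch) digests or single-platform manifests; if they are single-platform, a build on another architecture may fail or pull a mismatched image. A line under the header comment at the top of the hunk, e.g. `# Digests are image-index digests; re-derive with: docker buildx imagetools inspect <image>:<tag>`, would document how they were obtained and how to refresh them by hand.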