diff --git a/Dockerfile.amd64 b/Dockerfile.amd64
index 0f727cb0..55e82ea6 100644
--- a/Dockerfile.amd64
+++ b/Dockerfile.amd64
@@ -15,7 +15,7 @@ COPY . .
 RUN GOOS=linux GOARCH=amd64 make cloudflared
 # use a distroless base image with glibc
-FROM gcr.io/distroless/base-debian13:nonroot
+FROM gcr.io/distroless/base-debian13:nonroot-amd64@sha256:ced0a2b1936b14d5bddc2ee02a807b1586ca6576a967f5b043f4a3301c8a8f6b
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
diff --git a/Dockerfile.arm64 b/Dockerfile.arm64
index 5a563322..f5538a27 100644
--- a/Dockerfile.arm64
+++ b/Dockerfile.arm64
@@ -15,7 +15,7 @@ COPY . .
 RUN GOOS=linux GOARCH=arm64 make cloudflared
 # use a distroless base image with glibc
-FROM gcr.io/distroless/base-debian13:nonroot-arm64
+FROM gcr.io/distroless/base-debian13:nonroot-arm64@sha256:9c1ab6a3dbf9e22827b0be4a314d7cfbe008f922b7ca833ed0e5a63318c6169e
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 00000000..1c240ccb
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:recommended",
+ "schedule:nonOfficeHours"
+ ],
+ "enabledManagers": [
+ "dockerfile"
+ ],
+ "dockerfile": {
+ "managerFilePatterns": [
+ "/(^|/)Dockerfile\\.amd64$/",
+ "/(^|/)Dockerfile\\.arm64$/"
+ ]
+ },
+ "packageRules": [
+ {
+ "description": "Disable updates for everything by default; only the distroless base image is managed for now",
+ "matchPackageNames": [
+ "*"
+ ],
+ "enabled": false
+ },
+ {
+ "description": "Keep any distroless base image up to date by pinning and updating its digest, since tags like :nonroot are rolling tags without a semver version",
+ "matchManagers": [
+ "dockerfile"
+ ],
+ "matchPackageNames": [
+ "gcr.io/distroless/**"
+ ],
+ "enabled": true,
+ "pinDigests": true
+ }
+ ]
+}
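Review bot: In Dockerfile.amd64 (and in the matching change to Dockerfile.arm64) the new `FROM` line carries both a tag and a digest, and only the digest decides which image is pulled, so the `nonroot-amd64` / `nonroot-arm64` tag is now just a label that can drift from the pinned content if either half is edited by hand. The comment above the line does not mention the pin; I would extend it to `# use a distroless base image with glibc; the digest is pinned and bumped by Renovate (see renovate.json), keep tag and digest in sync`. The diff cannot show that each digest resolves to the image for the stated architecture rather than to a multi-arch index, so that should be confirmed against the registry once before merging. In Dockerfile.amd64 the tag also moves from the multi-arch `:nonroot` to `:nonroot-amd64`, which is worth stating in the commit message. The final stage continues past the end of both hunks.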
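Review bot: In renovate.json the catch-all rule (`"matchPackageNames": ["*"]` with `"enabled": false`) also turns off updates for the builder image, so only the runtime base gets a digest pin. The builder `FROM` is outside the visible hunks, but if it is tag-only, the toolchain that compiles the binary still comes from a mutable reference. Consider a further enabled rule with `"pinDigests": true` for that image, or say in the first rule's `description` that the builder is left unpinned on purpose. Separately, the two `managerFilePatterns` entries may be redundant: as far as I know Renovate adds them to the dockerfile manager's default patterns rather than replacing them, and the defaults appear to match `Dockerfile.*` names already, so this is worth checking.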