TUN-10612: Add renovate to cloudflared to update distroless images explicitely

2026-06-23 04:10:20 +00:00 · 2026-06-15 11:25:14 +01:00
parent 68620efbce
commit 3a60f8ac0f
3 changed files with 38 additions and 2 deletions
@@ -15,7 +15,7 @@ COPY . .
 RUN GOOS=linux GOARCH=amd64 make cloudflared
 # use a distroless base image with glibc
-FROM gcr.io/distroless/base-debian13:nonroot
+FROM gcr.io/distroless/base-debian13:nonroot-amd64@sha256:ced0a2b1936b14d5bddc2ee02a807b1586ca6576a967f5b043f4a3301c8a8f6b
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
@@ -15,7 +15,7 @@ COPY . .
 RUN GOOS=linux GOARCH=arm64 make cloudflared
 # use a distroless base image with glibc
-FROM gcr.io/distroless/base-debian13:nonroot-arm64
+FROM gcr.io/distroless/base-debian13:nonroot-arm64@sha256:9c1ab6a3dbf9e22827b0be4a314d7cfbe008f922b7ca833ed0e5a63318c6169e
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
@@ -0,0 +1,36 @@
 {
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    "schedule:nonOfficeHours"
  ],
  "enabledManagers": [
    "dockerfile"
  ],
  "dockerfile": {
    "managerFilePatterns": [
      "/(^|/)Dockerfile\\.amd64$/",
      "/(^|/)Dockerfile\\.arm64$/"
    ]
  },
  "packageRules": [
    {
      "description": "Disable updates for everything by default; only the distroless base image is managed for now",
      "matchPackageNames": [
        "*"
      ],
      "enabled": false
    },
    {
      "description": "Keep any distroless base image up to date by pinning and updating its digest, since tags like :nonroot are rolling tags without a semver version",
      "matchManagers": [
        "dockerfile"
      ],
      "matchPackageNames": [
        "gcr.io/distroless/**"
      ],
      "enabled": true,
      "pinDigests": true
    }
  ]
 }