tests: add script to update FIPS image in test-fips workflow
#4736
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
🤖 GitHub commentsExpand to view the GitHub comments
Just comment with:
|
trentm
previously approved these changes
Sep 2, 2025
v1v
previously approved these changes
Sep 2, 2025
v1v
reviewed
Sep 2, 2025
.github/dependabot.yml
Outdated
| directory: "/" | ||
| directories: | ||
| - "/" | ||
| - ".github/workflows" |
There was a problem hiding this comment.
I'm not sure if the package-ecosystem: 'docker' supports github workflows:
There was a problem hiding this comment.
I was naive. Thanks for the info. I'll revert this then
There was a problem hiding this comment.
I've created a script to update the sha value in the workflow file. For now I'll run it manually.
david-luna
dismissed stale reviews from v1v, trentm, and fr4nc1sc0-r4m0n
via
e006d1e
david-luna
changed the title
test-fips workflow
trentm
approved these changes
Sep 8, 2025
| const imageRef = 'docker.elastic.co/wolfi/chainguard-base-fips:latest'; | ||
|
|
||
| // Get the latest and extract the SHA | ||
| const out = execSync(`docker image pull ${imageRef}`, { encoding: 'utf-8' }); |
There was a problem hiding this comment.
Could perhaps use this command to resolve the digest without installing:
% docker buildx imagetools inspect docker.elastic.co/wolfi/chainguard-base-fips:latest
Name: docker.elastic.co/wolfi/chainguard-base-fips:latest
MediaType: application/vnd.oci.image.index.v1+json
Digest: sha256:b30d05c61d6a318e15113d8542a745acb605941a5cb8b1321228ff671fc4a3c9
Manifests:
Name: docker.elastic.co/wolfi/chainguard-base-fips:latest@sha256:f36b3fc08b2759b07a6a9c907f9b2b327abd393ed56bbc1569fbbdbc0d49bc1b
MediaType: application/vnd.oci.image.manifest.v1+json
Platform: linux/amd64
Name: docker.elastic.co/wolfi/chainguard-base-fips:latest@sha256:29ba15059f84be168cdd1785583a93cf7c01c6d84f441927e691e36bd441b61e
MediaType: application/vnd.oci.image.manifest.v1+json
Platform: linux/arm64
There was a problem hiding this comment.
I think it's a good idea. I merged this PR to get an updated sha and stop the failures of the. test-fips.yml workflow. But I'll do a follow up PR to change use this command and run it periodically with a cron expression.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
test-fipsworkflow does use a wolfi image to perform the tests. This image hasn't been updated in months being the follwing PR the last update #4525Docker scans were added in #4465 but
it seems it stopped from workingactually they never worked.This PR adds:
an update in dependabot to scan in root and also workflow folders for docker image updates.test-fips.ymlworkflowChecklist