From 3e038e93cb2b6f1cf951990b5b5e06a8c0988035 Mon Sep 17 00:00:00 2001
From: Nadia Santalla <nadia@santalla.io>
Date: Fri, 16 Aug 2024 12:56:57 +0200
Subject: [PATCH] Dockerfile: pin hash of debian:stable-slim image

Renovate (and hopefully dependabot) understand this syntax and will
raise PRs when this image is retagged. This should help us stay on top
of package updates and CVEs.
---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 56a8af3f..5b4f6aaa 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # First stage obtains the list of certificates.
-FROM --platform=$BUILDPLATFORM debian:stable-slim AS build
+FROM --platform=$BUILDPLATFORM debian:stable-slim@sha256:382967fd7c35a0899ca3146b0b73d0791478fba2f71020c7aa8c27e3a4f26672 AS build
 RUN apt-get update && apt-get -y install ca-certificates
 
 # Second stage copies the binaries, configuration and also the
@@ -7,7 +7,7 @@ RUN apt-get update && apt-get -y install ca-certificates
 
 ARG TARGETPLATFORM
 
-FROM --platform=$TARGETPLATFORM debian:stable-slim as release
+FROM --platform=$TARGETPLATFORM debian:stable-slim@sha256:382967fd7c35a0899ca3146b0b73d0791478fba2f71020c7aa8c27e3a4f26672 as release
 ARG TARGETOS
 ARG TARGETARCH
 ARG HOST_DIST=$TARGETOS-$TARGETARCH