Fix scorecard pinning issues (#15351)

trask · web-flow · commit 6cdc4499af02 · 2025-11-17T17:34:07.000-08:00
diff --git a/smoke-tests/images/servlet/build.gradle.kts b/smoke-tests/images/servlet/build.gradle.kts
@@ -203,6 +203,10 @@ fun configureImage(
     throw GradleException("Unexpected vm: $vm")
   }
 
+  val jdkImageParts = jdkImage.split("@")
+  val jdkImageName = jdkImageParts[0]
+  val jdkImageHash = if (jdkImageParts.size > 1) jdkImageParts[1].removePrefix("sha256:") else ""
+
   val extraArgs = args.toMutableMap()
   if (server == "wildfly") {
     // wildfly url without .zip or .tar.gz suffix
@@ -229,7 +233,7 @@ fun configureImage(
     inputDir.set(dockerWorkingDir)
     images.add(image)
     dockerFile.set(File(dockerWorkingDir.get().asFile, dockerFileName))
-    buildArgs.set(extraArgs + mapOf("jdk" to jdk, "vm" to vm, "version" to version, "jdkImage" to jdkImage))
+    buildArgs.set(extraArgs + mapOf("jdk" to jdk, "vm" to vm, "version" to version, "jdkImageName" to jdkImageName, "jdkImageHash" to jdkImageHash))
     doLast {
       matrix.add(image)
     }
diff --git a/smoke-tests/images/servlet/src/jetty.dockerfile b/smoke-tests/images/servlet/src/jetty.dockerfile
@@ -1,13 +1,14 @@
-ARG jdkImage
+ARG jdkImageName
+ARG jdkImageHash
 
 # Unzip in a separate container so that zip file layer is not part of final image
-FROM ${jdkImage} as builder
+FROM ${jdkImageName}@sha256:${jdkImageHash} as builder
 ARG sourceVersion
 
 ADD https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-home/${sourceVersion}/jetty-home-${sourceVersion}.tar.gz /server.tgz
 RUN tar xf server.tgz && mv jetty-home-${sourceVersion} /server
 
-FROM ${jdkImage}
+FROM ${jdkImageName}@sha256:${jdkImageHash}
 COPY --from=builder /server /server
 ENV JETTY_HOME=/server
 ENV JETTY_BASE=/base
diff --git a/smoke-tests/images/servlet/src/jetty.windows.dockerfile b/smoke-tests/images/servlet/src/jetty.windows.dockerfile
@@ -1,4 +1,5 @@
-ARG jdkImage
+ARG jdkImageName
+ARG jdkImageHash
 
 # Unzip in a separate container so that zip file layer is not part of final image
 FROM mcr.microsoft.com/windows/servercore:ltsc2022@sha256:3a2a2fdfbae2f720f6fe26f2d7680146712ce330f605b02a61d624889735c72e as builder
@@ -7,7 +8,7 @@ ARG sourceVersion
 ADD https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-home/${sourceVersion}/jetty-home-${sourceVersion}.zip /server.zip
 RUN ["powershell", "-Command", "expand-archive -Path /server.zip -DestinationPath /server"]
 
-FROM ${jdkImage}
+FROM ${jdkImageName}@sha256:${jdkImageHash}
 ARG sourceVersion
 
 # Make /server the base directory to simplify all further paths
diff --git a/smoke-tests/images/servlet/src/liberty.dockerfile b/smoke-tests/images/servlet/src/liberty.dockerfile
@@ -1,9 +1,10 @@
-ARG jdkImage
+ARG jdkImageName
+ARG jdkImageHash
 ARG version
 
 FROM open-liberty:${version}-full-java11-openj9 as liberty
 
-FROM ${jdkImage}
+FROM ${jdkImageName}@sha256:${jdkImageHash}
 
 ENV CONFIG /config
 ENV LIBERTY /opt/ol
diff --git a/smoke-tests/images/servlet/src/liberty.windows.dockerfile b/smoke-tests/images/servlet/src/liberty.windows.dockerfile
@@ -1,4 +1,5 @@
-ARG jdkImage
+ARG jdkImageName
+ARG jdkImageHash
 
 # Unzip in a separate container so that zip file layer is not part of final image
 FROM mcr.microsoft.com/windows/servercore:ltsc2022@sha256:3a2a2fdfbae2f720f6fe26f2d7680146712ce330f605b02a61d624889735c72e as builder
@@ -8,7 +9,7 @@ ARG release
 ADD https://public.dhe.ibm.com/ibmdl/export/pub/software/openliberty/runtime/release/${release}/openliberty-${version}.zip /server.zip
 RUN ["powershell", "-Command", "expand-archive -Path /server.zip -DestinationPath /server"]
 
-FROM ${jdkImage}
+FROM ${jdkImageName}@sha256:${jdkImageHash}
 
 # Make /server the base directory to simplify all further paths
 COPY --from=builder /server/wlp /server
diff --git a/smoke-tests/images/servlet/src/payara.dockerfile b/smoke-tests/images/servlet/src/payara.dockerfile
@@ -1,9 +1,10 @@
-ARG jdkImage
+ARG jdkImageName
+ARG jdkImageHash
 ARG version
 
 FROM payara/server-full:${version} as builder
 
-FROM ${jdkImage}
+FROM ${jdkImageName}@sha256:${jdkImageHash}
 ARG domainName
 
 # These environment variables have been confirmed to work with 5.2020.6 only
diff --git a/smoke-tests/images/servlet/src/payara.windows.dockerfile b/smoke-tests/images/servlet/src/payara.windows.dockerfile
@@ -1,4 +1,5 @@
-ARG jdkImage
+ARG jdkImageName
+ARG jdkImageHash
 
 # Unzip in a separate container so that zip file layer is not part of final image
 FROM mcr.microsoft.com/windows/servercore:ltsc2022@sha256:3a2a2fdfbae2f720f6fe26f2d7680146712ce330f605b02a61d624889735c72e as builder
@@ -9,7 +10,7 @@ RUN ["powershell", "-Command", "expand-archive -Path /server.zip -DestinationPat
 RUN ["powershell", "-Command", "Get-ChildItem -Path /server/ -filter payara* | Rename-Item -NewName payara"]
 RUN ["powershell", "-Command", "remove-item -Path /server/payara/glassfish/modules/phonehome-bootstrap.jar"]
 
-FROM ${jdkImage}
+FROM ${jdkImageName}@sha256:${jdkImageHash}
 
 # Make /server the base directory to simplify all further paths
 COPY --from=builder /server/payara /server
diff --git a/smoke-tests/images/servlet/src/tomcat.dockerfile b/smoke-tests/images/servlet/src/tomcat.dockerfile
@@ -1,15 +1,16 @@
-ARG jdkImage
+ARG jdkImageName
+ARG jdkImageHash
 ARG version
 
 # Unzip in a separate container so that zip file layer is not part of final image
-FROM ${jdkImage} as builder
+FROM ${jdkImageName}@sha256:${jdkImageHash} as builder
 ARG majorVersion
 ARG version
 
 ADD https://archive.apache.org/dist/tomcat/tomcat-${majorVersion}/v${version}/bin/apache-tomcat-${version}.tar.gz /server.tgz
 RUN tar xf server.tgz && mv apache-tomcat-${version} /server && rm -rf /server/webapps && mkdir -p /server/webapps
 
-FROM ${jdkImage}
+FROM ${jdkImageName}@sha256:${jdkImageHash}
 COPY --from=builder /server /server
 
 WORKDIR /server/bin
diff --git a/smoke-tests/images/servlet/src/tomcat.windows.dockerfile b/smoke-tests/images/servlet/src/tomcat.windows.dockerfile
@@ -1,4 +1,5 @@
-ARG jdkImage
+ARG jdkImageName
+ARG jdkImageHash
 
 # Unzip in a separate container so that zip file layer is not part of final image
 FROM mcr.microsoft.com/windows/servercore:ltsc2022@sha256:3a2a2fdfbae2f720f6fe26f2d7680146712ce330f605b02a61d624889735c72e as builder
@@ -8,7 +9,7 @@ ARG version
 ADD https://archive.apache.org/dist/tomcat/tomcat-${majorVersion}/v${version}/bin/apache-tomcat-${version}-windows-x64.zip /server.zip
 RUN ["powershell", "-Command", "expand-archive -Path /server.zip -DestinationPath /server"]
 
-FROM ${jdkImage}
+FROM ${jdkImageName}@sha256:${jdkImageHash}
 ARG version
 
 # Make /server the base directory to simplify all further paths
diff --git a/smoke-tests/images/servlet/src/tomee.dockerfile b/smoke-tests/images/servlet/src/tomee.dockerfile
@@ -1,13 +1,14 @@
-ARG jdkImage
+ARG jdkImageName
+ARG jdkImageHash
 
 # Unzip in a separate container so that zip file layer is not part of final image
-FROM ${jdkImage} as builder
+FROM ${jdkImageName}@sha256:${jdkImageHash} as builder
 ARG version
 
 ADD https://archive.apache.org/dist/tomee/tomee-${version}/apache-tomee-${version}-webprofile.tar.gz /server.tgz
 RUN tar xf server.tgz && ls -al / && mv apache-tomee-webprofile-${version} /server
 
-FROM ${jdkImage}
+FROM ${jdkImageName}@sha256:${jdkImageHash}
 COPY --from=builder /server /server
 
 WORKDIR /server/bin
diff --git a/smoke-tests/images/servlet/src/tomee.windows.dockerfile b/smoke-tests/images/servlet/src/tomee.windows.dockerfile
@@ -1,4 +1,5 @@
-ARG jdkImage
+ARG jdkImageName
+ARG jdkImageHash
 
 # Unzip in a separate container so that zip file layer is not part of final image
 FROM mcr.microsoft.com/windows/servercore:ltsc2022@sha256:3a2a2fdfbae2f720f6fe26f2d7680146712ce330f605b02a61d624889735c72e as builder
@@ -7,7 +8,7 @@ ARG version
 ADD https://archive.apache.org/dist/tomee/tomee-${version}/apache-tomee-${version}-webprofile.zip /server.zip
 RUN ["powershell", "-Command", "expand-archive -Path /server.zip -DestinationPath /server"]
 
-FROM ${jdkImage}
+FROM ${jdkImageName}@sha256:${jdkImageHash}
 ARG version
 
 # Make /server the base directory to simplify all further paths
diff --git a/smoke-tests/images/servlet/src/wildfly.dockerfile b/smoke-tests/images/servlet/src/wildfly.dockerfile
@@ -1,6 +1,7 @@
-ARG jdkImage
+ARG jdkImageName
+ARG jdkImageHash
 
-FROM ${jdkImage}
+FROM ${jdkImageName}@sha256:${jdkImageHash}
 ARG version
 ARG baseDownloadUrl
 
diff --git a/smoke-tests/images/servlet/src/wildfly.windows.dockerfile b/smoke-tests/images/servlet/src/wildfly.windows.dockerfile
@@ -1,4 +1,5 @@
-ARG jdkImage
+ARG jdkImageName
+ARG jdkImageHash
 
 # Unzip in a separate container so that zip file layer is not part of final image
 FROM mcr.microsoft.com/windows/servercore:ltsc2022@sha256:3a2a2fdfbae2f720f6fe26f2d7680146712ce330f605b02a61d624889735c72e as builder
@@ -8,7 +9,7 @@ ARG baseDownloadUrl
 ADD ${baseDownloadUrl}.zip /server.zip
 RUN ["powershell", "-Command", "expand-archive -Path /server.zip -DestinationPath /server"]
 
-FROM ${jdkImage}
+FROM ${jdkImageName}@sha256:${jdkImageHash}
 ARG version
 
 # Make /server the base directory to simplify all further paths
