demo: pin base image with sha

And setup updates for the hashes via dependabot

Signed-off-by: Tuomas Katila <[email protected]>

Author: tkatila

.github/dependabot.yml

@@ -15,3 +15,10 @@ updates:
       # Check for updates to GitHub Actions every week on Sunday
       interval: "weekly"
       day: "sunday"
+
+  # Check updates to demo Dockerfiles in demo/
+  - package-ecosystem: "docker"
+    directory: "/demo/"
+    schedule:
+      # Check for updates to demo base images every month
+      interval: "monthly"

demo/accel-config-demo/Dockerfile

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM debian:unstable-slim AS builder
+FROM debian:unstable-slim@sha256:1168b5db3ac36ac7dba548f4cc9d4a2bac856d1404000a07e936d2012d2820bb AS builder
 
 RUN apt-get update && apt-get install -y --no-install-recommends libaccel-config-dev \
     gcc g++ nasm make cmake autoconf automake libtool pkg-config git ca-certificates uuid-dev
@@ -29,7 +29,7 @@ RUN cd / && git clone --recurse-submodules --depth 1 --branch v1.5.0 https://git
     cmake -DLOG_HW_INIT=ON .. && \
     make install
 
-FROM debian:unstable-slim
+FROM debian:unstable-slim@sha256:1168b5db3ac36ac7dba548f4cc9d4a2bac856d1404000a07e936d2012d2820bb
 
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends pciutils accel-config accel-config-test kmod && rm -rf /var/lib/apt/lists/\*
 

demo/crypto-perf/Dockerfile

@@ -1,4 +1,4 @@
-FROM debian:unstable-slim as builder
+FROM debian:unstable-slim@sha256:1168b5db3ac36ac7dba548f4cc9d4a2bac856d1404000a07e936d2012d2820bb as builder
 
 ARG DIR=/dpdk-build
 WORKDIR $DIR
@@ -37,7 +37,7 @@ RUN mkdir -p /install_root/licenses/dpdk && \
     cd /install_root/licenses/dpdk && \
     apt-get source --download-only -y libatomic1 libnuma1
 
-FROM debian:unstable-slim
+FROM debian:unstable-slim@sha256:1168b5db3ac36ac7dba548f4cc9d4a2bac856d1404000a07e936d2012d2820bb
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends libipsec-mb1 libnuma1 libatomic1 && ldconfig -v
 COPY --from=builder /install_root /
 COPY run-dpdk-test /usr/bin/

demo/dlb-dpdk-demo/Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:20.04 as builder
+FROM ubuntu:20.04@sha256:874aca52f79ae5f8258faff03e10ce99ae836f6e7d2df6ecd3da5c1cad3a912b as builder
 
 ARG DIR=/dpdk-build
 WORKDIR $DIR
@@ -24,7 +24,7 @@ RUN wget -q https://fast.dpdk.org/rel/$DPDK_TARBALL \
 RUN cd dpdk-* && patch -Np1 < $(echo ../dlb/dpdk/dpdk_dlb_*.patch) && sed -i 's/270b,2710,2714/270b,2710,2711,2714/g' ./usertools/dpdk-devbind.py && meson setup --prefix $(pwd)/installdir builddir
 RUN cd dpdk-* && ninja -C builddir install && install -D builddir/app/dpdk-test-eventdev /install_root/usr/bin/dpdk-test-eventdev
 
-FROM ubuntu:20.04
+FROM ubuntu:20.04@sha256:874aca52f79ae5f8258faff03e10ce99ae836f6e7d2df6ecd3da5c1cad3a912b
 RUN apt-get update && apt-get install -y --no-install-recommends libnuma1 libatomic1
 COPY --from=builder /install_root /
 COPY test.sh /usr/bin/

demo/dlb-libdlb-demo/Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:20.04 AS builder
+FROM ubuntu:20.04@sha256:874aca52f79ae5f8258faff03e10ce99ae836f6e7d2df6ecd3da5c1cad3a912b AS builder
 
 WORKDIR /dlb-build
 
@@ -16,7 +16,7 @@ RUN wget https://downloadmirror.intel.com/791459/$DLB_TARBALL \
 # Build libdlb
 RUN cd dlb/libdlb && make
 
-FROM ubuntu:20.04
+FROM ubuntu:20.04@sha256:874aca52f79ae5f8258faff03e10ce99ae836f6e7d2df6ecd3da5c1cad3a912b
 COPY --from=builder /dlb-build/dlb/libdlb/libdlb.so /usr/local/lib
 RUN ldconfig
 

demo/intel-opencl-icd/Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:22.04
+FROM ubuntu:22.04@sha256:a6d2b38300ce017add71440577d5b0a90460d0e57fd7aec21dd0d1b0761bbfb2
 
 ARG APT="env DEBIAN_FRONTEND=noninteractive apt"
 

demo/opae-nlb-demo/Dockerfile

@@ -1,4 +1,4 @@
-FROM debian:unstable-slim AS builder
+FROM debian:unstable-slim@sha256:1168b5db3ac36ac7dba548f4cc9d4a2bac856d1404000a07e936d2012d2820bb AS builder
 
 # Install build dependencies
 RUN apt-get update && apt-get install -y curl python3-dev git gcc g++ make cmake uuid-dev libjson-c-dev libedit-dev libudev-dev
@@ -24,7 +24,7 @@ RUN cd /usr/src/opae/opae-sdk-${OPAE_RELEASE} && \
     make -j xfpga nlb0 nlb3
 
 
-FROM debian:unstable-slim
+FROM debian:unstable-slim@sha256:1168b5db3ac36ac7dba548f4cc9d4a2bac856d1404000a07e936d2012d2820bb
 
 RUN apt-get update && apt-get upgrade -y && apt-get install --no-install-recommends -y libjson-c5
 

demo/openssl-qat-engine/Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:24.04
+FROM ubuntu:24.04@sha256:3f85b7caad41a95462cf5b787d8a04604c8262cdcdf9a472b8c52ef83375fe15
 
 RUN apt update && \
     apt install --no-install-recommends -y qatengine qatlib-examples qatzip openssl

demo/sgx-aesmd-demo/Dockerfile

@@ -1,6 +1,6 @@
 # This Dockerfile is currently provided as a reference to build aesmd with ECDSA attestation
 # but is not published along with the device plugin container images.
-FROM ubuntu:22.04
+FROM ubuntu:22.04@sha256:a6d2b38300ce017add71440577d5b0a90460d0e57fd7aec21dd0d1b0761bbfb2
 
 RUN apt update && apt install -y curl gnupg-agent \
     && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main" | \

demo/sgx-sdk-demo/Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:22.04 AS builder
+FROM ubuntu:22.04@sha256:a6d2b38300ce017add71440577d5b0a90460d0e57fd7aec21dd0d1b0761bbfb2 AS builder
 
 WORKDIR /root
 
@@ -66,7 +66,7 @@ RUN cd SGXDataCenterAttestationPrimitives/SampleCode/QuoteVerificationSample \
     && sgx_sign sign -key ../QuoteGenerationSample/Enclave/Enclave_private_sample.pem -enclave enclave.so -out enclave.signed.so -config Enclave/Enclave.config.xml \
     && cd -
 
-FROM ubuntu:22.04
+FROM ubuntu:22.04@sha256:a6d2b38300ce017add71440577d5b0a90460d0e57fd7aec21dd0d1b0761bbfb2
 
 RUN apt-get update && \
     apt-get install -y \