From 99b0252e9792cff626e51adaf7add9d90448c03d Mon Sep 17 00:00:00 2001
From: stevebeattie <1686002+stevebeattie@users.noreply.github.com>
Date: Thu, 21 May 2026 16:22:32 +0000
Subject: [PATCH] chore(oscap): re-pin CA bundle hash and fixture base-image digests

Atomically updates the CA bundle SHA in the OSCAP datastream and the digest-pinned FROM lines in tests/e2e/fixtures/*/Dockerfile so the two values can never drift out of sync (which would flake the CertificateAudit E2E assertions).
Image: cgr.dev/chainguard/wolfi-base:latest
Digest: sha256:315732e5ca8b9f9285ed36ce9a5bb2a99f700ca8f0570d7061f9a4987fcf6688
CA SHA: 61efbd6d3f829f71039c57b29dd37d15ac7f33c4ece861aaef8c7d7a519cd1d9
Signed-off-by: github-actions[bot]
---
 tests/e2e/fixtures/baseline-clean/Dockerfile | 2 +-
 tests/e2e/fixtures/cabundle-tampered/Dockerfile | 2 +-
 tests/e2e/fixtures/non-https-repo/Dockerfile | 2 +-
 tests/e2e/fixtures/remote-access-violation/Dockerfile | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/tests/e2e/fixtures/baseline-clean/Dockerfile b/tests/e2e/fixtures/baseline-clean/Dockerfile
index fd485bd..3d4e68e 100644
--- a/tests/e2e/fixtures/baseline-clean/Dockerfile
+++ b/tests/e2e/fixtures/baseline-clean/Dockerfile
@@ -12,7 +12,7 @@
 # - CertificateAudit: /etc/ssl/certs/ca-certificates.crt matches the pinned SHA-256
 #
 # Expected result: a clean scan with no failures attributable to these rules.
-FROM cgr.dev/chainguard/wolfi-base:latest@sha256:0cff4df29a6597173dc8b813787318150141eb96ac783dc3ff4f5ff52c49a1e2
+FROM cgr.dev/chainguard/wolfi-base:latest@sha256:315732e5ca8b9f9285ed36ce9a5bb2a99f700ca8f0570d7061f9a4987fcf6688
 # Suppress OrbStack's automatic root-CA injection so the baked CA bundle in
 # the image is identical to the upstream wolfi-base bundle. Without this, the
diff --git a/tests/e2e/fixtures/cabundle-tampered/Dockerfile b/tests/e2e/fixtures/cabundle-tampered/Dockerfile
index 01323e7..75c2b7d 100644
--- a/tests/e2e/fixtures/cabundle-tampered/Dockerfile
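Review bot: The commit message says the CA bundle SHA in the OSCAP datastream is re-pinned atomically with these FROM digests, but the diffstat lists only the four fixture Dockerfiles, so no datastream change is part of this patch. Unless that change lands in a separate commit, the datastream's pinned value and the bundle baked into the new wolfi-base digest on the FROM line here can still diverge — exactly the drift this re-pin exists to prevent — and it would show up as a CertificateAudit failure on baseline-clean or a spurious pass on cabundle-tampered. Either include the datastream hunk in this patch or make the re-pin job refuse to commit when the two values are not updated together. The same applies to the cabundle-tampered, non-https-repo and remote-access-violation hunks, which take the same digest.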
+++ b/tests/e2e/fixtures/cabundle-tampered/Dockerfile
@@ -6,7 +6,7 @@
 # Appends a bogus trust anchor to /etc/ssl/certs/ca-certificates.crt so
 # the SHA-256 of the baked bundle diverges from the pinned value the
 # CertificateAudit OVAL check expects. The rule must FAIL.
-FROM cgr.dev/chainguard/wolfi-base:latest@sha256:0cff4df29a6597173dc8b813787318150141eb96ac783dc3ff4f5ff52c49a1e2
+FROM cgr.dev/chainguard/wolfi-base:latest@sha256:315732e5ca8b9f9285ed36ce9a5bb2a99f700ca8f0570d7061f9a4987fcf6688
 LABEL dev.orbstack.add-ca-certificates=false
diff --git a/tests/e2e/fixtures/non-https-repo/Dockerfile b/tests/e2e/fixtures/non-https-repo/Dockerfile
index 8dda79b..0d1411d 100644
--- a/tests/e2e/fixtures/non-https-repo/Dockerfile
+++ b/tests/e2e/fixtures/non-https-repo/Dockerfile
@@ -6,7 +6,7 @@
 # Injects a non-https repository URL into /etc/apk/repositories so the
 # textfilecontent54 pattern ^(?!\s*#)(?!.*https://).+$ must match at
 # least one line and the rule must FAIL.
-FROM cgr.dev/chainguard/wolfi-base:latest@sha256:0cff4df29a6597173dc8b813787318150141eb96ac783dc3ff4f5ff52c49a1e2
+FROM cgr.dev/chainguard/wolfi-base:latest@sha256:315732e5ca8b9f9285ed36ce9a5bb2a99f700ca8f0570d7061f9a4987fcf6688
 LABEL dev.orbstack.add-ca-certificates=false
diff --git a/tests/e2e/fixtures/remote-access-violation/Dockerfile b/tests/e2e/fixtures/remote-access-violation/Dockerfile
index c6dea1f..519b1a3 100644
--- a/tests/e2e/fixtures/remote-access-violation/Dockerfile
+++ b/tests/e2e/fixtures/remote-access-violation/Dockerfile
@@ -7,7 +7,7 @@
 # RemoteAccessServices OVAL check must detect the package record under
 # /usr/lib/apk/db/installed and every RemoteAccessServices-backed rule
 # must FAIL.
-FROM cgr.dev/chainguard/wolfi-base:latest@sha256:0cff4df29a6597173dc8b813787318150141eb96ac783dc3ff4f5ff52c49a1e2
+FROM cgr.dev/chainguard/wolfi-base:latest@sha256:315732e5ca8b9f9285ed36ce9a5bb2a99f700ca8f0570d7061f9a4987fcf6688
 LABEL dev.orbstack.add-ca-certificates=false