From 12654976b6694f06aed40946a9f0dd6b6bded3fd Mon Sep 17 00:00:00 2001 From: egibs <20933572+egibs@users.noreply.github.com> Date: Wed, 3 Jun 2026 01:54:07 +0000 Subject: [PATCH] chore(oscap): re-pin CA bundle hash and fixture base-image digests Atomically updates the CA bundle SHA in the OSCAP datastream and the digest-pinned FROM lines in tests/e2e/fixtures/*/Dockerfile so the two values can never drift out of sync (which would flake the CertificateAudit E2E assertions). Image: cgr.dev/chainguard/wolfi-base:latest Digest: sha256:cb2fc9d795bf874e660dbc25958cfa699b55e789235896ec7c354c57d3e3a704 CA SHA: 61efbd6d3f829f71039c57b29dd37d15ac7f33c4ece861aaef8c7d7a519cd1d9 Signed-off-by: github-actions[bot] --- tests/e2e/fixtures/baseline-clean/Dockerfile | 2 +- tests/e2e/fixtures/cabundle-tampered/Dockerfile | 2 +- tests/e2e/fixtures/non-https-repo/Dockerfile | 2 +- tests/e2e/fixtures/remote-access-violation/Dockerfile | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/e2e/fixtures/baseline-clean/Dockerfile b/tests/e2e/fixtures/baseline-clean/Dockerfile index 3d4e68e..02ef84c 100644 --- a/tests/e2e/fixtures/baseline-clean/Dockerfile +++ b/tests/e2e/fixtures/baseline-clean/Dockerfile @@ -12,7 +12,7 @@ # - CertificateAudit: /etc/ssl/certs/ca-certificates.crt matches the pinned SHA-256 # # Expected result: a clean scan with no failures attributable to these rules. -FROM cgr.dev/chainguard/wolfi-base:latest@sha256:315732e5ca8b9f9285ed36ce9a5bb2a99f700ca8f0570d7061f9a4987fcf6688 +FROM cgr.dev/chainguard/wolfi-base:latest@sha256:cb2fc9d795bf874e660dbc25958cfa699b55e789235896ec7c354c57d3e3a704 # Suppress OrbStack's automatic root-CA injection so the baked CA bundle in # the image is identical to the upstream wolfi-base bundle. Without this, the diff --git a/tests/e2e/fixtures/cabundle-tampered/Dockerfile b/tests/e2e/fixtures/cabundle-tampered/Dockerfile index 75c2b7d..6c1c2ac 100644 --- a/tests/e2e/fixtures/cabundle-tampered/Dockerfile +++ b/tests/e2e/fixtures/cabundle-tampered/Dockerfile @@ -6,7 +6,7 @@ # Appends a bogus trust anchor to /etc/ssl/certs/ca-certificates.crt so # the SHA-256 of the baked bundle diverges from the pinned value the # CertificateAudit OVAL check expects. The rule must FAIL. -FROM cgr.dev/chainguard/wolfi-base:latest@sha256:315732e5ca8b9f9285ed36ce9a5bb2a99f700ca8f0570d7061f9a4987fcf6688 +FROM cgr.dev/chainguard/wolfi-base:latest@sha256:cb2fc9d795bf874e660dbc25958cfa699b55e789235896ec7c354c57d3e3a704 LABEL dev.orbstack.add-ca-certificates=false diff --git a/tests/e2e/fixtures/non-https-repo/Dockerfile b/tests/e2e/fixtures/non-https-repo/Dockerfile index 0d1411d..c758f5a 100644 --- a/tests/e2e/fixtures/non-https-repo/Dockerfile +++ b/tests/e2e/fixtures/non-https-repo/Dockerfile @@ -6,7 +6,7 @@ # Injects a non-https repository URL into /etc/apk/repositories so the # textfilecontent54 pattern ^(?!\s*#)(?!.*https://).+$ must match at # least one line and the rule must FAIL. -FROM cgr.dev/chainguard/wolfi-base:latest@sha256:315732e5ca8b9f9285ed36ce9a5bb2a99f700ca8f0570d7061f9a4987fcf6688 +FROM cgr.dev/chainguard/wolfi-base:latest@sha256:cb2fc9d795bf874e660dbc25958cfa699b55e789235896ec7c354c57d3e3a704 LABEL dev.orbstack.add-ca-certificates=false diff --git a/tests/e2e/fixtures/remote-access-violation/Dockerfile b/tests/e2e/fixtures/remote-access-violation/Dockerfile index 519b1a3..2bcc57d 100644 --- a/tests/e2e/fixtures/remote-access-violation/Dockerfile +++ b/tests/e2e/fixtures/remote-access-violation/Dockerfile @@ -7,7 +7,7 @@ # RemoteAccessServices OVAL check must detect the package record under # /usr/lib/apk/db/installed and every RemoteAccessServices-backed rule # must FAIL. -FROM cgr.dev/chainguard/wolfi-base:latest@sha256:315732e5ca8b9f9285ed36ce9a5bb2a99f700ca8f0570d7061f9a4987fcf6688 +FROM cgr.dev/chainguard/wolfi-base:latest@sha256:cb2fc9d795bf874e660dbc25958cfa699b55e789235896ec7c354c57d3e3a704 LABEL dev.orbstack.add-ca-certificates=false