
Add explicit "external-pins"

The goal of this directory is two-fold: to list the explicitly allowable external dependencies and to pin those external dependencies to a specific content-addressable digest such that we can update them in the same way we do everything else (and then trigger rebuilds properly based on them, too).
Tianon Gravi 2 سال پیش
والد
کامیت
98575e0538

+ 1 - 0
.external-pins/mcr.microsoft.com/windows/nanoserver:1809

@@ -0,0 +1 @@
+sha256:5c9da3bfe1524eab610dfd41c79a0805c080f8307d810d62bba106b5df587698

+ 1 - 0
.external-pins/mcr.microsoft.com/windows/nanoserver:ltsc2022

@@ -0,0 +1 @@
+sha256:f1125cf932664b039a55afb666bdca7dc28d453a88430fe47be763e0270638b6

+ 1 - 0
.external-pins/mcr.microsoft.com/windows/servercore:1809

@@ -0,0 +1 @@
+sha256:cbb8b0a709b4e0868cd2e30b1485358197b1021bb0dd4261e36b3af3ca48fd0b

+ 1 - 0
.external-pins/mcr.microsoft.com/windows/servercore:ltsc2022

@@ -0,0 +1 @@
+sha256:8d862016bcfad6040cb9ae0f21b024fe71b058ddb42a077c32a24bcb5fc04628

+ 1 - 0
.external-pins/redhat/ubi9-minimal:latest

@@ -0,0 +1 @@
+sha256:ecebade89b064d33e6e1405e4ec6e9b904e7c573a52b52d0f38026bb8d1db1f8

+ 2 - 2
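--- a/.github/workflows/.bashbrew/action.yml
+++ b/.github/workflows/.bashbrew/action.yml
@@ -10,8 +10,8 @@ runs:
 
     # these two version numbers are intentionally as close together as I could possibly get them because no matter what I tried, GitHub will not allow me to DRY them (can't have any useful variables in `uses:` and can't even have YAML references to steal it in `env:` or something)
     - shell: 'bash -Eeuo pipefail -x {0}'
-      run:    echo BASHBREW_VERSION=v0.1.5 >> "$GITHUB_ENV"
-    - uses: docker-library/[email protected].5
+      run:    echo BASHBREW_VERSION=v0.1.6 >> "$GITHUB_ENV"
+    - uses: docker-library/[email protected].6
       if: inputs.build == 'host'
 
     - run: docker build --pull --tag oisupport/bashbrew:base "https://github.com/docker-library/bashbrew.git#$BASHBREW_VERSION"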

+ 55 - 38
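--- a/naughty-from.sh
+++ b/naughty-from.sh
@@ -13,49 +13,66 @@ if [ "$#" -eq 0 ]; then
 	set -- '--all'
 fi
 
+externalPinsDir="$(dirname "$BASH_SOURCE")/.external-pins"
+declare -A externalPinsArchesCache=(
+	#[img:tag]='["arch","arch",...]' # (json array of strings)
+)
 _is_naughty() {
 	local from="$1"; shift
 
-	case "$BASHBREW_ARCH=$from" in
-		# a few images that no longer exist (and are thus not permissible)
-		# https://techcommunity.microsoft.com/t5/Containers/Removing-the-latest-Tag-An-Update-on-MCR/ba-p/393045
-		*=mcr.microsoft.com/windows/*:latest) return 0 ;;
-
-
-		# https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/base-image-lifecycle
-		#*=mcr.microsoft.com/windows/*:ltsc2022) return 0 ;; # "10/13/2026"
-		#*=mcr.microsoft.com/windows/*:20H2*)    return 0 ;; # "05/10/2022" *technically*, but its use is discouraged here given the existence of ltsc2022
-		*=mcr.microsoft.com/windows/*:2004*)    return 0 ;; # "12/14/2021"
-		*=mcr.microsoft.com/windows/*:1909*)    return 0 ;; # "05/11/2021"
-		*=mcr.microsoft.com/windows/*:1903*)    return 0 ;; # "12/08/2020"
-		#*=mcr.microsoft.com/windows/*:1809*)    return 0 ;; # "01/09/2024"
-		*=mcr.microsoft.com/windows/*:1803*)    return 0 ;; # "11/12/2019"
-		*=mcr.microsoft.com/windows/*:1709*)    return 0 ;; # "04/09/2019"
-		*=mcr.microsoft.com/windows/*:ltsc2016) return 0 ;; # "01/11/2022"
-		*=mcr.microsoft.com/windows/*:sac2016)  return 0 ;; # "10/09/2018"
-		*=mcr.microsoft.com/windows/*:1607*)    return 0 ;; # "10/09/2018"
-
-		# a few explicitly permissible exceptions to Santa's naughty list
-		*=scratch \
-		| amd64=docker.elastic.co/elasticsearch/elasticsearch:* \
-		| amd64=docker.elastic.co/kibana/kibana:* \
-		| amd64=docker.elastic.co/logstash/logstash:* \
-		| arm64v8=docker.elastic.co/elasticsearch/elasticsearch:* \
-		| arm64v8=docker.elastic.co/kibana/kibana:* \
-		| arm64v8=docker.elastic.co/logstash/logstash:* \
-		| windows-*=mcr.microsoft.com/windows/nanoserver:* \
-		| windows-*=mcr.microsoft.com/windows/servercore:* \
-		) return 1 ;;
-
-		# "x/y" and not an approved exception
-		*/*) return 0 ;;
+	case "$from" in
+		# "scratch" isn't a real image and is always permissible (on non-Windows)
+		scratch)
+			case "$BASHBREW_ARCH" in
+				windows-*) return 0 ;; # can't use "FROM scratch" on Windows
+				*)         return 1 ;; # can use "FROM scratch" everywhere else
+			esac
+			;;
+
+		# https://github.com/docker-library/official-images/pull/4916#issuecomment-427437270
+		  docker.elastic.co/elasticsearch/elasticsearch:*@sha256:* \
+		| docker.elastic.co/kibana/kibana:*@sha256:* \
+		| docker.elastic.co/logstash/logstash:*@sha256:* \
+		) ;; # *technically* we should only whitelist these for "elasticsearch", "kibana", and "logstash" respectively, but the chances of other folks trying to use them in their images (*and* doing so without us noticing) seems low
+
+		*/*)
+			# must be external, let's check our pins for acceptability
+			if [ -s "$externalPinsDir/$from" ]; then
+				local digest
+				digest="$(< "$externalPinsDir/$from")"
+				from+="@$digest"
+			else
+				# not pinned, must not be acceptable
+				return 0
+			fi
+			;;
 	esac
 
-	# must be some other official image AND support our current architecture
-	local archSupported
-	if archSupported="$(bashbrew cat --format '{{ .TagEntry.HasArchitecture arch | ternary arch "" }}' "$from")" && [ -n "$archSupported" ]; then
-		return 1
-	fi
+	case "$from" in
+		*/*@sha256:*)
+			if [ -z "${externalPinsArchesCache["$from"]:-}" ]; then
+				local remoteArches
+				if remoteArches="$(bashbrew remote arches --json "$from" | jq -c '.arches | keys')"; then
+					externalPinsArchesCache["$from"]="$remoteArches"
+				else
+					echo >&2 "warning: failed to query supported architectures of '$from'"
+					externalPinsArchesCache["$from"]='[]'
+				fi
+			fi
+			if jq <<<"${externalPinsArchesCache["$from"]}" -e 'index(env.BASHBREW_ARCH)' > /dev/null; then
+				# hooray, a supported architecture!
+				return 1
+			fi
+			;;
+
+		*)
+			# must be some other official image AND support our current architecture
+			local archSupported
+			if archSupported="$(bashbrew cat --format '{{ .TagEntry.HasArchitecture arch | ternary arch "" }}' "$from")" && [ -n "$archSupported" ]; then
+				return 1
+			fi
+			;;
+	esac
 
 	return 0
 }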
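Review bot: In the `*/*` branch the digest read from `$externalPinsDir/$from` is appended to `from` without any check on its shape, so a truncated or hand-edited pin file flows straight into `bashbrew remote arches` and into the warning text; adding `[[ "$digest" =~ ^sha256:[0-9a-f]{64}$ ]] || return 0` right after the read keeps the check fail-closed and rejects anything that is not a registry digest. That path is also built from `$from` exactly as it appears in the Dockerfile, so rejecting a `from` containing `..` before touching the filesystem is cheap insurance. The Elastic arm now only matches when the Dockerfile itself carries `@sha256:` and relies on falling through to the `*/*@sha256:*` arch check below; a short comment on the `) ;;` line such as `# pinned by the Dockerfile itself; arch support is checked below` would spare the next reader a search. The jq `index(env.BASHBREW_ARCH)` lookup presumes BASHBREW_ARCH is exported rather than merely set, which the script header outside this hunk presumably does — worth confirming, since with the variable unset every pinned image would read as unsupported.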

+ 18 - 0
update-external-pins.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+dir='.external-pins'
+
+if [ "$#" -eq 0 ]; then
+	images="$(find "$dir" -type f -printf '%P\n' | sort)"
+	set -- $images
+fi
+
+for img; do
+	echo -n "$img -> "
+	digest="$(bashbrew remote arches --json "$img" | jq -r '.desc.digest')"
+
+	imgDir="$(dirname "$dir/$img")"
+	mkdir -p "$imgDir"
+	echo "$digest" | tee "$dir/$img"
+done
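Review bot: The digest written to the pin file is never validated: if `.desc.digest` is absent from the `bashbrew remote arches` output, `jq -r` prints the literal `null`, the pipeline still exits 0 under `pipefail`, and `null` is written as the pin that naughty-from.sh later trusts. A guard before the write, `[[ "$digest" =~ ^sha256:[0-9a-f]{64}$ ]] || { echo >&2 "error: unexpected digest for '$img': '$digest'"; exit 1; }`, makes a bad lookup fail the run instead of committing a bogus pin. `set -- $images` depends on unquoted word-splitting of the `find` output; `mapfile -t images < <(find "$dir" -type f -printf '%P\n' | sort)` followed by `set -- "${images[@]}"` is the ShellCheck-clean equivalent. `echo -n "$img -> "` is better written `printf '%s -> ' "$img"`, and `-printf` ties the script to GNU find, which is fine if that is the intended environment but deserves a one-line comment.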