From 9f2f609bc12b1f633cf2c5cf69ccd3fa90d3cc54 Mon Sep 17 00:00:00 2001
From: Leo <leo@certus.one>
Date: Tue, 19 Jan 2021 16:15:54 +0100
Subject: [PATCH] Bump Go and pin all Docker images to digests

---
 DEVELOP.md                    | 2 +-
 Dockerfile.agent              | 2 +-
 bridge/Dockerfile             | 2 +-
 dev-install.sh                | 2 +-
 docs/operations.md            | 2 +-
 ethereum/Dockerfile           | 4 ++--
 solana/Dockerfile             | 2 +-
 terra/Dockerfile              | 6 +++---
 terra/devnet/Dockerfile       | 4 ++--
 third_party/abigen/Dockerfile | 2 +-
 third_party/solana/Dockerfile | 2 +-
 web/Dockerfile                | 2 +-
 12 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/DEVELOP.md b/DEVELOP.md
index e8d2a05af..757bc6a68 100644
--- a/DEVELOP.md
+++ b/DEVELOP.md
@@ -4,7 +4,7 @@
 
 The following dependencies are required for local development:
 
-- [Go](https://golang.org/dl/) >= 1.15.5
+- [Go](https://golang.org/dl/) >= 1.15.6
 - [Docker](https://docs.docker.com/engine/install/) / moby-engine >= 19.03
 - [Tilt](http://tilt.dev/) >= 0.17.10
 - Any of the local Kubernetes clusters supported by Tilt. 
diff --git a/Dockerfile.agent b/Dockerfile.agent
index c243a77bd..7abd9b31e 100644
--- a/Dockerfile.agent
+++ b/Dockerfile.agent
@@ -1,5 +1,5 @@
 # syntax=docker.io/docker/dockerfile:experimental@sha256:de85b2f3a3e8a2f7fe48e8e84a65f6fdd5cd5183afa6412fff9caa6871649c44
-FROM rust:1.48
+FROM rust:1.48@sha256:65e254fff15478af71d342706b1e73b26fd883f3432813c129665a97a74e2278
 
 RUN apt-get update && apt-get install -y libssl-dev libudev-dev pkg-config zlib1g-dev llvm clang ncat
 RUN rustup component add rustfmt
diff --git a/bridge/Dockerfile b/bridge/Dockerfile
index 4487c2aee..0e5352b52 100644
--- a/bridge/Dockerfile
+++ b/bridge/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker.io/docker/dockerfile:experimental@sha256:de85b2f3a3e8a2f7fe48e8e84a65f6fdd5cd5183afa6412fff9caa6871649c44
-FROM golang:1.15.5
+FROM golang:1.15.6@sha256:de97bab9325c4c3904f8f7fec8eb469169a1d247bdc97dcab38c2c75cf4b4c5d
 
 WORKDIR /app
 
diff --git a/dev-install.sh b/dev-install.sh
index 98d7cebf1..8a728565c 100755
--- a/dev-install.sh
+++ b/dev-install.sh
@@ -43,7 +43,7 @@ export PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/sbin:/bin
 
 # Install Go binaries.
 ARCH=amd64
-GO=1.15.5
+GO=1.15.6
 # TODO(leo): verify checksum
 
 (
diff --git a/docs/operations.md b/docs/operations.md
index 5ddc44584..65844fa43 100644
--- a/docs/operations.md
+++ b/docs/operations.md
@@ -49,7 +49,7 @@ Wormhole binaries from source. A Git repo is much harder to tamper with than rel
 
 To build Wormhole, you need:
 
-- [Go](https://golang.org/dl/) >= 1.15.5
+- [Go](https://golang.org/dl/) >= 1.15.6
 - [Rust](https://www.rust-lang.org/learn/get-started) >= 1.47.0
 
 ...plus the same library dependencies as Solana itself:
diff --git a/ethereum/Dockerfile b/ethereum/Dockerfile
index 1055fc59e..66438b40b 100644
--- a/ethereum/Dockerfile
+++ b/ethereum/Dockerfile
@@ -1,8 +1,8 @@
 # syntax=docker.io/docker/dockerfile:experimental@sha256:de85b2f3a3e8a2f7fe48e8e84a65f6fdd5cd5183afa6412fff9caa6871649c44
-FROM node:lts-alpine
+FROM node:lts-alpine@sha256:2ae9624a39ce437e7f58931a5747fdc60224c6e40f8980db90728de58e22af7c
 
 # npm wants to clone random Git repositories - lovely.
-RUN apk add git python make
+RUN apk add git python make build-base
 
 # Run as user, otherwise, npx explodes.
 USER 1000
diff --git a/solana/Dockerfile b/solana/Dockerfile
index 5749f6f87..8f80f85c4 100644
--- a/solana/Dockerfile
+++ b/solana/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker.io/docker/dockerfile:experimental@sha256:de85b2f3a3e8a2f7fe48e8e84a65f6fdd5cd5183afa6412fff9caa6871649c44
-FROM rust:1.48
+FROM rust:1.48@sha256:65e254fff15478af71d342706b1e73b26fd883f3432813c129665a97a74e2278
 
 RUN apt-get update && apt-get install -y libssl-dev libudev-dev pkg-config zlib1g-dev llvm clang
 RUN rustup component add rustfmt
diff --git a/terra/Dockerfile b/terra/Dockerfile
index 19a6470c4..cecafefe9 100644
--- a/terra/Dockerfile
+++ b/terra/Dockerfile
@@ -1,13 +1,13 @@
 # This is a multi-stage docker file, first stage builds contracts
 # And the second one creates node.js environment to deploy them
-FROM cosmwasm/workspace-optimizer:0.10.4 AS builder
+FROM cosmwasm/workspace-optimizer:0.10.4@sha256:a976db4ee7add887a6af26724b804bbd9e9d534554506447e72ac57e65357db9 AS builder
 ADD Cargo.lock /code/
 ADD Cargo.toml /code/
 ADD contracts /code/contracts
 RUN optimize_workspace.sh
 
 # Contract deployment stage
-FROM node:14
+FROM node:14@sha256:04a33dac55af8d3170bffc91ca31fe8000b96ae1bab1a090deb920ca2ca2a38e
 
 RUN npm update && npm i -g typescript ts-node
 
@@ -23,4 +23,4 @@ RUN npm install
 
 RUN ts-node --version
 
-ENTRYPOINT /app/tools/deploy.sh
\ No newline at end of file
+ENTRYPOINT /app/tools/deploy.sh
diff --git a/terra/devnet/Dockerfile b/terra/devnet/Dockerfile
index 427dd154f..1e4fac123 100644
--- a/terra/devnet/Dockerfile
+++ b/terra/devnet/Dockerfile
@@ -1,3 +1,3 @@
-FROM terramoney/localterra-core:0.4.5
+FROM terramoney/localterra-core:0.4.5@sha256:ff4f342325c81dc19fad216c2e3c2aa8777d9dc36bc3521a206ec321864da4e3
 
-ADD config /root/.terrad/config
\ No newline at end of file
+ADD config /root/.terrad/config
diff --git a/third_party/abigen/Dockerfile b/third_party/abigen/Dockerfile
index 3688832e9..390583b7f 100644
--- a/third_party/abigen/Dockerfile
+++ b/third_party/abigen/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.15.5-alpine
+FROM golang:1.15.6-alpine@sha256:49b4eac11640066bc72c74b70202478b7d431c7d8918e0973d6e4aeb8b3129d2
 
 RUN apk add curl git gcc libc-dev linux-headers
 
diff --git a/third_party/solana/Dockerfile b/third_party/solana/Dockerfile
index 4d16707d8..29aac29ea 100644
--- a/third_party/solana/Dockerfile
+++ b/third_party/solana/Dockerfile
@@ -3,7 +3,7 @@
 # Depend on our smart contract build - it's going to be linked directly into Solana as part the patch we carry.
 FROM solana-contract as contract
 
-FROM rust:1.48
+FROM rust:1.48@sha256:65e254fff15478af71d342706b1e73b26fd883f3432813c129665a97a74e2278
 
 RUN apt-get update && apt-get install -y libssl-dev libudev-dev pkg-config zlib1g-dev llvm clang
 RUN rustup component add rustfmt
diff --git a/web/Dockerfile b/web/Dockerfile
index f532d565f..4acc8e7d3 100644
--- a/web/Dockerfile
+++ b/web/Dockerfile
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:experimental
 
 # Derivative of ethereum/Dockerfile, look there for an explanation on how it works.
-FROM node:lts-alpine
+FROM node:lts-alpine@sha256:2ae9624a39ce437e7f58931a5747fdc60224c6e40f8980db90728de58e22af7c
 
 USER 1000
 RUN mkdir -p /home/node/app