Lock tonistiigi/xx by digest (immutable)

Signed-off-by: Marco Franssen <[email protected]>

Author: marcofranssen

Dockerfile.scratch

@@ -10,7 +10,10 @@ RUN --mount=type=cache,target=/go/pkg/mod go mod download
 COPY . .
 
 # xx is a helper for cross-compilation
-FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.1.2 AS xx
+# when bumping to a new version analyze the new version for security issues
+# then use crane to lookup the digest of that version so we are immutable
+# crane digest tonistiigi/xx:1.1.2
+FROM --platform=$BUILDPLATFORM tonistiigi/xx@sha256:9dde7edeb9e4a957ce78be9f8c0fbabe0129bf5126933cd3574888f443731cda AS xx
 
 FROM --platform=${BUILDPLATFORM} base as builder
 ARG TARGETPLATFORM