From cfdc623c4d47fa5e8a12968ee100199cfb33442a Mon Sep 17 00:00:00 2001
From: Samuel Attard <sam@electronjs.org>
Date: Thu, 13 Jun 2024 16:35:47 -0500
Subject: [PATCH] build: pin and dedupe build image sha (#42488)

---
 .github/workflows/build.yml                      | 16 +++++++++++-----
 .github/workflows/linux-publish.yml              | 12 ++++++++----
 .github/workflows/macos-publish.yml              |  7 ++++++-
 .../workflows/pipeline-segment-node-nan-test.yml |  8 ++------
 4 files changed, 27 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 23f98be5ec..c6d8cb876f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -2,6 +2,12 @@ name: Build
 
 on:
   workflow_dispatch:
+    inputs:
+      build-image-sha:
+        type: string
+        description: 'SHA for electron/build image'
+        default: 'cf814a4d2501e8e843caea071a6b70a48e78b855'
+        required: true
   # push
   # pull_request:
 
@@ -10,7 +16,7 @@ jobs:
   checkout-macos:
     runs-on: aks-linux-large
     container:
-      image: ghcr.io/electron/build:latest
+      image: ghcr.io/electron/build:${{ inputs.build-image-sha }}
       options: --user root
       volumes:
         - /mnt/cross-instance-cache:/mnt/cross-instance-cache
@@ -30,7 +36,7 @@ jobs:
   checkout-linux:
     runs-on: aks-linux-large
     container:
-      image: ghcr.io/electron/build:latest
+      image: ghcr.io/electron/build:${{ inputs.build-image-sha }}
       options: --user root
       volumes:
         - /mnt/cross-instance-cache:/mnt/cross-instance-cache
@@ -80,7 +86,7 @@ jobs:
     with:
       build-runs-on: aks-linux-large
       test-runs-on: aks-linux-medium
-      build-container: '{"image":"ghcr.io/electron/build:latest","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
+      build-container: '{"image":"ghcr.io/electron/build:${{ inputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
       target-platform: linux
       target-arch: x64
       is-release: false
@@ -95,7 +101,7 @@ jobs:
     with:
       build-runs-on: aks-linux-large
       test-runs-on: aks-linux-medium
-      build-container: '{"image":"ghcr.io/electron/build:latest","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
+      build-container: '{"image":"ghcr.io/electron/build:${{ inputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
       target-platform: linux
       target-arch: arm
       is-release: false
@@ -110,7 +116,7 @@ jobs:
     with:
       build-runs-on: aks-linux-large
       test-runs-on: aks-linux-medium
-      build-container: '{"image":"ghcr.io/electron/build:latest","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
+      build-container: '{"image":"ghcr.io/electron/build:${{ inputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
       target-platform: linux
       target-arch: arm64
       is-release: false
diff --git a/.github/workflows/linux-publish.yml b/.github/workflows/linux-publish.yml
index 65cca48697..ccbe22123b 100644
--- a/.github/workflows/linux-publish.yml
+++ b/.github/workflows/linux-publish.yml
@@ -3,6 +3,10 @@ name: Publish Linux
 on:
   workflow_dispatch:
     inputs:
+      build-image-sha:
+        type: string
+        description: 'SHA for electron/build image'
+        default: 'cf814a4d2501e8e843caea071a6b70a48e78b855'
       upload-to-storage:
         description: 'Uploads to Azure storage'
         required: false
@@ -17,7 +21,7 @@ jobs:
   checkout-linux:
     runs-on: aks-linux-large
     container:
-      image: ghcr.io/electron/build:latest
+      image: ghcr.io/electron/build:${{ inputs.build-image-sha }}
       options: --user root
       volumes:
         - /mnt/cross-instance-cache:/mnt/cross-instance-cache
@@ -40,7 +44,7 @@ jobs:
     needs: checkout-linux
     with:
       build-runs-on: aks-linux-large
-      build-container: '{"image":"ghcr.io/electron/build:latest","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
+      build-container: '{"image":"ghcr.io/electron/build:${{ inputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
       target-platform: linux
       target-arch: x64
       is-release: true
@@ -54,7 +58,7 @@ jobs:
     needs: checkout-linux
     with:
       build-runs-on: aks-linux-large
-      build-container: '{"image":"ghcr.io/electron/build:latest","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
+      build-container: '{"image":"ghcr.io/electron/build:${{ inputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
       target-platform: linux
       target-arch: arm
       is-release: true
@@ -68,7 +72,7 @@ jobs:
     needs: checkout-linux
     with:
       build-runs-on: aks-linux-large
-      build-container: '{"image":"ghcr.io/electron/build:latest","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
+      build-container: '{"image":"ghcr.io/electron/build:${{ inputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
       target-platform: linux
       target-arch: arm64
       is-release: true
diff --git a/.github/workflows/macos-publish.yml b/.github/workflows/macos-publish.yml
index 0efc34855e..b91d96e373 100644
--- a/.github/workflows/macos-publish.yml
+++ b/.github/workflows/macos-publish.yml
@@ -3,6 +3,11 @@ name: Publish MacOS
 on:
   workflow_dispatch:
     inputs:
+      build-image-sha:
+        type: string
+        description: 'SHA for electron/build image'
+        default: 'cf814a4d2501e8e843caea071a6b70a48e78b855'
+        required: true
       upload-to-storage:
         description: 'Uploads to Azure storage'
         required: false
@@ -17,7 +22,7 @@ jobs:
   checkout-macos:
     runs-on: aks-linux-large
     container:
-      image: ghcr.io/electron/build:latest
+      image: ghcr.io/electron/build:${{ inputs.build-image-sha }}
       options: --user root
       volumes:
         - /mnt/cross-instance-cache:/mnt/cross-instance-cache
diff --git a/.github/workflows/pipeline-segment-node-nan-test.yml b/.github/workflows/pipeline-segment-node-nan-test.yml
index b9cca6fa6f..cd3002f461 100644
--- a/.github/workflows/pipeline-segment-node-nan-test.yml
+++ b/.github/workflows/pipeline-segment-node-nan-test.yml
@@ -41,9 +41,7 @@ jobs:
     timeout-minutes: 20
     env: 
       TARGET_ARCH: ${{ inputs.target-arch }}
-    container:
-      image: ghcr.io/electron/build:latest
-      options: --user root
+    container: ${{ fromJSON(inputs.test-container) }}
     steps:
     - name: Load Build Tools
       run: |
@@ -105,9 +103,7 @@ jobs:
     timeout-minutes: 20
     env: 
       TARGET_ARCH: ${{ inputs.target-arch }}
-    container:
-      image: ghcr.io/electron/build:latest
-      options: --user root
+    container: ${{ fromJSON(inputs.test-container) }}
     steps:
     - name: Load Build Tools
       run: |