Stop hash pinning docker images#421
Merged
Merged
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
EthanHeilman
force-pushed
the
move-to-stable
branch
from
b3e668e to
76ad5ce
Compare
EthanHeilman
force-pushed
the
move-to-stable
branch
from
76ad5ce to
89b4189
Compare
renovate Bot
added a commit
to sdwilsh/ansible-playbooks
that referenced
this pull request
Jan 5, 2026
##### [\`v0.11.0\`](https://github.com/openpubkey/opkssh/releases/tag/v0.11.0) ##### 🚀 Features - Add support for custom group claims [@mvanderlee](https://github.com/mvanderlee) ([#133](openpubkey/opkssh#133)) - feat: Flag to print SSH cert and private key rather than FS [@EthanHeilman](https://github.com/EthanHeilman) ([#437](openpubkey/opkssh#437)) - feat: Process extra arguments to the verify command [@justincmoy](https://github.com/justincmoy) ([#436](openpubkey/opkssh#436)) - Add warning message when email claim is missing from ID token @[copilot-swe-agent\[bot\]](https://github.com/apps/copilot-swe-agent) ([#374](openpubkey/opkssh#374)) - \[feat] Add new "inspect" subcommand [@stmcginnis](https://github.com/stmcginnis) ([#349](openpubkey/opkssh#349)) - Add CLI reference documentation [@stmcginnis](https://github.com/stmcginnis) ([#365](openpubkey/opkssh#365)) - Include signature JSON in `inspect` output [@stmcginnis](https://github.com/stmcginnis) ([#358](openpubkey/opkssh#358)) - - docs: Add Amazon Cognito as tested provider [@Foorack](https://github.com/Foorack) ([#414](openpubkey/opkssh#414)) - docs: Add documentation for opkssh and sssd integration [@vigneshmanick](https://github.com/vigneshmanick) ([#409](openpubkey/opkssh#409)) - Added SELinux support for sudo logging [@descensus](https://github.com/descensus) ([#376](openpubkey/opkssh#376)) - Update CLI documentation @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#368](openpubkey/opkssh#368)) ##### 🐛 Bug Fixes - Fix race condition in ReadHome [@gcorrall](https://github.com/gcorrall) ([#391](openpubkey/opkssh#391)) - \[fix] Use lowercase for positional argument placeholders [@t38miwa](https://github.com/t38miwa) ([#361](openpubkey/opkssh#361)) - fix typo in commands/verify.go [@DevRockstarZ](https://github.com/DevRockstarZ) ([#336](openpubkey/opkssh#336)) - Doc: fix small errors in policy plugin doc [@PotatoesMaster](https://github.com/PotatoesMaster) ([#344](openpubkey/opkssh#344)) - Correct macOS name [@stmcginnis](https://github.com/stmcginnis) ([#341](openpubkey/opkssh#341)) ##### 🧰 Maintenance - chore: document upstream nix usage & remove nix flake [@datosh](https://github.com/datosh) ([#383](openpubkey/opkssh#383)) - Update CLI documentation @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#438](openpubkey/opkssh#438)) - Stop hash pinning docker images [@EthanHeilman](https://github.com/EthanHeilman) ([#421](openpubkey/opkssh#421)) - \[fix] Fix ssh version integration test [@EthanHeilman](https://github.com/EthanHeilman) ([#362](openpubkey/opkssh#362)) - Fix integration tests failing due to pacman keys [@EthanHeilman](https://github.com/EthanHeilman) ([#432](openpubkey/opkssh#432)) - fix(deps): Update docker/setup-buildx-action action to v3.12.0 @[renovate\[bot\]](https://github.com/apps/renovate) ([#426](openpubkey/opkssh#426)) - fix(deps): Update zizmorcore/zizmor-action action to v0.3.0 @[renovate\[bot\]](https://github.com/apps/renovate) ([#413](openpubkey/opkssh#413)) - fix(deps): Update peter-evans/create-pull-request action to v8 @[renovate\[bot\]](https://github.com/apps/renovate) ([#418](openpubkey/opkssh#418)) - fix(deps): Update zizmorcore/zizmor-action action to v0.2.0 @[renovate\[bot\]](https://github.com/apps/renovate) ([#335](openpubkey/opkssh#335)) - fix(deps): Update peter-evans/create-pull-request action to v7.0.9 @[renovate\[bot\]](https://github.com/apps/renovate) ([#407](openpubkey/opkssh#407))
sdwilsh
pushed a commit
to sdwilsh/ansible-playbooks
that referenced
this pull request
Jan 13, 2026
##### [\`v0.11.0\`](https://github.com/openpubkey/opkssh/releases/tag/v0.11.0) ##### 🚀 Features - Add support for custom group claims [@mvanderlee](https://github.com/mvanderlee) ([#133](openpubkey/opkssh#133)) - feat: Flag to print SSH cert and private key rather than FS [@EthanHeilman](https://github.com/EthanHeilman) ([#437](openpubkey/opkssh#437)) - feat: Process extra arguments to the verify command [@justincmoy](https://github.com/justincmoy) ([#436](openpubkey/opkssh#436)) - Add warning message when email claim is missing from ID token @[copilot-swe-agent\[bot\]](https://github.com/apps/copilot-swe-agent) ([#374](openpubkey/opkssh#374)) - \[feat] Add new "inspect" subcommand [@stmcginnis](https://github.com/stmcginnis) ([#349](openpubkey/opkssh#349)) - Add CLI reference documentation [@stmcginnis](https://github.com/stmcginnis) ([#365](openpubkey/opkssh#365)) - Include signature JSON in `inspect` output [@stmcginnis](https://github.com/stmcginnis) ([#358](openpubkey/opkssh#358)) - - docs: Add Amazon Cognito as tested provider [@Foorack](https://github.com/Foorack) ([#414](openpubkey/opkssh#414)) - docs: Add documentation for opkssh and sssd integration [@vigneshmanick](https://github.com/vigneshmanick) ([#409](openpubkey/opkssh#409)) - Added SELinux support for sudo logging [@descensus](https://github.com/descensus) ([#376](openpubkey/opkssh#376)) - Update CLI documentation @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#368](openpubkey/opkssh#368)) ##### 🐛 Bug Fixes - Fix race condition in ReadHome [@gcorrall](https://github.com/gcorrall) ([#391](openpubkey/opkssh#391)) - \[fix] Use lowercase for positional argument placeholders [@t38miwa](https://github.com/t38miwa) ([#361](openpubkey/opkssh#361)) - fix typo in commands/verify.go [@DevRockstarZ](https://github.com/DevRockstarZ) ([#336](openpubkey/opkssh#336)) - Doc: fix small errors in policy plugin doc [@PotatoesMaster](https://github.com/PotatoesMaster) ([#344](openpubkey/opkssh#344)) - Correct macOS name [@stmcginnis](https://github.com/stmcginnis) ([#341](openpubkey/opkssh#341)) ##### 🧰 Maintenance - chore: document upstream nix usage & remove nix flake [@datosh](https://github.com/datosh) ([#383](openpubkey/opkssh#383)) - Update CLI documentation @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#438](openpubkey/opkssh#438)) - Stop hash pinning docker images [@EthanHeilman](https://github.com/EthanHeilman) ([#421](openpubkey/opkssh#421)) - \[fix] Fix ssh version integration test [@EthanHeilman](https://github.com/EthanHeilman) ([#362](openpubkey/opkssh#362)) - Fix integration tests failing due to pacman keys [@EthanHeilman](https://github.com/EthanHeilman) ([#432](openpubkey/opkssh#432)) - fix(deps): Update docker/setup-buildx-action action to v3.12.0 @[renovate\[bot\]](https://github.com/apps/renovate) ([#426](openpubkey/opkssh#426)) - fix(deps): Update zizmorcore/zizmor-action action to v0.3.0 @[renovate\[bot\]](https://github.com/apps/renovate) ([#413](openpubkey/opkssh#413)) - fix(deps): Update peter-evans/create-pull-request action to v8 @[renovate\[bot\]](https://github.com/apps/renovate) ([#418](openpubkey/opkssh#418)) - fix(deps): Update zizmorcore/zizmor-action action to v0.2.0 @[renovate\[bot\]](https://github.com/apps/renovate) ([#335](openpubkey/opkssh#335)) - fix(deps): Update peter-evans/create-pull-request action to v7.0.9 @[renovate\[bot\]](https://github.com/apps/renovate) ([#407](openpubkey/opkssh#407))
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Updating the docker image hashes 5 times a week was too much work, especially as it often broke tests when image could not be found. This PR removes the docker image hash pinning.
The main dependency I can't remove the pinning is in the
Shell Scripts Lint & Testas moving to opensuse leap 16.0 breaks the bash tests since opensuse leap 16.0 does not support python313-bashate. When I installed bashate via pip, this version of bashate didn't work well with the existing bash unittests.