As per the discussion in there: https://github.com/sigstore/cosign-gatekeeper-provider/pull/24#pullrequestreview-1284605329.

Instead of using `go:1.20` as the base image in the `Dockerfile`, the proposal is to use `cgr.dev/chainguard/go`. If there is an agreement with that, let's have a dedicated PR opened for that.

Additionally, some questions top of mind with that:

1. `rekor` or `fulcio` are using `golang:1.20` and not
2. Based on 1., do we want to have this current project not do as the other projects do?
3. In the `Dockerfile`, the base image is in an `ARG`, which will prevent `dependabot` (#21) from updating this base image. Do we also want to change that?
4. In the other projects, `sha` is used for the `go:1.20` image, not here. Should we do that here too?
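A review aid for the two Dockerfile questions above (base image behind an `ARG`, and pinning by sha), added here as an example and not code from this issue or from the project. The function name `audit_base_images`, the sample Dockerfile and the digest value are constructed for illustration; only plain `$VAR` / `${VAR}` references with a default set on a global `ARG` are resolved.

```python
import re

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
ARG_RE = re.compile(r"^ARG\s+(\w+)(?:=(\S+))?", re.I)
FROM_RE = re.compile(r"^FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.I)
VAR_RE = re.compile(r"\$\{?(\w+)\}?")

# Constructed digest placeholder, not a real image digest.
FAKE_DIGEST = "sha256:" + "a" * 64

# Constructed sample Dockerfile, not the project's actual file.
SAMPLE = "\n".join([
    "ARG BUILDER_IMAGE=golang:1.20",
    "FROM ${BUILDER_IMAGE} AS builder",
    "RUN go build ./...",
    "FROM cgr.dev/chainguard/go@" + FAKE_DIGEST + " AS pinned",
    "FROM builder AS final",
])

def audit_base_images(dockerfile: str):
    """Return (line_no, image_ref, issue) for each FROM a reviewer should look at."""
    args, stages, findings = {}, set(), []
    seen_from = False
    for no, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.strip()
        if (m := ARG_RE.match(line)) and not seen_from:
            # Only ARGs declared before the first FROM are usable in FROM lines.
            args[m.group(1)] = m.group(2) or ""
            continue
        m = FROM_RE.match(line)
        if not m:
            continue
        seen_from = True
        ref, alias = m.groups()
        is_stage = ref.lower() in stages or ref == "scratch"
        if alias:
            stages.add(alias.lower())
        if is_stage:
            continue  # refers to an earlier build stage, not a registry image
        resolved = VAR_RE.sub(lambda v: args.get(v.group(1), ""), ref)
        if resolved != ref:
            findings.append((no, ref, "arg-indirection"))
        if not DIGEST_RE.search(resolved):
            findings.append((no, resolved, "not-pinned-by-digest"))
    return findings

if __name__ == "__main__":
    for finding in audit_base_images(SAMPLE):
        print(finding)
```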