From 16171eee8d6bd5de2bfc723f6116378262da9576 Mon Sep 17 00:00:00 2001
From: Thomas <9749173+uhthomas@users.noreply.github.com>
Date: Fri, 16 Jun 2023 16:28:41 +0100
Subject: [PATCH] pin image digests (#2754)

Manifest list digests can be found with:
```sh
docker buildx imagetools inspect python:3.11.4-bullseye
docker buildx imagetools inspect python:3.11.4-slim-bullseye
docker buildx imagetools inspect ghcr.io/nginxinc/nginx-unprivileged:1.25.0-alpine3.17
```
The node images are pinned in #2736 Fixes #2751 Partially fixes #2752
---
 machine-learning/Dockerfile | 6 ++++--
 nginx/Dockerfile | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/machine-learning/Dockerfile b/machine-learning/Dockerfile
index d98ed2d655..e49b00d3a0 100644
--- a/machine-learning/Dockerfile
+++ b/machine-learning/Dockerfile
@@ -1,4 +1,5 @@
-FROM python:3.11 as builder
+FROM python:3.11.4-bullseye@sha256:bede19c9a8999a5461a01a6c0e0893eaf3e712fccb28f547ba9d3391310f378b as builder
+
 ENV PYTHONDONTWRITEBYTECODE=1 \
 PYTHONUNBUFFERED=1 \
 PIP_NO_CACHE_DIR=true
@@ -12,7 +13,8 @@ ENV VIRTUAL_ENV="/opt/venv" PATH="/opt/venv/bin:${PATH}"
 COPY poetry.lock pyproject.toml ./
 RUN poetry install --sync --no-interaction --no-ansi --no-root --only main
-FROM python:3.11-slim
+FROM python:3.11.4-slim-bullseye@sha256:4102cb4b15a5c0c52068d3128f87b1d43e6a3b431714f4a65e8b8e91750c7c54
+
 WORKDIR /usr/src/app
 ENV NODE_ENV=production \
 TRANSFORMERS_CACHE=/cache \
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
index 78860ed7b6..3b8e6f333e 100644
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/nginxinc/nginx-unprivileged:1.23
+FROM ghcr.io/nginxinc/nginx-unprivileged:1.25.0-alpine3.17@sha256:e57300e9f60e521c5af3ec8fdc710285a371647e8033bcb8a36020c4394db3e3
 COPY LICENSE /licenses/LICENSE.txt
 COPY LICENSE /LICENSE
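Review bot: The digest on the builder `FROM` carries no comment saying how it was obtained or how to refresh it, and the same holds for the runtime `FROM` in the second hunk and for nginx/Dockerfile. Pinning by digest stops the tag from moving under the build, which also means base-image security fixes published later no longer arrive until someone bumps the digest by hand. I would put `# manifest-list digest; refresh with: docker buildx imagetools inspect python:3.11.4-bullseye` above the line, so the procedure from the commit message lives next to the pin. While the line is being edited, `as builder` could become `AS builder` to match the casing of `FROM`. The builder stage continues past the end of this hunk.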
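Review bot: Nothing on this line ties the runtime pin to the builder pin in the first hunk, so a later bump of one digest alone can leave the two stages on different Python patch releases or Debian releases. The builder sets up a virtualenv at /opt/venv, which is presumably copied into this stage further down (the stage runs on past the hunk), and compiled packages in it are tied to the interpreter and C library they were built against. A comment such as `# keep in step with the builder stage: same Python patch release, same Debian release` above the `FROM` would make that constraint visible to whoever bumps the digest next.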
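Review bot: The commit message and the Dockerfile are silent on the fact that this `FROM` also upgrades nginx and changes the image variant: the tag goes from `1.23` to `1.25.0-alpine3.17`. The old tag carried no `-alpine` suffix, so it was presumably the default Debian-based variant, which means the shell, package manager and C library in the image change along with the nginx release. Any later `RUN` step, entrypoint script or config in this image that assumes the previous userland should be checked; the rest of the file is outside the hunk. A comment such as `# alpine variant of nginx-unprivileged, pinned by manifest-list digest` above the `FROM` would record the choice.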