From 8e20568b9f5d8bd6dcdbe7550805f68f6852266f Mon Sep 17 00:00:00 2001 From: Wes Morgan Date: Tue, 16 Jun 2026 12:04:33 -0600 Subject: [PATCH 1/2] Pin expected commit when building Leiningen from source docker-library/official-images asked that we verify the clone's checked-out commit matches the expected SHA, in case an upstream tag is ever moved (belt-and-suspenders with git verify-tag). Record the expected HEAD commit per Leiningen release in lein/release-commits and assert it after cloning. --- resources/templates/lein.tmpl | 5 +++-- src/docker_clojure/dockerfile/lein.clj | 14 ++++++++++++++ 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/resources/templates/lein.tmpl b/resources/templates/lein.tmpl index ec64fe5f..e67fe478 100644 --- a/resources/templates/lein.tmpl +++ b/resources/templates/lein.tmpl @@ -4,8 +4,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ {% for dep in install-deps %}{{dep}} && \ {% endfor %}export GNUPGHOME="$(mktemp -d)" && \ @@ -15,6 +15,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys {{gpg-key}} && \ git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "{{lein-commit}}" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/src/docker_clojure/dockerfile/lein.clj b/src/docker_clojure/dockerfile/lein.clj index 49a68a4c..51fa4996 100644 --- a/src/docker_clojure/dockerfile/lein.clj +++ b/src/docker_clojure/dockerfile/lein.clj @@ -30,10 +30,24 @@ ;; Leiningen release tags are signed with this key (Phil Hagelberg). (def ^:const signing-key "9D13D9426A0814B3373CF5E3D8A8243577A7859F") +;; The commit each release tag is expected to point at. After cloning we assert +;; HEAD matches, so a moved or re-pointed upstream tag can't slip a different +;; commit past us (belt-and-suspenders with `git verify-tag`). Requested by the +;; docker-library/official-images maintainers. +(def release-commits + {"2.13.0" "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030"}) + +(defn release-commit [version] + (or (get release-commits version) + (throw (ex-info (str "No known Git commit for Leiningen " version + "; add it to lein/release-commits before building.") + {:lein-version version})))) + (defn install [_installer-hashes {:keys [build-tool-version] :as variant}] (render-template "templates/lein.tmpl" {:lein-version build-tool-version + :lein-commit (release-commit build-tool-version) :clojure-version bundled-clojure-version :gpg-key signing-key :install-deps (install-deps variant) From d963a6e262cf2e9da98f416f6419addb01b69e21 Mon Sep 17 00:00:00 2001 From: Wes Morgan Date: Tue, 16 Jun 2026 12:04:33 -0600 Subject: [PATCH 2/2] Regenerate lein Dockerfiles with commit pin --- target/debian-bookworm-11/lein/Dockerfile | 5 +++-- target/debian-bookworm-17/lein/Dockerfile | 5 +++-- target/debian-bookworm-21/lein/Dockerfile | 5 +++-- target/debian-bookworm-25/latest/Dockerfile | 5 +++-- target/debian-bookworm-25/lein/Dockerfile | 5 +++-- target/debian-bookworm-26/lein/Dockerfile | 5 +++-- target/debian-bookworm-slim-11/lein/Dockerfile | 5 +++-- target/debian-bookworm-slim-17/lein/Dockerfile | 5 +++-- target/debian-bookworm-slim-21/lein/Dockerfile | 5 +++-- target/debian-bookworm-slim-25/lein/Dockerfile | 5 +++-- target/debian-bookworm-slim-26/lein/Dockerfile | 5 +++-- target/debian-bullseye-11/lein/Dockerfile | 5 +++-- target/debian-bullseye-17/lein/Dockerfile | 5 +++-- target/debian-bullseye-21/lein/Dockerfile | 5 +++-- target/debian-bullseye-25/lein/Dockerfile | 5 +++-- target/debian-bullseye-26/lein/Dockerfile | 5 +++-- target/debian-bullseye-slim-11/lein/Dockerfile | 5 +++-- target/debian-bullseye-slim-17/lein/Dockerfile | 5 +++-- target/debian-bullseye-slim-21/lein/Dockerfile | 5 +++-- target/debian-bullseye-slim-25/lein/Dockerfile | 5 +++-- target/debian-bullseye-slim-26/lein/Dockerfile | 5 +++-- target/debian-trixie-11/lein/Dockerfile | 5 +++-- target/debian-trixie-17/lein/Dockerfile | 5 +++-- target/debian-trixie-21/lein/Dockerfile | 5 +++-- target/debian-trixie-25/lein/Dockerfile | 5 +++-- target/debian-trixie-26/lein/Dockerfile | 5 +++-- target/debian-trixie-slim-11/lein/Dockerfile | 5 +++-- target/debian-trixie-slim-17/lein/Dockerfile | 5 +++-- target/debian-trixie-slim-21/lein/Dockerfile | 5 +++-- target/debian-trixie-slim-25/lein/Dockerfile | 5 +++-- target/debian-trixie-slim-26/lein/Dockerfile | 5 +++-- target/eclipse-temurin-11-jdk-alpine/lein/Dockerfile | 5 +++-- target/eclipse-temurin-11-jdk-jammy/lein/Dockerfile | 5 +++-- target/eclipse-temurin-11-jdk-noble/lein/Dockerfile | 5 +++-- target/eclipse-temurin-17-jdk-alpine/lein/Dockerfile | 5 +++-- target/eclipse-temurin-17-jdk-jammy/lein/Dockerfile | 5 +++-- target/eclipse-temurin-17-jdk-noble/lein/Dockerfile | 5 +++-- target/eclipse-temurin-21-jdk-alpine/lein/Dockerfile | 5 +++-- target/eclipse-temurin-21-jdk-jammy/lein/Dockerfile | 5 +++-- target/eclipse-temurin-21-jdk-noble/lein/Dockerfile | 5 +++-- target/eclipse-temurin-25-jdk-alpine/lein/Dockerfile | 5 +++-- target/eclipse-temurin-25-jdk-noble/lein/Dockerfile | 5 +++-- target/eclipse-temurin-26-jdk-alpine/lein/Dockerfile | 5 +++-- target/eclipse-temurin-26-jdk-noble/lein/Dockerfile | 5 +++-- 44 files changed, 132 insertions(+), 88 deletions(-) diff --git a/target/debian-bookworm-11/lein/Dockerfile b/target/debian-bookworm-11/lein/Dockerfile index 7f790324..783b2c9a 100644 --- a/target/debian-bookworm-11/lein/Dockerfile +++ b/target/debian-bookworm-11/lein/Dockerfile @@ -10,8 +10,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y make maven git gnupg && \ @@ -23,6 +23,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/debian-bookworm-17/lein/Dockerfile b/target/debian-bookworm-17/lein/Dockerfile index 5ce2af39..b843adb1 100644 --- a/target/debian-bookworm-17/lein/Dockerfile +++ b/target/debian-bookworm-17/lein/Dockerfile @@ -10,8 +10,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y make maven git gnupg && \ @@ -23,6 +23,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/debian-bookworm-21/lein/Dockerfile b/target/debian-bookworm-21/lein/Dockerfile index bd9b075e..8484d446 100644 --- a/target/debian-bookworm-21/lein/Dockerfile +++ b/target/debian-bookworm-21/lein/Dockerfile @@ -10,8 +10,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y make maven git gnupg && \ @@ -23,6 +23,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/debian-bookworm-25/latest/Dockerfile b/target/debian-bookworm-25/latest/Dockerfile index d64aaad4..f7f849a6 100644 --- a/target/debian-bookworm-25/latest/Dockerfile +++ b/target/debian-bookworm-25/latest/Dockerfile @@ -12,8 +12,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y make maven git gnupg && \ @@ -25,6 +25,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/debian-bookworm-25/lein/Dockerfile b/target/debian-bookworm-25/lein/Dockerfile index 10bbf769..9dcd08b8 100644 --- a/target/debian-bookworm-25/lein/Dockerfile +++ b/target/debian-bookworm-25/lein/Dockerfile @@ -10,8 +10,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y make maven git gnupg && \ @@ -23,6 +23,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/debian-bookworm-26/lein/Dockerfile b/target/debian-bookworm-26/lein/Dockerfile index 751489fa..8ff31214 100644 --- a/target/debian-bookworm-26/lein/Dockerfile +++ b/target/debian-bookworm-26/lein/Dockerfile @@ -10,8 +10,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y make maven git gnupg && \ @@ -23,6 +23,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/debian-bookworm-slim-11/lein/Dockerfile b/target/debian-bookworm-slim-11/lein/Dockerfile index dbb42022..3db70d81 100644 --- a/target/debian-bookworm-slim-11/lein/Dockerfile +++ b/target/debian-bookworm-slim-11/lein/Dockerfile @@ -10,8 +10,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y maven git gnupg && \ @@ -23,6 +23,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/debian-bookworm-slim-17/lein/Dockerfile b/target/debian-bookworm-slim-17/lein/Dockerfile index f0ad141c..bd12b81c 100644 --- a/target/debian-bookworm-slim-17/lein/Dockerfile +++ b/target/debian-bookworm-slim-17/lein/Dockerfile @@ -10,8 +10,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y maven git gnupg && \ @@ -23,6 +23,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/debian-bookworm-slim-21/lein/Dockerfile b/target/debian-bookworm-slim-21/lein/Dockerfile index 62ad9284..31f36d8f 100644 --- a/target/debian-bookworm-slim-21/lein/Dockerfile +++ b/target/debian-bookworm-slim-21/lein/Dockerfile @@ -10,8 +10,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y maven git gnupg && \ @@ -23,6 +23,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/debian-bookworm-slim-25/lein/Dockerfile b/target/debian-bookworm-slim-25/lein/Dockerfile index df51df81..852c8182 100644 --- a/target/debian-bookworm-slim-25/lein/Dockerfile +++ b/target/debian-bookworm-slim-25/lein/Dockerfile @@ -10,8 +10,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y maven git gnupg && \ @@ -23,6 +23,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/debian-bookworm-slim-26/lein/Dockerfile b/target/debian-bookworm-slim-26/lein/Dockerfile index 3d95c3c9..f536304c 100644 --- a/target/debian-bookworm-slim-26/lein/Dockerfile +++ b/target/debian-bookworm-slim-26/lein/Dockerfile @@ -10,8 +10,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y maven git gnupg && \ @@ -23,6 +23,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/debian-bullseye-11/lein/Dockerfile b/target/debian-bullseye-11/lein/Dockerfile index e7d9eafb..3841c9ab 100644 --- a/target/debian-bullseye-11/lein/Dockerfile +++ b/target/debian-bullseye-11/lein/Dockerfile @@ -10,8 +10,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y make maven git gnupg && \ @@ -23,6 +23,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/debian-bullseye-17/lein/Dockerfile b/target/debian-bullseye-17/lein/Dockerfile index 3b06b4f5..7e999119 100644 --- a/target/debian-bullseye-17/lein/Dockerfile +++ b/target/debian-bullseye-17/lein/Dockerfile @@ -10,8 +10,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y make maven git gnupg && \ @@ -23,6 +23,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/debian-bullseye-21/lein/Dockerfile b/target/debian-bullseye-21/lein/Dockerfile index 4a8a87ee..4eb94329 100644 --- a/target/debian-bullseye-21/lein/Dockerfile +++ b/target/debian-bullseye-21/lein/Dockerfile @@ -10,8 +10,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y make maven git gnupg && \ @@ -23,6 +23,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/debian-bullseye-25/lein/Dockerfile b/target/debian-bullseye-25/lein/Dockerfile index 9ab962df..dfa5c2e7 100644 --- a/target/debian-bullseye-25/lein/Dockerfile +++ b/target/debian-bullseye-25/lein/Dockerfile @@ -10,8 +10,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y make maven git gnupg && \ @@ -23,6 +23,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/debian-bullseye-26/lein/Dockerfile b/target/debian-bullseye-26/lein/Dockerfile index 7802b8e2..a7930cee 100644 --- a/target/debian-bullseye-26/lein/Dockerfile +++ b/target/debian-bullseye-26/lein/Dockerfile @@ -10,8 +10,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y make maven git gnupg && \ @@ -23,6 +23,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/debian-bullseye-slim-11/lein/Dockerfile b/target/debian-bullseye-slim-11/lein/Dockerfile index 6b5f98ec..0184e2e1 100644 --- a/target/debian-bullseye-slim-11/lein/Dockerfile +++ b/target/debian-bullseye-slim-11/lein/Dockerfile @@ -10,8 +10,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y maven git gnupg && \ @@ -23,6 +23,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/debian-bullseye-slim-17/lein/Dockerfile b/target/debian-bullseye-slim-17/lein/Dockerfile index c21b6374..c03f57d1 100644 --- a/target/debian-bullseye-slim-17/lein/Dockerfile +++ b/target/debian-bullseye-slim-17/lein/Dockerfile @@ -10,8 +10,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y maven git gnupg && \ @@ -23,6 +23,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/debian-bullseye-slim-21/lein/Dockerfile b/target/debian-bullseye-slim-21/lein/Dockerfile index 5c9513f1..7164d311 100644 --- a/target/debian-bullseye-slim-21/lein/Dockerfile +++ b/target/debian-bullseye-slim-21/lein/Dockerfile @@ -10,8 +10,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y maven git gnupg && \ @@ -23,6 +23,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/debian-bullseye-slim-25/lein/Dockerfile b/target/debian-bullseye-slim-25/lein/Dockerfile index 67bafde6..f4d229b2 100644 --- a/target/debian-bullseye-slim-25/lein/Dockerfile +++ b/target/debian-bullseye-slim-25/lein/Dockerfile @@ -10,8 +10,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y maven git gnupg && \ @@ -23,6 +23,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/debian-bullseye-slim-26/lein/Dockerfile b/target/debian-bullseye-slim-26/lein/Dockerfile index 2f736e39..5cfce4f8 100644 --- a/target/debian-bullseye-slim-26/lein/Dockerfile +++ b/target/debian-bullseye-slim-26/lein/Dockerfile @@ -10,8 +10,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y maven git gnupg && \ @@ -23,6 +23,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/debian-trixie-11/lein/Dockerfile b/target/debian-trixie-11/lein/Dockerfile index dde3f2f4..1d2de0fa 100644 --- a/target/debian-trixie-11/lein/Dockerfile +++ b/target/debian-trixie-11/lein/Dockerfile @@ -10,8 +10,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y make maven git gnupg && \ @@ -23,6 +23,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/debian-trixie-17/lein/Dockerfile b/target/debian-trixie-17/lein/Dockerfile index 092872d4..7989af88 100644 --- a/target/debian-trixie-17/lein/Dockerfile +++ b/target/debian-trixie-17/lein/Dockerfile @@ -10,8 +10,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y make maven git gnupg && \ @@ -23,6 +23,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/debian-trixie-21/lein/Dockerfile b/target/debian-trixie-21/lein/Dockerfile index bd82ee8e..e4785479 100644 --- a/target/debian-trixie-21/lein/Dockerfile +++ b/target/debian-trixie-21/lein/Dockerfile @@ -10,8 +10,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y make maven git gnupg && \ @@ -23,6 +23,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/debian-trixie-25/lein/Dockerfile b/target/debian-trixie-25/lein/Dockerfile index fa1f090e..e0cf9c62 100644 --- a/target/debian-trixie-25/lein/Dockerfile +++ b/target/debian-trixie-25/lein/Dockerfile @@ -10,8 +10,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y make maven git gnupg && \ @@ -23,6 +23,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/debian-trixie-26/lein/Dockerfile b/target/debian-trixie-26/lein/Dockerfile index c4d43592..e7bc73a3 100644 --- a/target/debian-trixie-26/lein/Dockerfile +++ b/target/debian-trixie-26/lein/Dockerfile @@ -10,8 +10,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y make maven git gnupg && \ @@ -23,6 +23,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/debian-trixie-slim-11/lein/Dockerfile b/target/debian-trixie-slim-11/lein/Dockerfile index b54defe3..cfa4a9e2 100644 --- a/target/debian-trixie-slim-11/lein/Dockerfile +++ b/target/debian-trixie-slim-11/lein/Dockerfile @@ -10,8 +10,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y maven git gnupg && \ @@ -23,6 +23,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/debian-trixie-slim-17/lein/Dockerfile b/target/debian-trixie-slim-17/lein/Dockerfile index b51b6a54..e056c421 100644 --- a/target/debian-trixie-slim-17/lein/Dockerfile +++ b/target/debian-trixie-slim-17/lein/Dockerfile @@ -10,8 +10,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y maven git gnupg && \ @@ -23,6 +23,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/debian-trixie-slim-21/lein/Dockerfile b/target/debian-trixie-slim-21/lein/Dockerfile index 0b70a57d..923af1bf 100644 --- a/target/debian-trixie-slim-21/lein/Dockerfile +++ b/target/debian-trixie-slim-21/lein/Dockerfile @@ -10,8 +10,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y maven git gnupg && \ @@ -23,6 +23,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/debian-trixie-slim-25/lein/Dockerfile b/target/debian-trixie-slim-25/lein/Dockerfile index 86af9227..da3f5f4d 100644 --- a/target/debian-trixie-slim-25/lein/Dockerfile +++ b/target/debian-trixie-slim-25/lein/Dockerfile @@ -10,8 +10,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y maven git gnupg && \ @@ -23,6 +23,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/debian-trixie-slim-26/lein/Dockerfile b/target/debian-trixie-slim-26/lein/Dockerfile index d6c4fc66..a34b85bd 100644 --- a/target/debian-trixie-slim-26/lein/Dockerfile +++ b/target/debian-trixie-slim-26/lein/Dockerfile @@ -10,8 +10,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y maven git gnupg && \ @@ -23,6 +23,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/eclipse-temurin-11-jdk-alpine/lein/Dockerfile b/target/eclipse-temurin-11-jdk-alpine/lein/Dockerfile index 2adc0675..67a7b103 100644 --- a/target/eclipse-temurin-11-jdk-alpine/lein/Dockerfile +++ b/target/eclipse-temurin-11-jdk-alpine/lein/Dockerfile @@ -6,8 +6,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apk add --no-cache ca-certificates bash maven git gnupg && \ export GNUPGHOME="$(mktemp -d)" && \ @@ -17,6 +17,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/eclipse-temurin-11-jdk-jammy/lein/Dockerfile b/target/eclipse-temurin-11-jdk-jammy/lein/Dockerfile index 996e070b..c515512c 100644 --- a/target/eclipse-temurin-11-jdk-jammy/lein/Dockerfile +++ b/target/eclipse-temurin-11-jdk-jammy/lein/Dockerfile @@ -6,8 +6,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y make maven git gnupg && \ @@ -19,6 +19,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/eclipse-temurin-11-jdk-noble/lein/Dockerfile b/target/eclipse-temurin-11-jdk-noble/lein/Dockerfile index bd4943cb..1c146ccb 100644 --- a/target/eclipse-temurin-11-jdk-noble/lein/Dockerfile +++ b/target/eclipse-temurin-11-jdk-noble/lein/Dockerfile @@ -6,8 +6,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y make maven git gnupg && \ @@ -19,6 +19,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/eclipse-temurin-17-jdk-alpine/lein/Dockerfile b/target/eclipse-temurin-17-jdk-alpine/lein/Dockerfile index 19769415..62e31001 100644 --- a/target/eclipse-temurin-17-jdk-alpine/lein/Dockerfile +++ b/target/eclipse-temurin-17-jdk-alpine/lein/Dockerfile @@ -6,8 +6,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apk add --no-cache ca-certificates bash maven git gnupg && \ export GNUPGHOME="$(mktemp -d)" && \ @@ -17,6 +17,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/eclipse-temurin-17-jdk-jammy/lein/Dockerfile b/target/eclipse-temurin-17-jdk-jammy/lein/Dockerfile index bc34ec76..bae26ed2 100644 --- a/target/eclipse-temurin-17-jdk-jammy/lein/Dockerfile +++ b/target/eclipse-temurin-17-jdk-jammy/lein/Dockerfile @@ -6,8 +6,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y make maven git gnupg && \ @@ -19,6 +19,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/eclipse-temurin-17-jdk-noble/lein/Dockerfile b/target/eclipse-temurin-17-jdk-noble/lein/Dockerfile index 3b1889e2..1fc1982b 100644 --- a/target/eclipse-temurin-17-jdk-noble/lein/Dockerfile +++ b/target/eclipse-temurin-17-jdk-noble/lein/Dockerfile @@ -6,8 +6,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y make maven git gnupg && \ @@ -19,6 +19,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/eclipse-temurin-21-jdk-alpine/lein/Dockerfile b/target/eclipse-temurin-21-jdk-alpine/lein/Dockerfile index 54a21e2a..e0084b8a 100644 --- a/target/eclipse-temurin-21-jdk-alpine/lein/Dockerfile +++ b/target/eclipse-temurin-21-jdk-alpine/lein/Dockerfile @@ -6,8 +6,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apk add --no-cache ca-certificates bash maven git gnupg && \ export GNUPGHOME="$(mktemp -d)" && \ @@ -17,6 +17,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/eclipse-temurin-21-jdk-jammy/lein/Dockerfile b/target/eclipse-temurin-21-jdk-jammy/lein/Dockerfile index 25981aa1..ccae958e 100644 --- a/target/eclipse-temurin-21-jdk-jammy/lein/Dockerfile +++ b/target/eclipse-temurin-21-jdk-jammy/lein/Dockerfile @@ -6,8 +6,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y make maven git gnupg && \ @@ -19,6 +19,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/eclipse-temurin-21-jdk-noble/lein/Dockerfile b/target/eclipse-temurin-21-jdk-noble/lein/Dockerfile index 9d5cbadc..35d187c6 100644 --- a/target/eclipse-temurin-21-jdk-noble/lein/Dockerfile +++ b/target/eclipse-temurin-21-jdk-noble/lein/Dockerfile @@ -6,8 +6,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y make maven git gnupg && \ @@ -19,6 +19,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/eclipse-temurin-25-jdk-alpine/lein/Dockerfile b/target/eclipse-temurin-25-jdk-alpine/lein/Dockerfile index dee9394e..ea262514 100644 --- a/target/eclipse-temurin-25-jdk-alpine/lein/Dockerfile +++ b/target/eclipse-temurin-25-jdk-alpine/lein/Dockerfile @@ -6,8 +6,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apk add --no-cache ca-certificates bash maven git gnupg && \ export GNUPGHOME="$(mktemp -d)" && \ @@ -17,6 +17,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/eclipse-temurin-25-jdk-noble/lein/Dockerfile b/target/eclipse-temurin-25-jdk-noble/lein/Dockerfile index e3fd92ac..30795858 100644 --- a/target/eclipse-temurin-25-jdk-noble/lein/Dockerfile +++ b/target/eclipse-temurin-25-jdk-noble/lein/Dockerfile @@ -6,8 +6,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y make maven git gnupg && \ @@ -19,6 +19,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/eclipse-temurin-26-jdk-alpine/lein/Dockerfile b/target/eclipse-temurin-26-jdk-alpine/lein/Dockerfile index fd65701e..7ebc2823 100644 --- a/target/eclipse-temurin-26-jdk-alpine/lein/Dockerfile +++ b/target/eclipse-temurin-26-jdk-alpine/lein/Dockerfile @@ -6,8 +6,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apk add --no-cache ca-certificates bash maven git gnupg && \ export GNUPGHOME="$(mktemp -d)" && \ @@ -17,6 +17,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \ diff --git a/target/eclipse-temurin-26-jdk-noble/lein/Dockerfile b/target/eclipse-temurin-26-jdk-noble/lein/Dockerfile index e30ff463..0ccd867c 100644 --- a/target/eclipse-temurin-26-jdk-noble/lein/Dockerfile +++ b/target/eclipse-temurin-26-jdk-noble/lein/Dockerfile @@ -6,8 +6,8 @@ ENV LEIN_INSTALL=/usr/local/bin/ WORKDIR /tmp # No standalone uberjar is published for this version, so build it from source. -# Verify Leiningen's GPG-signed release tag, then bootstrap leiningen-core's -# dependencies with Maven and run `lein uberjar`. +# Verify Leiningen's GPG-signed release tag and pin the expected commit, then +# bootstrap leiningen-core's dependencies with Maven and run `lein uberjar`. RUN set -eux; \ apt-get update && \ apt-get install -y make maven git gnupg && \ @@ -19,6 +19,7 @@ gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 9D13D9426A0814B3 git clone --depth 1 --branch $LEIN_VERSION https://codeberg.org/leiningen/leiningen.git && \ cd leiningen && \ git verify-tag $LEIN_VERSION && \ +[ "$(git rev-parse HEAD)" = "d703e4802feb3e5c3fa9ae9f1874fb7a3a3e3030" ] && \ ( cd leiningen-core && mvn -B -q -DskipTests install && mvn -B -q dependency:build-classpath -Dmdep.outputFile=.lein-bootstrap ) && \ bin/lein uberjar && \ install -m 0644 target/leiningen-$LEIN_VERSION-standalone.jar /usr/share/java/leiningen-$LEIN_VERSION-standalone.jar && \