Bump chainguard static base image to latest sha

[ltwongaa]

Manually bump ko build base image to latest image in chainguard static image repo
https://images.chainguard.dev/directory/image/static/versions
This fixes the os image out of support issue
#9163

Changes

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

• Has Docs if any changes are user facing, including updates to minimum requirements e.g. Kubernetes version bumps
• Has Tests included if any functionality added or changed
• pre-commit Passed
• Follows the commit message standard
• Meets the Tekton contributor standards (including functionality, content, code)
• Has a kind label. You can add one by adding a comment on this PR that contains /kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tep
• Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings). See some examples of good release notes.
• Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

NONE

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: ltwongaa / name: ltwongaa (191cc71, 1ed078d, 5b6922b, 802ae72)

[waveywaves]

/kind bug

[waveywaves]

/retest

[waveywaves]

confirmed the digest resolves to a current image: cgr.dev/chainguard/static@sha256:7c353129... was built on 2026-03-02 via apko (Chainguard's distroless builder). It's the latest static image, not Alpine-based. Looks good on that front.

[waveywaves]

/retest

[waveywaves]

/retest

[ltwongaa]

confirmed the digest resolves to a current image: cgr.dev/chainguard/static@sha256:7c353129... was built on 2026-03-02 via apko (Chainguard's distroless builder). It's the latest static image, not Alpine-based. Looks good on that front.

Seems E2E failed expecting an arm image, I changed to the image sha to the arm image one

[ltwongaa]

/retest

[ltwongaa]

/retest

[afrittoli]

If this sha corresponds to a tag, could you mention the tag in a comment please?

[ltwongaa]

Hi @afrittoli ,
chainguard now only provides the tag latest there,
all the others are with the sha.
This is the current sha of the latest tag.

FYI, if you view from the official repository, they hide all the other images except the latest.
https://images.chainguard.dev/directory/image/static/versions#/

[afrittoli]

/approve

[tekton-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: afrittoli

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [afrittoli]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[vdemeester]

The new digest is a valid manifest list (OCI image index), but it significantly reduces architecture coverage compared to the old one.

Old digest (67a1b00e...) — 7 architectures:

Arch	OS
386	linux
amd64	linux
arm/v6	linux
arm/v7	linux
arm64	linux
ppc64le	linux
s390x	linux

New digest (d6a97eb4...) — 2 architectures:

Arch	OS
amd64	linux
arm64	linux

This drops 386, arm/v6, arm/v7, ppc64le, and s390x. We do ship ppc64le and s390x so this would be a problem.

/hold

[vdemeester]

For context, Chainguard announced this change in May 2024 and applied it on July 15, 2024. They moved the free/Developer tier static image from an Alpine base to a Wolfi base, which only supports amd64 and arm64.

From their blog post:

If you use an architecture that isn't supported by Wolfi, these changes will impact you. Wolfi-base images are only built for arm64/aarch64 and x86_64/amd64.

The old digest (67a1b00e...) was the pre-Wolfi Alpine-based image with all 7 architectures. The new digest (d6a97eb4...) is the current Wolfi-based image with only 2. This is by design — Wolfi doesn't support ppc64le or s390x.

Since we need those architectures, options include:

1. Stay on the old digest (but it won't get security updates)
2. Switch to a different base image (e.g. gcr.io/distroless/static-debian12)

[ltwongaa]

emmm, I wonder who would able to make the decision on the approaches
my concern is that the base image is not being updated for a long time,
which is with an out of support os

[vdemeester]

emmm, I wonder who would able to make the decision on the approaches my concern is that the base image is not being updated for a long time, which is with an out of support os

I agree with you on the image not being up-to-date, we need to take a decision rather soon than later.

[waveywaves]

Agree with the /hold. #9557 is the right path forward here.

[waveywaves]

@ltwongaa can you please rebase this PR ? Thank you.

[vdemeester]

I think we can close this as we are working towards owning the base image, see tektoncd/plumbing#3221 and #9576.

Thank you for the contribution @ltwongaa 🤗