From cdc5ca9626a2083223e34ad8a291019a77115174 Mon Sep 17 00:00:00 2001
From: "Jonas Brand (8R0WNI3)"
Date: Tue, 23 Jun 2026 13:43:25 +0200
Subject: [PATCH] fix(packages): Pin `odg-core-libs` version during image build

Since the package is also published to PyPI, it must be ensured that the version of the current build (e.g. a hotfix version) is used instead of the greatest available version (e.g. from PyPI).

Signed-off-by: Jonas Brand (8R0WNI3)
---
 .github/workflows/build.yaml | 6 ++++++
 Dockerfile | 4 +++-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index ce3bd5dc..f3d476a3 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -26,6 +26,8 @@ jobs:
 - prepare
 permissions:
 contents: read
+ outputs:
+ version: ${{ steps.packages.outputs.version }}
 steps:
 - name: install setuptools
 run: |
@@ -34,6 +36,7 @@ jobs:
 - uses: gardener/cc-utils/.github/actions/trusted-checkout@v1
 - uses: gardener/cc-utils/.github/actions/install-gardener-gha-libs@v1
 - name: create distribution packages
+ id: packages
 run: |
 set -eu
@@ -44,6 +47,7 @@ jobs:
 fi
 echo "version: ${version}"
+ echo "version=${version}" >> "${GITHUB_OUTPUT}"
 # pass finalised version to setup
 export ODG_CORE_LIBS_VERSION=${version}
@@ -276,6 +280,8 @@ jobs:
 oci-platforms: linux/arm64,linux/amd64
 build-ctx-artefact: distribution-packages
 untar-build-ctx-artefact: distribution-packages.tar.gz
+ build-args: |
+ ODG_CORE_LIBS_VERSION=${{ needs.packages.outputs.version }}
 ocm-labels: |
 name: gardener.cloud/cve-categorisation
 value:
diff --git a/Dockerfile b/Dockerfile
index 85c01c7f..994a0fae 100644
--- a/Dockerfile
+++ b/Dockerfile
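Review bot: The added `build-args` entry in the last build.yaml hunk reads `needs.packages.outputs.version`, which is only populated when this job declares `packages` under `needs:`; that list is outside the hunk, and a missing entry yields an empty string rather than an error. Please confirm the dependency is declared. A short comment above `build-args`, for example `# must equal the version of the wheels in the distribution-packages artefact`, would record why the value is passed. The job definition starts and ends outside this hunk.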
@@ -14,6 +14,8 @@ COPY src/malware/clamav_entrypoint.sh /
 COPY src/malware/clamd.conf /etc/clamav/clamd.conf
 COPY --from=cbomkit-theia-builder /cbomkit-theia/cbomkit-theia /usr/bin/cbomkit-theia
+ARG ODG_CORE_LIBS_VERSION
+
 RUN --mount=type=bind,source=/dist,target=/dist \
 apk add --no-cache \
 bash \
@@ -40,7 +42,7 @@ RUN --mount=type=bind,source=/dist,target=/dist \
 && update-ca-certificates \
 && mkdir -p $HOME/.config/pip \
 && echo -e "[global]\nbreak-system-packages = true" >> $HOME/.config/pip/pip.conf \
-&& pip3 install --upgrade --no-cache-dir --find-links ./dist odg-core-libs \
+&& pip3 install --upgrade --no-cache-dir --find-links ./dist odg-core-libs==${ODG_CORE_LIBS_VERSION} \
 && apk del --no-cache \
 libc-dev \
 libffi-dev \
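Review bot: `ARG ODG_CORE_LIBS_VERSION` has no default and nothing checks that it was supplied, so a build without the build-arg (a local `docker build`, for instance) hands pip the requirement `odg-core-libs==`, which should be rejected with a parsing error that does not name the missing argument. A guard as the first command of the `RUN` chain, `: "${ODG_CORE_LIBS_VERSION:?build-arg ODG_CORE_LIBS_VERSION is required}" \` followed by `&& apk add --no-cache \`, would stop the build with a clear message. A one-line comment above the `ARG` stating that the value must equal the version of the wheels mounted at `/dist` would document the contract. The `RUN` instruction continues outside this hunk.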
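Review bot: The `==` pin on the new `pip3 install` line fixes the version but not the origin, because `--find-links ./dist` only adds a source and the default index is still consulted; if the same version number is also on PyPI, nothing here states that the locally built wheel is the one installed. One way to bind the install to the build artefact is a first step restricted to the local directory, `&& pip3 install --no-cache-dir --no-index --no-deps --find-links ./dist "odg-core-libs==${ODG_CORE_LIBS_VERSION}" \`, leaving the existing line to resolve dependencies. The expansion is also unquoted, so whitespace in the build-arg would be split into additional pip arguments; quoting the requirement as shown avoids that. The `RUN` instruction starts and ends outside this hunk.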