build: pin and dedupe build image sha (#42488)

.github/workflows/build.yml

@@ -2,6 +2,12 @@ name: Build
 
 on:
   workflow_dispatch:
+    inputs:
+      build-image-sha:
+        type: string
+        description: 'SHA for electron/build image'
+        default: 'cf814a4d2501e8e843caea071a6b70a48e78b855'
+        required: true
   # push
   # pull_request:
 
@@ -10,7 +16,7 @@ jobs:
   checkout-macos:
     runs-on: aks-linux-large
     container:
-      image: ghcr.io/electron/build:latest
+      image: ghcr.io/electron/build:${{ inputs.build-image-sha }}
       options: --user root
       volumes:
         - /mnt/cross-instance-cache:/mnt/cross-instance-cache
@@ -30,7 +36,7 @@ jobs:
   checkout-linux:
     runs-on: aks-linux-large
     container:
-      image: ghcr.io/electron/build:latest
+      image: ghcr.io/electron/build:${{ inputs.build-image-sha }}
       options: --user root
       volumes:
         - /mnt/cross-instance-cache:/mnt/cross-instance-cache
@@ -80,7 +86,7 @@ jobs:
     with:
       build-runs-on: aks-linux-large
       test-runs-on: aks-linux-medium
-      build-container: '{"image":"ghcr.io/electron/build:latest","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
+      build-container: '{"image":"ghcr.io/electron/build:${{ inputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
       target-platform: linux
       target-arch: x64
       is-release: false
@@ -95,7 +101,7 @@ jobs:
     with:
       build-runs-on: aks-linux-large
       test-runs-on: aks-linux-medium
-      build-container: '{"image":"ghcr.io/electron/build:latest","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
+      build-container: '{"image":"ghcr.io/electron/build:${{ inputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
       target-platform: linux
       target-arch: arm
       is-release: false
@@ -110,7 +116,7 @@ jobs:
     with:
       build-runs-on: aks-linux-large
       test-runs-on: aks-linux-medium
-      build-container: '{"image":"ghcr.io/electron/build:latest","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
+      build-container: '{"image":"ghcr.io/electron/build:${{ inputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
       target-platform: linux
       target-arch: arm64
       is-release: false

.github/workflows/linux-publish.yml

@@ -3,6 +3,10 @@ name: Publish Linux
 on:
   workflow_dispatch:
     inputs:
+      build-image-sha:
+        type: string
+        description: 'SHA for electron/build image'
+        default: 'cf814a4d2501e8e843caea071a6b70a48e78b855'
       upload-to-storage:
         description: 'Uploads to Azure storage'
         required: false
@@ -17,7 +21,7 @@ jobs:
   checkout-linux:
     runs-on: aks-linux-large
     container:
-      image: ghcr.io/electron/build:latest
+      image: ghcr.io/electron/build:${{ inputs.build-image-sha }}
       options: --user root
       volumes:
         - /mnt/cross-instance-cache:/mnt/cross-instance-cache
@@ -40,7 +44,7 @@ jobs:
     needs: checkout-linux
     with:
       build-runs-on: aks-linux-large
-      build-container: '{"image":"ghcr.io/electron/build:latest","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
+      build-container: '{"image":"ghcr.io/electron/build:${{ inputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
       target-platform: linux
       target-arch: x64
       is-release: true
@@ -54,7 +58,7 @@ jobs:
     needs: checkout-linux
     with:
       build-runs-on: aks-linux-large
-      build-container: '{"image":"ghcr.io/electron/build:latest","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
+      build-container: '{"image":"ghcr.io/electron/build:${{ inputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
       target-platform: linux
       target-arch: arm
       is-release: true
@@ -68,7 +72,7 @@ jobs:
     needs: checkout-linux
     with:
       build-runs-on: aks-linux-large
-      build-container: '{"image":"ghcr.io/electron/build:latest","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
+      build-container: '{"image":"ghcr.io/electron/build:${{ inputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
       target-platform: linux
       target-arch: arm64
       is-release: true

.github/workflows/macos-publish.yml

@@ -3,6 +3,11 @@ name: Publish MacOS
 on:
   workflow_dispatch:
     inputs:
+      build-image-sha:
+        type: string
+        description: 'SHA for electron/build image'
+        default: 'cf814a4d2501e8e843caea071a6b70a48e78b855'
+        required: true
       upload-to-storage:
         description: 'Uploads to Azure storage'
         required: false
@@ -17,7 +22,7 @@ jobs:
   checkout-macos:
     runs-on: aks-linux-large
     container:
-      image: ghcr.io/electron/build:latest
+      image: ghcr.io/electron/build:${{ inputs.build-image-sha }}
       options: --user root
       volumes:
         - /mnt/cross-instance-cache:/mnt/cross-instance-cache

.github/workflows/pipeline-segment-node-nan-test.yml

@@ -41,9 +41,7 @@ jobs:
     timeout-minutes: 20
     env: 
       TARGET_ARCH: ${{ inputs.target-arch }}
-    container:
-      image: ghcr.io/electron/build:latest
-      options: --user root
+    container: ${{ fromJSON(inputs.test-container) }}
     steps:
     - name: Load Build Tools
       run: |
@@ -105,9 +103,7 @@ jobs:
     timeout-minutes: 20
     env: 
       TARGET_ARCH: ${{ inputs.target-arch }}
-    container:
-      image: ghcr.io/electron/build:latest
-      options: --user root
+    container: ${{ fromJSON(inputs.test-container) }}
     steps:
     - name: Load Build Tools
       run: |