Update Alpine container images from 3.22 to 3.21 with SHA256 pins

[Copilot]

Updates Alpine container references from version 3.22 to 3.21 with SHA256 digest pins for reproducible builds across amd64, arm32v7, and arm64v8 architectures.

Changes

• CoreCLR helix queues (eng/pipelines/coreclr/templates/helix-queues-setup.yml): Updated 6 container references for linux_musl_x64, linux_musl_arm, and linux_musl_arm64 platforms (public and internal)
• Installer helix queues (eng/pipelines/installer/helix-queues-setup.yml): Updated 2 container references for linux_musl_x64 and linux_musl_arm64 platforms
• Libraries helix queues (eng/pipelines/libraries/helix-queues-setup.yml): Updated 2 container references for linux_musl_x64 and linux_musl_arm64 platforms

Note: The linux_musl_x64_dev_innerloop container in eng/pipelines/common/templates/pipeline-with-resources.yml remains at alpine-3.22-amd64 (excluded from this update).

Container digests

• amd64: @sha256:bb83259554319753846ffd6892452c679446fee7671b61f52f1bca3b4eb23482
• arm32v7: @sha256:9def952ab6aefa9d4641b4db38c2b147f1f33fede8540c4a971f3a071d3a44de
• arm64v8: @sha256:d09ce866cd51a51f8d361b0c696175ec7e948950ad1caa811eb44ba318bc82f3

Original prompt

The yml files with references to mcr.microsoft.com/dotnet-buildtools/prereqs:alpine-3.22 containers need updated for amd64, arm32v7, and arm64v8.

amd64 entries should be updated to mcr.microsoft.com/dotnet-buildtools/prereqs:alpine-3.21-helix-amd64@sha256:bb83259554319753846ffd6892452c679446fee7671b61f52f1bca3b4eb23482

arm32v7 entries should be updated to mcr.microsoft.com/dotnet-buildtools/prereqs:alpine-3.21-helix-arm32v7@sha256:9def952ab6aefa9d4641b4db38c2b147f1f33fede8540c4a971f3a071d3a44de

arm64v8 entries should be updated to mcr.microsoft.com/dotnet-buildtools/prereqs:alpine-3.21-helix-arm64v8@sha256:d09ce866cd51a51f8d361b0c696175ec7e948950ad1caa811eb44ba318bc82f3

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[steveisok]

@copilot my prompt was a little too generic. I didn't want you to change the image for linux_musl_x64_dev_innerloop. Can you please change it back to the original?

[Copilot]

@copilot my prompt was a little too generic. I didn't want you to change the image for linux_musl_x64_dev_innerloop. Can you please change it back to the original?

Done. Reverted the linux_musl_x64_dev_innerloop image back to alpine-3.22-amd64 in commit 718376a.

[Copilot]

Pull Request Overview

This PR updates Alpine Linux Docker image references in Helix queue setup configurations, changing from Alpine 3.22 to Alpine 3.21 images and adding SHA256 digest pinning for improved security and reproducibility.

Key changes:

• Downgrade Alpine Linux container images from version 3.22 to 3.21
• Add SHA256 digest pinning to all Alpine container image references
• Update affects multiple architectures (amd64, arm32v7, arm64v8) across libraries, installer, and coreclr pipelines

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File	Description
eng/pipelines/libraries/helix-queues-setup.yml	Updated Alpine 3.22 to 3.21 with SHA256 digests for amd64 and arm64 architectures in library builds
eng/pipelines/installer/helix-queues-setup.yml	Updated Alpine 3.22 to 3.21 with SHA256 digests for amd64 and arm64 architectures in installer builds
eng/pipelines/coreclr/templates/helix-queues-setup.yml	Updated Alpine 3.22 to 3.21 with SHA256 digests for amd64, arm32, and arm64 architectures in both public and internal CoreCLR builds

[steveisok]

@chcosta recommended pinning to alpine containers to avoid pip errors for now.

[steveisok]

/ba-g Cancelled android legs dotnet/dnceng#3008. Not related to the change.