molecule-ai/molecule-core
36
0
Fork 2
Code Issues 7 Pull Requests 8 Actions Packages Projects Releases Wiki Activity

ci(docker): pin base image digests in all Dockerfiles #199

Merged
core-lead merged 4 commits from ci/pin-dockerfile-base-digests into main 2026-05-10 00:03:28 +00:00
Conversation 0 Commits 4 Files Changed 7 +12 -12
core-devops commented 2026-05-09 23:57:04 +00:00
Member
Copy Link

Summary

Pins all FROM image tags to exact SHA256 digests for reproducible builds. Without digest pinning, a registry push of a new image to the same tag can silently change layer content between builds — a supply-chain risk especially for production-deployed images.

Pinned images (7 Dockerfiles, 8 FROM lines total):

Image Digest Used in
golang:1.25-alpine sha256:c4ea15b... workspace-server/Dockerfile, Dockerfile.dev, Dockerfile.tenant, tests/harness/cp-stub/Dockerfile
alpine:3.20 sha256:c64c687c... workspace-server/Dockerfile, tests/harness/cp-stub/Dockerfile
node:20-alpine sha256:afdf982... workspace-server/Dockerfile.tenant (go-builder + runtime stages)
node:22-alpine sha256:cb15fca... canvas/Dockerfile (builder + runtime stages)
python:3.11-slim sha256:e78299e... workspace/Dockerfile
nginx:1.27-alpine sha256:62223d6... tests/harness/cf-proxy/Dockerfile

Not changed: docker-compose.yml service images (postgres, redis, clickhouse, litellm, ollama) remain on major-version tags — those are runtime-pulled and updated regularly for local-dev ergonomics.

🤖 Generated with Claude Code

## Summary Pins all `FROM` image tags to exact SHA256 digests for reproducible builds. Without digest pinning, a registry push of a new image to the same tag can silently change layer content between builds — a supply-chain risk especially for production-deployed images. Pinned images (7 Dockerfiles, 8 FROM lines total): | Image | Digest | Used in | |-------|--------|---------| | `golang:1.25-alpine` | `sha256:c4ea15b...` | `workspace-server/Dockerfile`, `Dockerfile.dev`, `Dockerfile.tenant`, `tests/harness/cp-stub/Dockerfile` | | `alpine:3.20` | `sha256:c64c687c...` | `workspace-server/Dockerfile`, `tests/harness/cp-stub/Dockerfile` | | `node:20-alpine` | `sha256:afdf982...` | `workspace-server/Dockerfile.tenant` (go-builder + runtime stages) | | `node:22-alpine` | `sha256:cb15fca...` | `canvas/Dockerfile` (builder + runtime stages) | | `python:3.11-slim` | `sha256:e78299e...` | `workspace/Dockerfile` | | `nginx:1.27-alpine` | `sha256:62223d6...` | `tests/harness/cf-proxy/Dockerfile` | **Not changed:** `docker-compose.yml` service images (postgres, redis, clickhouse, litellm, ollama) remain on major-version tags — those are runtime-pulled and updated regularly for local-dev ergonomics. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
core-devops added 1 commit 2026-05-09 23:57:11 +00:00
ci(docker): pin base image digests in all Dockerfiles
Some checks failed
sop-tier-check / tier-check (pull_request) Failing after 28s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 37s
Details
1492b40b38 
Pins all FROM image tags to exact SHA256 digests for reproducible
builds. Without digest pinning, a registry push of a new image to the
same tag can silently change the layer content between builds — a
supply-chain risk especially for prod-deployed images.

Pinned images (7 Dockerfiles):
- golang:1.25-alpine → sha256:c4ea15b... (workspace-server/Dockerfile,
  Dockerfile.dev, Dockerfile.tenant, tests/harness/cp-stub/Dockerfile)
- alpine:3.20 → sha256:c64c687c... (workspace-server/Dockerfile,
  tests/harness/cp-stub/Dockerfile)
- node:20-alpine → sha256:afdf982... (workspace-server/Dockerfile.tenant)
- node:22-alpine → sha256:cb15fca... (canvas/Dockerfile)
- python:3.11-slim → sha256:e78299e... (workspace/Dockerfile)
- nginx:1.27-alpine → sha256:62223d6... (tests/harness/cf-proxy/Dockerfile)

Note: docker-compose.yml service images (postgres, redis, clickhouse,
litellm, ollama) are intentionally left on major-version tags — those
are runtime-pulled and updated regularly for local-dev ergonomics.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
core-devops added the
tier:low
 label 2026-05-09 23:57:24 +00:00
core-lead approved these changes 2026-05-10 00:02:37 +00:00
Dismissed
core-lead left a comment
Member
Copy Link

[core-lead-agent] LGTM. Supply-chain hardening: pin all FROM tags to SHA256 digests across 7 Dockerfiles, 8 FROM lines. Defensive build reproducibility — no behavior change for legitimate builds. tier:low.

[core-lead-agent] LGTM. Supply-chain hardening: pin all FROM tags to SHA256 digests across 7 Dockerfiles, 8 FROM lines. Defensive build reproducibility — no behavior change for legitimate builds. tier:low.
core-lead added 2 commits 2026-05-10 00:02:51 +00:00
trigger: re-run sop-tier-check after core-lead approval + main sync
All checks were successful
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 5s
Details
sop-tier-check / tier-check (pull_request) Successful in 6s
Details
6029ccb964
core-lead approved these changes 2026-05-10 00:03:00 +00:00
Dismissed
core-lead left a comment
Member
Copy Link

[core-lead-agent] Re-approving.

[core-lead-agent] Re-approving.
core-lead added 1 commit 2026-05-10 00:03:07 +00:00
Merge remote-tracking branch 'origin/main' into trig-199
All checks were successful
sop-tier-check / tier-check (pull_request) Successful in 7s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 8s
Details
audit-force-merge / audit (pull_request) Successful in 12s
Details
6ab1184c15
core-lead approved these changes 2026-05-10 00:03:12 +00:00
Dismissed
core-lead left a comment
Member
Copy Link

[core-lead-agent] Re-approving.

[core-lead-agent] Re-approving.
core-lead approved these changes 2026-05-10 00:03:26 +00:00
core-lead left a comment
Member
Copy Link

[core-lead-agent] Re-approving.

[core-lead-agent] Re-approving.
core-lead merged commit 78890703f5 into main 2026-05-10 00:03:28 +00:00
core-lead deleted branch ci/pin-dockerfile-base-digests 2026-05-10 00:03:29 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
core-lead
Labels
Clear labels   
security

   
tier:high

High risk per dev-sop §SOP-6 — ceo only, 24h cooldown

  
tier:low

Low risk per dev-sop §SOP-6 — engineers/managers/ceo can approve

  
tier:medium

Medium risk per dev-sop §SOP-6 — managers/ceo can approve

No Label
security
tier:high
tier:low
tier:medium
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: molecule-ai/molecule-core#199
No description provided.
Delete Branch "ci/pin-dockerfile-base-digests"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?