diff --git a/canvas/Dockerfile b/canvas/Dockerfile
index 6aa8f446..3730ba3f 100644
--- a/canvas/Dockerfile
+++ b/canvas/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:22-alpine AS builder
+FROM node:22-alpine@sha256:cb15fca92530d7ac113467696cf1001208dac49c3c64355fd1348c11a88ddf8f AS builder
 WORKDIR /app
 COPY package.json package-lock.json* ./
 # `npm ci` (not `install`) for lockfile-exact reproducibility.
@@ -15,7 +15,7 @@ ENV NEXT_PUBLIC_WS_URL=$NEXT_PUBLIC_WS_URL
 ENV NEXT_PUBLIC_ADMIN_TOKEN=$NEXT_PUBLIC_ADMIN_TOKEN
 RUN npm run build
 
-FROM node:22-alpine
+FROM node:22-alpine@sha256:cb15fca92530d7ac113467696cf1001208dac49c3c64355fd1348c11a88ddf8f
 WORKDIR /app
 COPY --from=builder /app/.next/standalone ./
 COPY --from=builder /app/.next/static ./.next/static
diff --git a/tests/harness/cf-proxy/Dockerfile b/tests/harness/cf-proxy/Dockerfile
index d443f243..d90ce547 100644
--- a/tests/harness/cf-proxy/Dockerfile
+++ b/tests/harness/cf-proxy/Dockerfile
@@ -9,6 +9,6 @@
 # not active, so it hits the same gap. A build-time COPY uploads the file
 # as part of the docker build context — the daemon receives the tarball
 # directly and never bind-mounts. See issue #88 item 2.
-FROM nginx:1.27-alpine
+FROM nginx:1.27-alpine@sha256:62223d644fa234c3a1cc785ee14242ec47a77364226f1c811d2f669f96dc2ac8
 
 COPY nginx.conf /etc/nginx/nginx.conf
diff --git a/tests/harness/cp-stub/Dockerfile b/tests/harness/cp-stub/Dockerfile
index 471029a6..3df1d9e3 100644
--- a/tests/harness/cp-stub/Dockerfile
+++ b/tests/harness/cp-stub/Dockerfile
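Review bot: Once `@sha256:` is on the `FROM` line the image is resolved by digest and the `node:22-alpine` tag becomes informational only, so a later bump of the tag without a matching digest change would silently keep building the old image; the same holds for every pinned `FROM` in this commit (the second canvas stage, cf-proxy, cp-stub, workspace-server/Dockerfile, Dockerfile.dev, Dockerfile.tenant, workspace/Dockerfile). Nothing in the diff shows how the digests get refreshed, so unless an updater is configured elsewhere in the repo these pins will stop receiving base-image security patches the day they land. If the images are built for more than one platform, also confirm each digest is the manifest-list digest rather than a single-arch one, otherwise the other platform's build fails to resolve. Suggest one comment above the first pinned `FROM` of each file, e.g. `# Pinned by digest: the tag is documentation only — bump tag and digest together via <DIGEST-UPDATER>`.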
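Review bot: `ENV NEXT_PUBLIC_ADMIN_TOKEN=$NEXT_PUBLIC_ADMIN_TOKEN` in the builder stage, two lines above the pinned `FROM`, deserves attention while this file is being hardened: Next.js inlines every `NEXT_PUBLIC_*` variable into the client-side bundle during `npm run build`, and an `ENV` also persists in the builder image's config and `docker history`. If that value is a real admin credential rather than a public identifier, it is shipped to every browser that loads the canvas, and the digest pin does nothing about it; the `ARG` feeding it is outside the hunk so I cannot see where it originates. Either drop the `NEXT_PUBLIC_` prefix and read the token server-side at runtime, or, if it is intentionally public, say so next to the line: `# NEXT_PUBLIC_* values are embedded in the browser bundle — must not be a secret`.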
@@ -1,13 +1,13 @@
 # cp-stub — minimal CP stand-in for the local production-shape harness.
 # See main.go for the rationale. Self-contained build, no module deps.
-FROM golang:1.25-alpine AS builder
+FROM golang:1.25-alpine@sha256:c4ea15b4a7912716eb362a022e2b12317762eca387423760bc59c0f9ae69423c AS builder
 WORKDIR /src
 COPY go.mod ./
 COPY main.go ./
 RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /cp-stub .
 
-FROM alpine:3.20
+FROM alpine:3.20@sha256:c64c687cbea9300178b30c95835354e34c4e4febc4badfe27102879de0483b5e
 RUN apk add --no-cache ca-certificates
 COPY --from=builder /cp-stub /cp-stub
 EXPOSE 9090
diff --git a/workspace-server/Dockerfile b/workspace-server/Dockerfile
index 3209e78a..b1606e00 100644
--- a/workspace-server/Dockerfile
+++ b/workspace-server/Dockerfile
@@ -11,7 +11,7 @@
 # Build context: repo root, with `.tenant-bundle-deps/` populated by the
 # workflow's "Pre-clone manifest deps" step (Task #173).
 
-FROM golang:1.25-alpine AS builder
+FROM golang:1.25-alpine@sha256:c4ea15b4a7912716eb362a022e2b12317762eca387423760bc59c0f9ae69423c AS builder
 WORKDIR /app
 COPY workspace-server/go.mod workspace-server/go.sum ./
 # github-app-auth plugin removed 2026-05-07 (#157): per-agent Gitea
@@ -34,7 +34,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build \
     -ldflags "-X github.com/Molecule-AI/molecule-monorepo/platform/internal/buildinfo.GitSHA=${GIT_SHA}" \
     -o /memory-plugin ./cmd/memory-plugin-postgres
 
-FROM alpine:3.20
+FROM alpine:3.20@sha256:c64c687cbea9300178b30c95835354e34c4e4febc4badfe27102879de0483b5e
 RUN apk add --no-cache ca-certificates git tzdata wget
 COPY --from=builder /platform /platform
 COPY --from=builder /memory-plugin /memory-plugin
diff --git a/workspace-server/Dockerfile.dev b/workspace-server/Dockerfile.dev
index a1efe00b..c83e264d 100644
--- a/workspace-server/Dockerfile.dev
+++ b/workspace-server/Dockerfile.dev
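Review bot: The final stage's only reason for an alpine base is `ca-certificates`, while the binary is built with `CGO_ENABLED=0` and stripped, so this stage could be `FROM scratch` with `COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/` in place of the `apk add`. That removes one digest from the set that has to be kept fresh and leaves no shell or package manager in the harness image. If a shell is wanted for debugging the stub, keep alpine but note that no `USER` is visible in the hunk; the rest of the file is outside it, so it may already be set further down.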
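Review bot: `RUN apk add --no-cache ca-certificates git tzdata wget` directly under the newly pinned `FROM alpine:3.20@sha256:…` still resolves package versions from the live apk index at build time, so after this change only the base layer is reproducible, not the runtime image. The same pattern sits in the cp-stub final stage and in Dockerfile.tenant stage 3 (`apk add … openssh-client aws-cli`). Either pin the packages (`apk add --no-cache ca-certificates=<VERSION> git=<VERSION> …`, hadolint DL3018) or add a comment stating that package versions are intentionally left floating, so the next reader does not assume the digest covers them. A short why-comment on `wget` in a runtime image would also help, since I cannot tell from the hunk whether it serves a healthcheck or something else.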
@@ -13,7 +13,7 @@
 # developer's filesystem has the workspace-configs-templates/ + plugins/
 # dirs available, mounted at runtime via docker-compose.dev.yml.
 
-FROM golang:1.25-alpine
+FROM golang:1.25-alpine@sha256:c4ea15b4a7912716eb362a022e2b12317762eca387423760bc59c0f9ae69423c
 
 # air + git (for go mod) + ca-certs (for TLS) + tzdata (for time-zone DB)
 # + docker-cli + docker-cli-buildx so the platform binary can shell out to
diff --git a/workspace-server/Dockerfile.tenant b/workspace-server/Dockerfile.tenant
index 5c9fda55..c7e039e0 100644
--- a/workspace-server/Dockerfile.tenant
+++ b/workspace-server/Dockerfile.tenant
@@ -34,7 +34,7 @@
 # --push .
 
 # ── Stage 1: Go platform binary ──────────────────────────────────────
-FROM golang:1.25-alpine AS go-builder
+FROM golang:1.25-alpine@sha256:c4ea15b4a7912716eb362a022e2b12317762eca387423760bc59c0f9ae69423c AS go-builder
 WORKDIR /app
 COPY workspace-server/go.mod workspace-server/go.sum ./
 # github-app-auth plugin removed 2026-05-07 (#157): per-agent Gitea
@@ -64,7 +64,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build \
     -o /memory-plugin ./cmd/memory-plugin-postgres
 
 # ── Stage 2: Canvas Next.js standalone ────────────────────────────────
-FROM node:20-alpine AS canvas-builder
+FROM node:20-alpine@sha256:afdf98210b07b586eb71fa22ba2e432e058e4cd1304d31ed60888755b8c865fb AS canvas-builder
 WORKDIR /canvas
 COPY canvas/package.json canvas/package-lock.json* ./
 RUN npm install
@@ -76,7 +76,7 @@ ENV NEXT_PUBLIC_WS_URL=$NEXT_PUBLIC_WS_URL
 RUN npm run build
 
 # ── Stage 3: Runtime ──────────────────────────────────────────────────
-FROM node:20-alpine
+FROM node:20-alpine@sha256:afdf98210b07b586eb71fa22ba2e432e058e4cd1304d31ed60888755b8c865fb
 RUN apk add --no-cache ca-certificates git tzdata openssh-client aws-cli
 
 # Non-root runtime for the Node.js canvas process.
diff --git a/workspace/Dockerfile b/workspace/Dockerfile
index 8b1fc795..716d0125 100644
--- a/workspace/Dockerfile
+++ b/workspace/Dockerfile
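Review bot: `RUN npm install` in the canvas-builder stage, three lines under the pinned `FROM node:20-alpine@sha256:…`, undoes the reproducibility the digest buys: `npm install` may re-resolve and rewrite the lockfile, whereas canvas/Dockerfile uses `npm ci` and says in its comment that it does so for lockfile-exact builds. The two canvas builds also now diverge on the base — node:20 here versus node:22 in canvas/Dockerfile — so the same source is compiled against two Node majors with no comment explaining the split. Suggest `RUN npm ci` here and either aligning both files on one node digest or a comment on this `FROM` stating why the tenant image stays on 20. The `COPY canvas/package.json canvas/package-lock.json* ./` glob makes the lockfile optional; with `npm ci` a missing lockfile fails loudly instead of silently floating, which is the better failure mode.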
@@ -1,4 +1,4 @@
-FROM python:3.11-slim
+FROM python:3.11-slim@sha256:e78299e55776ca065dcb769f80161f48465ad352014240eb5fe4712e22505e9b
 WORKDIR /app