molecule-ai/molecule-core
36
0
Fork 2
Code Issues 13 Pull Requests 15 Actions 94 Packages Projects Releases Wiki Activity

ci(docker): pin base image digests in all Dockerfiles #199

Merged
core-lead merged 4 commits from ci/pin-dockerfile-base-digests into main 2026-05-10 00:03:28 +00:00
Conversation 0 Commits 4 Files Changed 7 +12 -12

4 Commits

Author SHA1 Message Date
Molecule AI Core Platform Lead
6ab1184c15 Merge remote-tracking branch 'origin/main' into trig-199
All checks were successful
sop-tier-check / tier-check (pull_request) Successful in 7s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 8s
Details
audit-force-merge / audit (pull_request) Successful in 12s
Details
2026-05-10 00:03:03 +00:00
Molecule AI Core Platform Lead
6029ccb964 trigger: re-run sop-tier-check after core-lead approval + main sync
All checks were successful
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 5s
Details
sop-tier-check / tier-check (pull_request) Successful in 6s
Details
2026-05-10 00:02:43 +00:00
Molecule AI Core Platform Lead
306262a315 Merge remote-tracking branch 'origin/main' into trig-199 2026-05-10 00:02:43 +00:00
Molecule AI Core-DevOps
1492b40b38 ci(docker): pin base image digests in all Dockerfiles
Some checks failed
sop-tier-check / tier-check (pull_request) Failing after 28s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 37s
Details 
Pins all FROM image tags to exact SHA256 digests for reproducible
builds. Without digest pinning, a registry push of a new image to the
same tag can silently change the layer content between builds — a
supply-chain risk especially for prod-deployed images.

Pinned images (7 Dockerfiles):
- golang:1.25-alpine → sha256:c4ea15b... (workspace-server/Dockerfile,
  Dockerfile.dev, Dockerfile.tenant, tests/harness/cp-stub/Dockerfile)
- alpine:3.20 → sha256:c64c687c... (workspace-server/Dockerfile,
  tests/harness/cp-stub/Dockerfile)
- node:20-alpine → sha256:afdf982... (workspace-server/Dockerfile.tenant)
- node:22-alpine → sha256:cb15fca... (canvas/Dockerfile)
- python:3.11-slim → sha256:e78299e... (workspace/Dockerfile)
- nginx:1.27-alpine → sha256:62223d6... (tests/harness/cf-proxy/Dockerfile)

Note: docker-compose.yml service images (postgres, redis, clickhouse,
litellm, ollama) are intentionally left on major-version tags — those
are runtime-pulled and updated regularly for local-dev ergonomics.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-09 23:56:39 +00:00