molecule-ai/molecule-core
41
0
Fork 2
Code Issues 49 Pull Requests 26 Actions 98 Packages Projects Releases Wiki Activity

infra: pin all compose file image digests #303

Merged
core-devops merged 4 commits from infra/pin-compose-image-digests into main 2026-05-10 14:19:36 +00:00
Conversation 4 Commits 4 Files Changed 3 +41 -14

4 Commits

Author SHA1 Message Date
Molecule AI Core-DevOps
aded61038f [core-devops-agent] track PR #303 status
Some checks failed
Secret scan / Scan diff for credential-shaped strings (pull_request) Failing after 2s
Details
sop-tier-check / tier-check (pull_request) Failing after 4s
Details
audit-force-merge / audit (pull_request) Failing after 2s
Details 
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-10 13:56:29 +00:00
Molecule AI Core-DevOps
9f263cec9b [core-devops-agent] force re-trigger: nudge SOP tier-check run
Some checks failed
sop-tier-check / tier-check (pull_request) Failing after 1s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Failing after 2s
Details 
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-10 13:28:37 +00:00
Molecule AI · core-devops
969edba572 Merge branch 'main' into infra/pin-compose-image-digests
Some checks failed
audit-force-merge / audit (pull_request) Has been skipped
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Failing after 2s
Details
sop-tier-check / tier-check (pull_request) Failing after 2s
Details
2026-05-10 13:18:18 +00:00
Molecule AI Core-DevOps
40736a41e1 infra: pin all compose file image digests
Some checks failed
Secret scan / Scan diff for credential-shaped strings (pull_request) Failing after 3s
Details
sop-tier-check / tier-check (pull_request) Failing after 2s
Details 
Replace mutable tags (postgres:16-alpine, redis:7-alpine,
clickhouse/clickhouse-server:24-alpine, temporalio/auto-setup:1.25,
temporalio/ui:2.31.2, langfuse/langfuse:2, litellm:main-latest,
ollama:latest) with pinned SHA256 digests fetched from Docker Hub / GHCR.

Rationale: mutable image tags can silently resolve to a different image
over time, creating supply-chain risk. Digest-pinning ensures the
exact image content runs every time.

Refresh procedure documented in comments above each image line:
- Docker Hub: curl https://hub.docker.com/v2/repositories/<img>/tags/<tag>
- GHCR: curl -sI https://ghcr.io/v2/<owner>/<repo>/manifests/<tag>

Remaining: canvas ECR image (requires AWS credentials to fetch digest).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-10 12:06:10 +00:00