CI: pin docker images to sha #1301

Merged
merged 9 commits into from
Mar 6, 2025

bayandin
Member

@bayandin bayandin commented Mar 5, 2025

This PR pins all docker images to their SHA checksums to prevent unintentional updates, improve build reproducibility, and improve their "cachability".

SHAs are generated using the following command:

```
docker buildx imagetools inspect --raw ${DOCKER_IMAGE} | openssl dgst -sha256
```

For example

```
$ docker buildx imagetools inspect --raw alpine:3.19 | openssl dgst -sha256
SHA2-256(stdin)= e5d0aea7f7d2954678a9a6269ca2d06e06591881161961ea59e974dff3f12377

# And to double check that the value is correct:
$ docker buildx imagetools inspect --raw alpine:3.19@sha256:e5d0aea7f7d2954678a9a6269ca2d06e06591881161961ea59e974dff3f12377 | openssl dgst -sha256
SHA2-256(stdin)= e5d0aea7f7d2954678a9a6269ca2d06e06591881161961ea59e974dff3f12377
```

All changes are noop. Where possible, I've added a patch version to image tags.
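
A lint that a CI job could run to keep base images pinned after a change like this one, shown as an added example that is not part of the pull request or the project's code. The Dockerfile content, the `example.test` registry name and the function names are constructed for illustration; the alpine digest is the one quoted in the description above.

```shell
#!/bin/sh
# Added example (not from the PR): report FROM lines whose base image
# is not pinned to a full sha256 digest.

# unpinned_images FILE -> prints "LINE_NO IMAGE" for every unpinned base image.
unpinned_images() {
  awk '
    toupper($1) == "FROM" {
      i = 2
      while (i <= NF && $i ~ /^--/) i++        # skip flags such as --platform=...
      img = $i
      if (img == "") next
      is_stage = (img in stages)               # "FROM build" reuses an earlier stage
      if (toupper($(i + 1)) == "AS") stages[$(i + 2)] = 1
      if (img == "scratch" || is_stage) next   # nothing to pin
      n = index(img, "@sha256:")
      hex = (n > 0) ? substr(img, n + 8) : ""
      # A pin must be exactly 64 lowercase hex characters.
      # Images given via ARG (${VAR}) cannot be resolved here and are reported.
      if (length(hex) != 64 || hex !~ /^[0-9a-f]+$/) print NR, img
    }
  ' "$1"
}

# check_pinned FILE -> exit status 0 if every base image is pinned, 1 otherwise.
check_pinned() {
  found=$(unpinned_images "$1")
  [ -z "$found" ] && return 0
  printf '%s\n' "$found" >&2
  return 1
}

# write_sample PATH -> constructed Dockerfile used as sample input.
write_sample() {
  cat > "$1" <<'EOF'
FROM --platform=linux/amd64 example.test/toolchain:1.2 AS build
FROM alpine:3.19@sha256:e5d0aea7f7d2954678a9a6269ca2d06e06591881161961ea59e974dff3f12377 AS base
FROM build AS test
FROM scratch
FROM alpine:3.19
FROM ${RUNTIME_IMAGE}
EOF
}

tmp=$(mktemp)
write_sample "$tmp"
unpinned_images "$tmp"
rm -f "$tmp"
```

In CI, `check_pinned` can be called once per Dockerfile and its exit status used to fail the job.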

@bayandin bayandin force-pushed the bayandin/pin-base-images-to-sha branch 2 times, most recently from 638c37b to 3d667dc Compare March 5, 2025 18:51
Member

@sharnoff sharnoff left a comment

Nice, thanks!

@bayandin bayandin force-pushed the bayandin/pin-base-images-to-sha branch from 3d667dc to 31c6cf1 Compare March 6, 2025 10:32
@bayandin bayandin enabled auto-merge (squash) March 6, 2025 10:32
@bayandin bayandin merged commit e3b2b76 into main Mar 6, 2025
35 checks passed
@bayandin bayandin deleted the bayandin/pin-base-images-to-sha branch March 6, 2025 10:55