From e58a8d57847382319cdcf13431002c88c1d5b868 Mon Sep 17 00:00:00 2001
From: Claude
Date: Tue, 28 Apr 2026 02:06:32 +0000
Subject: [PATCH] chore(docker): pin base images by digest (DEP-02)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace mutable tags (`rust:latest`, `rust:slim`, `nginxinc/nginx-unprivileged:alpine`) with digest-pinned references so container builds are reproducible and resistant to upstream tag re-push or registry takeover.

Pinned (verified via `docker buildx imagetools inspect` 2026-04-28):
- rust:1.95-slim-bookworm @sha256:caaf9ca7acd474892186860307d6f28e51fdbc1a4eada459fcff81517cf46a36
- nginxinc/nginx-unprivileged:1.27-alpine @sha256:65e3e85dbaed8ba248841d9d58a899b6197106c23cb0ff1a132b7bfe0547e4c0

Both builder and runtime stages now use the same pinned rust slim image across relay/replay/storage/web; web runtime uses the pinned nginx unprivileged variant. Each `FROM` carries an inline comment recording the version, pin date, and bump command for traceability.

Considered alternative: pinning runtime stages to `debian:bookworm-slim` (closer to true minimal base). Rejected for this PR — out of scope per issue #313, which asks only to pin the existing `FROM` lines without restructuring the multi-stage layout. Switching runtime base belongs to a separate change.

SBOM stage explicitly out of scope per the issue body.

Refs #313
---
 docker/relay.Dockerfile | 6 ++++--
 docker/replay.Dockerfile | 6 ++++--
 docker/storage.Dockerfile | 6 ++++--
 docker/web.Dockerfile | 6 ++++--
 4 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/docker/relay.Dockerfile b/docker/relay.Dockerfile
index c23932a3..c3996940 100644
--- a/docker/relay.Dockerfile
+++ b/docker/relay.Dockerfile
@@ -1,9 +1,11 @@
-FROM rust:latest AS builder
+# rust:1.95-slim-bookworm pinned 2026-04-28; bump via `docker buildx imagetools inspect rust:1.95-slim-bookworm`
+FROM rust:1.95-slim-bookworm@sha256:caaf9ca7acd474892186860307d6f28e51fdbc1a4eada459fcff81517cf46a36 AS builder
 WORKDIR /build
 COPY . .
 RUN cargo build --release -p willow-relay
-FROM rust:slim
+# rust:1.95-slim-bookworm pinned 2026-04-28; bump via `docker buildx imagetools inspect rust:1.95-slim-bookworm`
+FROM rust:1.95-slim-bookworm@sha256:caaf9ca7acd474892186860307d6f28e51fdbc1a4eada459fcff81517cf46a36
 RUN useradd -r -u 10001 -m -d /home/willow willow \
 && mkdir -p /etc/willow /shared \
 && chown -R willow:willow /etc/willow /shared
diff --git a/docker/replay.Dockerfile b/docker/replay.Dockerfile
index bb2c628d..74ed8485 100644
--- a/docker/replay.Dockerfile
+++ b/docker/replay.Dockerfile
@@ -1,9 +1,11 @@
-FROM rust:latest AS builder
+# rust:1.95-slim-bookworm pinned 2026-04-28; bump via `docker buildx imagetools inspect rust:1.95-slim-bookworm`
+FROM rust:1.95-slim-bookworm@sha256:caaf9ca7acd474892186860307d6f28e51fdbc1a4eada459fcff81517cf46a36 AS builder
 WORKDIR /build
 COPY . .
 RUN cargo build --release -p willow-replay
-FROM rust:slim
+# rust:1.95-slim-bookworm pinned 2026-04-28; bump via `docker buildx imagetools inspect rust:1.95-slim-bookworm`
+FROM rust:1.95-slim-bookworm@sha256:caaf9ca7acd474892186860307d6f28e51fdbc1a4eada459fcff81517cf46a36
 RUN useradd -r -u 10001 -m -d /home/willow willow \
 && mkdir -p /etc/willow \
 && chown -R willow:willow /etc/willow
diff --git a/docker/storage.Dockerfile b/docker/storage.Dockerfile
index cc6f8c03..660cc53b 100644
--- a/docker/storage.Dockerfile
+++ b/docker/storage.Dockerfile
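Review bot: The same digest is now hand-copied into eight `FROM` lines (both stages of relay, replay, storage and the builder stage of web), so a future bump can update one file and silently miss another, and nothing in the build would notice because once a digest is present Docker resolves `name:tag@sha256:…` by the digest alone and never checks that the tag next to it still matches. Declare the reference once per file above the first `FROM`, `ARG RUST_IMAGE=rust:1.95-slim-bookworm@sha256:caaf9ca7acd474892186860307d6f28e51fdbc1a4eada459fcff81517cf46a36`, then `FROM ${RUST_IMAGE} AS builder` and `FROM ${RUST_IMAGE}`, so a bump is a single edit per file and the digest comment is written once. The inline comment's "bump via `docker buildx imagetools inspect …`" names a command that only prints the current digest; say what to do with it, e.g. `# rust:1.95-slim-bookworm pinned 2026-04-28; to bump: run docker buildx imagetools inspect rust:1.95-slim-bookworm and replace BOTH the tag and the digest (the digest is what Docker enforces)`. The same applies to the replay and storage hunks and to the builder stage in web.Dockerfile.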
@@ -1,9 +1,11 @@
-FROM rust:latest AS builder
+# rust:1.95-slim-bookworm pinned 2026-04-28; bump via `docker buildx imagetools inspect rust:1.95-slim-bookworm`
+FROM rust:1.95-slim-bookworm@sha256:caaf9ca7acd474892186860307d6f28e51fdbc1a4eada459fcff81517cf46a36 AS builder
 WORKDIR /build
 COPY . .
 RUN cargo build --release -p willow-storage
-FROM rust:slim
+# rust:1.95-slim-bookworm pinned 2026-04-28; bump via `docker buildx imagetools inspect rust:1.95-slim-bookworm`
+FROM rust:1.95-slim-bookworm@sha256:caaf9ca7acd474892186860307d6f28e51fdbc1a4eada459fcff81517cf46a36
 RUN useradd -r -u 10001 -m -d /home/willow willow \
 && mkdir -p /etc/willow /var/lib/willow \
 && chown -R willow:willow /etc/willow /var/lib/willow
diff --git a/docker/web.Dockerfile b/docker/web.Dockerfile
index 8fe1677c..fa9c3c15 100644
--- a/docker/web.Dockerfile
+++ b/docker/web.Dockerfile
@@ -1,11 +1,13 @@
-FROM rust:latest AS builder
+# rust:1.95-slim-bookworm pinned 2026-04-28; bump via `docker buildx imagetools inspect rust:1.95-slim-bookworm`
+FROM rust:1.95-slim-bookworm@sha256:caaf9ca7acd474892186860307d6f28e51fdbc1a4eada459fcff81517cf46a36 AS builder
 RUN rustup target add wasm32-unknown-unknown
 RUN cargo install trunk
 WORKDIR /build
 COPY . .
 RUN cd crates/web && trunk build --release
-FROM nginxinc/nginx-unprivileged:alpine
+# nginxinc/nginx-unprivileged:1.27-alpine pinned 2026-04-28; bump via `docker buildx imagetools inspect nginxinc/nginx-unprivileged:1.27-alpine`
+FROM nginxinc/nginx-unprivileged:1.27-alpine@sha256:65e3e85dbaed8ba248841d9d58a899b6197106c23cb0ff1a132b7bfe0547e4c0
 COPY --from=builder --chown=nginx:nginx /build/crates/web/dist/ /usr/share/nginx/html/
 RUN chmod 644 /usr/share/nginx/html/*
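Review bot: In the web.Dockerfile hunk the builder stage still runs `cargo install trunk` with no version and no `--locked`, so every build fetches whichever trunk release crates.io serves that day and re-resolves its dependency tree; this leaves in place the same unpinned-upstream exposure that the digest-pinned `FROM` lines two lines above are meant to close, and a broken or tampered trunk release would reach the image unnoticed. Pin it, `RUN cargo install --locked --version <TRUNK_VERSION> trunk`, filling in the version the project currently builds with (it is not recorded anywhere in this diff). The `RUN cd crates/web && trunk build --release` line is the cd-in-RUN pattern hadolint reports as DL3003; `WORKDIR /build/crates/web` before the build gives the same result, and the absolute path in the later `COPY --from=builder` is unaffected. The old-side count in the `@@` header is larger than the lines visible here, so the final nginx stage may continue past the last line shown.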