ci: pin Docker base images to SHA256 digests
Pin all FROM images in Dockerfile and dev/ci/Dockerfile to their current SHA256 manifest digests for reproducible builds. - rust:1.93-slim-trixie → @sha256:9663b80a... - busybox:latest → busybox:1.37@sha256:b3255e7d... - debian:trixie-slim → @sha256:f6e2cfac... - gcr.io/distroless/cc-debian13:nonroot → @sha256:84fcd3c2... - rust:1.92-slim → @sha256:bf3368a9... Closes #359 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
fettpl
parent
639032c952
commit
38f6339a83
2 changed files with 5 additions and 5 deletions
|
|
@ -1,7 +1,7 @@
|
||||||
# syntax=docker/dockerfile:1
|
# syntax=docker/dockerfile:1
|
||||||
|
|
||||||
# ── Stage 1: Build ────────────────────────────────────────────
|
# ── Stage 1: Build ────────────────────────────────────────────
|
||||||
FROM rust:1.93-slim-trixie AS builder
|
FROM rust:1.93-slim-trixie@sha256:9663b80a1621253d30b146454f903de48f0af925c967be48c84745537cd35d8b AS builder
|
||||||
|
|
||||||
WORKDIR /app
|
WORKDIR /app
|
||||||
|
|
||||||
|
|
@ -29,7 +29,7 @@ RUN --mount=type=cache,target=/usr/local/cargo/registry \
|
||||||
strip target/release/zeroclaw
|
strip target/release/zeroclaw
|
||||||
|
|
||||||
# ── Stage 2: Permissions & Config Prep ───────────────────────
|
# ── Stage 2: Permissions & Config Prep ───────────────────────
|
||||||
FROM busybox:latest AS permissions
|
FROM busybox:1.37@sha256:b3255e7dfbcd10cb367af0d409747d511aeb66dfac98cf30e97e87e4207dd76f AS permissions
|
||||||
# Create directory structure (simplified workspace path)
|
# Create directory structure (simplified workspace path)
|
||||||
RUN mkdir -p /zeroclaw-data/.zeroclaw /zeroclaw-data/workspace
|
RUN mkdir -p /zeroclaw-data/.zeroclaw /zeroclaw-data/workspace
|
||||||
|
|
||||||
|
|
@ -52,7 +52,7 @@ EOF
|
||||||
RUN chown -R 65534:65534 /zeroclaw-data
|
RUN chown -R 65534:65534 /zeroclaw-data
|
||||||
|
|
||||||
# ── Stage 3: Development Runtime (Debian) ────────────────────
|
# ── Stage 3: Development Runtime (Debian) ────────────────────
|
||||||
FROM debian:trixie-slim AS dev
|
FROM debian:trixie-slim@sha256:f6e2cfac5cf956ea044b4bd75e6397b4372ad88fe00908045e9a0d21712ae3ba AS dev
|
||||||
|
|
||||||
# Install runtime dependencies + basic debug tools
|
# Install runtime dependencies + basic debug tools
|
||||||
RUN apt-get update && apt-get install -y \
|
RUN apt-get update && apt-get install -y \
|
||||||
|
|
@ -90,7 +90,7 @@ ENTRYPOINT ["zeroclaw"]
|
||||||
CMD ["gateway", "--port", "3000", "--host", "[::]"]
|
CMD ["gateway", "--port", "3000", "--host", "[::]"]
|
||||||
|
|
||||||
# ── Stage 4: Production Runtime (Distroless) ─────────────────
|
# ── Stage 4: Production Runtime (Distroless) ─────────────────
|
||||||
FROM gcr.io/distroless/cc-debian13:nonroot AS release
|
FROM gcr.io/distroless/cc-debian13:nonroot@sha256:84fcd3c223b144b0cb6edc5ecc75641819842a9679a3a58fd6294bec47532bf7 AS release
|
||||||
|
|
||||||
COPY --from=builder /app/target/release/zeroclaw /usr/local/bin/zeroclaw
|
COPY --from=builder /app/target/release/zeroclaw /usr/local/bin/zeroclaw
|
||||||
COPY --from=permissions /zeroclaw-data /zeroclaw-data
|
COPY --from=permissions /zeroclaw-data /zeroclaw-data
|
||||||
|
|
|
||||||
|
|
@ -1,6 +1,6 @@
|
||||||
# syntax=docker/dockerfile:1.7
|
# syntax=docker/dockerfile:1.7
|
||||||
|
|
||||||
FROM rust:1.92-slim
|
FROM rust:1.92-slim@sha256:bf3368a992915f128293ac76917ab6e561e4dda883273c8f5c9f6f8ea37a378e
|
||||||
|
|
||||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||||
ca-certificates \
|
ca-certificates \
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue