From d2ed5113e91b020a84ba1037dc87341e055bce40 Mon Sep 17 00:00:00 2001
From: fettpl <38704082+fettpl@users.noreply.github.com>
Date: Tue, 17 Feb 2026 13:50:32 +0100
Subject: [PATCH] fix(ci): pin sandbox Dockerfile base image to digest (#520)

Pin ubuntu:22.04 to its current manifest digest to ensure reproducible builds and prevent supply-chain mutations.

Closes #513

Co-authored-by: Claude Opus 4.6
---
 dev/sandbox/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dev/sandbox/Dockerfile b/dev/sandbox/Dockerfile
index 59ddf05..6b81a7a 100644
--- a/dev/sandbox/Dockerfile
+++ b/dev/sandbox/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:22.04
+FROM ubuntu:22.04@sha256:c7eb020043d8fc2ae0793fb35a37bff1cf33f156d4d4b12ccc7f3ef8706c38b1
 # Prevent interactive prompts during package installation
 ENV DEBIAN_FRONTEND=noninteractive
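Review bot: The pinned `FROM` line records neither where the digest came from nor how it gets refreshed, so the sandbox base stays frozen at this build and stops receiving Ubuntu's patched 22.04 rebuilds until someone bumps it by hand. I would add a comment directly above it, e.g. `# ubuntu:22.04 digest pinned 2026-02-17; refresh via Dependabot/Renovate or "docker buildx imagetools inspect ubuntu:22.04"`, and set up an automated digest-update job if the repository does not already have one. It is also worth confirming that this value is the multi-arch index digest rather than a single-platform manifest, since a platform-specific digest would make arm64 hosts pull the wrong image or fail; the page does not show which it is. The rest of the Dockerfile is outside the hunk, so any unpinned `apt-get install` there would still limit how reproducible the build is.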