chore(infra): pin Docker base images by digest (DEBT-023)

All base images (debian:bookworm-slim, ubuntu:22.04, ubuntu:20.04, rockylinux:9-minimal, centos:7, alpine:3.19, fedora:39, kalilinux/kali-rolling, archlinux:latest, honeynet/conpot:latest) now carry their resolved sha256 digest so 'docker pull' is deterministic. :tag retained for human readability; @sha256 is what Docker actually resolves. Refresh procedure documented at the top of decnet/distros.py.
2026-05-03 04:38:39 -04:00
parent 6e19d3a25a
commit dcd558fd91
33 changed files with 74 additions and 57 deletions
--- a/decnet/templates/ssh/Dockerfile
+++ b/decnet/templates/ssh/Dockerfile
@@ -1,10 +1,10 @@
-ARG BASE_IMAGE=debian:bookworm-slim
+ARG BASE_IMAGE=debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252

 # ── Stage 1: build the static auth-helper credential-capture binary ──────────
 # Compiled against musl so the resulting binary is fully static — runs on
 # any glibc/musl Linux without a libc version match. Stripped at link
 # time via -s so `file /usr/sbin/auth-helper` reports a generic ELF.
-FROM debian:bookworm-slim AS auth-helper-build
+FROM debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 AS auth-helper-build
 RUN apt-get update && apt-get install -y --no-install-recommends musl-tools \
    && rm -rf /var/lib/apt/lists/*
 COPY auth-helper/auth-helper.c /tmp/auth-helper.c