diff --git a/Dockerfile b/Dockerfile
index aa1f041..15ea05c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-# syntax=docker/dockerfile:1
+# syntax=docker/dockerfile:1.24.0@sha256:87999aa3d42bdc6bea60565083ee17e86d1f3339802f543c0d03998580f9cb89
 # =============================================================================
 # Multi-architecture build
 # =============================================================================
@@ -19,7 +19,7 @@
 # =============================================================================
 # Stage 1: Build Tailscale combined binary (cross-compiled, runs natively)
 # =============================================================================
-FROM --platform=$BUILDPLATFORM golang:1.26-alpine@sha256:91eda9776261207ea25fd06b5b7fed8d397dd2c0a283e77f2ab6e91bfa71079d AS builder
+FROM --platform=$BUILDPLATFORM golang:1.26.3-alpine@sha256:91eda9776261207ea25fd06b5b7fed8d397dd2c0a283e77f2ab6e91bfa71079d AS builder
 # renovate: datasource=github-releases depName=tailscale packageName=tailscale/tailscale
 ARG TAILSCALE_VERSION=v1.98.3
@@ -138,7 +138,7 @@ RUN upx --lzma --best /out/tailscale.combined
 # This stage runs on the TARGET platform (no --platform override): gcc then
 # produces native target-arch binaries directly. Under buildx this is
 # transparently emulated via binfmt/QEMU for non-native targets.
-FROM alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d AS busybox
+FROM alpine:3.21.7@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d AS busybox
 # renovate: datasource=docker depName=busybox versioning=docker
 ARG BUSYBOX_VERSION=1.37.0
diff --git a/README.md b/README.md
index 57004a0..6efa78e 100644
--- a/README.md
+++ b/README.md
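Review bot: The new `# syntax=` line (like the two `FROM` lines in the later hunks) carries both a version tag and a `@sha256` digest, but an image reference with a digest is resolved by the digest alone and the tag is not verified against it, so `1.24.0`, `1.26.3` and `3.21.7` are labels for humans and Renovate rather than an enforced pin. That is fine as long as tag and digest are always updated together, which the `# renovate:` comments suggest is the intent, but a tag bumped without its digest (or the reverse) would go unnoticed at build time. A one-line comment above the directive would make the contract explicit: `# NOTE: the @sha256 digest is the effective pin; the tag is informational and is not checked against it at build time.`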
@@ -289,13 +289,15 @@ docker buildx build --platform linux/arm64 \
 All upstream dependencies are version-pinned for reproducible builds:
+All versions are fully qualified (no floating `major.minor` tags):
+
 | Dependency | Where | Pinned form |
 |---|---|---|
-| Go toolchain | `Dockerfile` `FROM golang:…` | tag + `@sha256` digest |
-| Alpine (busybox build base) | `Dockerfile` `FROM alpine:…` | tag + `@sha256` digest |
-| Tailscale | `Dockerfile` `ARG TAILSCALE_VERSION` | git release tag |
-| busybox | `Dockerfile` `ARG BUSYBOX_VERSION` | release version |
-| Renovate runner | `.woodpecker/renovate.yaml` `image:` | tag |
+| Go toolchain | `Dockerfile` `FROM golang:…` | full version tag + `@sha256` digest |
+| Alpine (busybox build base) | `Dockerfile` `FROM alpine:…` | full version tag + `@sha256` digest |
+| Tailscale | `Dockerfile` `ARG TAILSCALE_VERSION` | full git release tag |
+| busybox | `Dockerfile` `ARG BUSYBOX_VERSION` | full release version |
+| Renovate / OpenBao | `.woodpecker/renovate.yaml` `image:` | full version tag |
 Updates are proposed automatically by [Renovate](https://docs.renovatebot.com/), run **self-hosted** from a Woodpecker cron pipeline (Woodpecker has no native