don't use floating tags

2026-05-28 23:46:17 +02:00
parent dca233f9f2
commit d5a32d13dd
2 changed files with 10 additions and 8 deletions
@@ -1,4 +1,4 @@
-# syntax=docker/dockerfile:1
+# syntax=docker/dockerfile:1.24.0@sha256:87999aa3d42bdc6bea60565083ee17e86d1f3339802f543c0d03998580f9cb89
 # =============================================================================
 # Multi-architecture build
 # =============================================================================
@@ -19,7 +19,7 @@
 # =============================================================================
 # Stage 1: Build Tailscale combined binary (cross-compiled, runs natively)
 # =============================================================================
-FROM --platform=$BUILDPLATFORM golang:1.26-alpine@sha256:91eda9776261207ea25fd06b5b7fed8d397dd2c0a283e77f2ab6e91bfa71079d AS builder
+FROM --platform=$BUILDPLATFORM golang:1.26.3-alpine@sha256:91eda9776261207ea25fd06b5b7fed8d397dd2c0a283e77f2ab6e91bfa71079d AS builder
 # renovate: datasource=github-releases depName=tailscale packageName=tailscale/tailscale
 ARG TAILSCALE_VERSION=v1.98.3
@@ -138,7 +138,7 @@ RUN upx --lzma --best /out/tailscale.combined
 # This stage runs on the TARGET platform (no --platform override): gcc then
 # produces native target-arch binaries directly. Under buildx this is
 # transparently emulated via binfmt/QEMU for non-native targets.
-FROM alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d AS busybox
+FROM alpine:3.21.7@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d AS busybox
 # renovate: datasource=docker depName=busybox versioning=docker
 ARG BUSYBOX_VERSION=1.37.0
@@ -289,13 +289,15 @@ docker buildx build --platform linux/arm64 \
 All upstream dependencies are version-pinned for reproducible builds:
 All versions are fully qualified (no floating `major.minor` tags):
 | Dependency | Where | Pinned form |
 |---|---|---|
-| Go toolchain | `Dockerfile` `FROM golang:…` | tag + `@sha256` digest |
+| Go toolchain | `Dockerfile` `FROM golang:…` | full version tag + `@sha256` digest |
-| Alpine (busybox build base) | `Dockerfile` `FROM alpine:…` | tag + `@sha256` digest |
+| Alpine (busybox build base) | `Dockerfile` `FROM alpine:…` | full version tag + `@sha256` digest |
-| Tailscale | `Dockerfile` `ARG TAILSCALE_VERSION` | git release tag |
+| Tailscale | `Dockerfile` `ARG TAILSCALE_VERSION` | full git release tag |
-| busybox | `Dockerfile` `ARG BUSYBOX_VERSION` | release version |
+| busybox | `Dockerfile` `ARG BUSYBOX_VERSION` | full release version |
-| Renovate runner | `.woodpecker/renovate.yaml` `image:` | tag |
+| Renovate / OpenBao | `.woodpecker/renovate.yaml` `image:` | full version tag |
 Updates are proposed automatically by [Renovate](https://docs.renovatebot.com/),
 run **self-hosted** from a Woodpecker cron pipeline (Woodpecker has no native