pin Dockerfile FROMs to digests #396

Open
escapewindow opened this issue Sep 8, 2021 · 0 comments
@escapewindow

We point our Dockerfiles at Docker Hub tags, but those tags can move at any point, and we may hit unexpected bustage. Recently, the python:3.8 docker tag moved to an image with an incompatible osslsigncode, which busted signingscript.

Ben suggested we pin our Dockerfiles to digests and explicitly bump them. Renovatebot can bump these (though we may have to do so manually if we specify the digest in an env var). This way we can explicitly decide when to roll out a new base image, after we've tested it for bustage.
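A check for the pinning proposed in this issue, as an added example (not code from this repository or from the issue author): it reports every `FROM` whose image is not pinned to a `sha256` digest, resolving digests supplied through a global `ARG` default and skipping `scratch` and references to earlier build stages. The function name, the sample Dockerfile, the `debian:bullseye-slim` line and the digest value are constructed for illustration.

```python
import re

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
VAR_RE = re.compile(r"\$\{?(\w+)\}?")

def unpinned_froms(dockerfile_text):
    """Return [(line_number, image)] for every FROM that is not digest-pinned."""
    global_args = {}   # ARG defaults declared before the first FROM
    stages = set()     # names of earlier build stages (FROM ... AS name)
    seen_from = False
    findings = []
    for lineno, raw in enumerate(dockerfile_text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].upper()
        if keyword == "ARG" and not seen_from and len(parts) > 1 and "=" in parts[1]:
            name, _, default = parts[1].partition("=")
            global_args[name] = default.strip("\"'")
        elif keyword == "FROM":
            seen_from = True
            # Drop flags such as --platform=... before reading the image reference.
            tokens = [p for p in parts[1:] if not p.startswith("--")]
            if not tokens:
                continue
            # Expand $VAR / ${VAR}; unresolved variables stay as-is and get reported.
            image = VAR_RE.sub(lambda m: global_args.get(m.group(1), m.group(0)), tokens[0])
            exempt = image == "scratch" or image.lower() in stages
            if not exempt and not DIGEST_RE.search(image):
                findings.append((lineno, image))
            if len(tokens) >= 3 and tokens[1].upper() == "AS":
                stages.add(tokens[2].lower())
    return findings

# Constructed sample; the digest is a placeholder, not a real image digest.
FAKE_DIGEST = "sha256:" + "a" * 64
SAMPLE = "\n".join([
    f"ARG BASE=python:3.8@{FAKE_DIGEST}",
    "FROM python:3.8 AS builder",
    "FROM --platform=linux/amd64 ${BASE} AS signer",
    "FROM builder AS test",
    "FROM scratch",
    "FROM debian:bullseye-slim",
])

if __name__ == "__main__":
    for lineno, image in unpinned_froms(SAMPLE):
        print(f"line {lineno}: {image} is not pinned to a digest")
```

A `FROM` that uses a variable with no default (set only at build time) is reported, since the Dockerfile alone cannot show that it resolves to a digest.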
