From c16154176c7be9bf3cf3e7627b7368698e25a02e Mon Sep 17 00:00:00 2001
From: Teodor Calin
Date: Thu, 28 May 2026 23:05:59 -0700
Subject: [PATCH] fix(docker): pin alpine base + apk package versions (PILOT-154)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The runtime stage was using `FROM alpine:3.20` and an unpinned `apk add --no-cache ca-certificates tzdata`. Both make the produced image content non-deterministic across rebuilds — Alpine's :3.20 tag moves with patch releases, and apk pulls whatever the cdn currently offers.

Pinned to alpine:3.20.6 + the current apk versions on that base:
ca-certificates=20260413-r0
tzdata=2026b-r0

Bump-together comment in the Dockerfile so the next person updating knows to bump base + packages in lockstep + verify versions exist on dl-cdn before merging.

Verified: `docker build .` clean (smoke test).

Closes PILOT-154
---
 Dockerfile | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 5405164..c6d7714 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -14,8 +14,15 @@ RUN CGO_ENABLED=0 GOOS=linux \
 # Stage 2: minimal runtime. Alpine carries ca-certs for outbound HTTPS
 # (OpenAI/Cohere/embedding sidecars).
-FROM alpine:3.20
-RUN apk add --no-cache ca-certificates tzdata && \
+#
+# PILOT-154: pin both the base image patch level AND apk packages so
+# rebuilds are deterministic. Bump these together when the Alpine 3.20.x
+# branch picks up a security update — verify the new versions are still
+# available in dl-cdn.alpinelinux.org/alpine/v3.20/main before merging.
+FROM alpine:3.20.6
+RUN apk add --no-cache \
+ ca-certificates=20260413-r0 \
+ tzdata=2026b-r0 && \
 addgroup -S cosift && adduser -S -G cosift cosift && \
 mkdir -p /var/lib/cosift && chown -R cosift:cosift /var/lib/cosift