Coy Geek 8ae2d5110f fix(docker): pin base images to SHA256 digests (#7734) ...

* fix(docker): pin base images to SHA256 digests for supply chain security

Pin all 9 Dockerfiles to immutable SHA256 digests to prevent supply chain
attacks where a compromised upstream image could be silently pulled into
production builds.

Also add Docker ecosystem to Dependabot configuration for automated
digest updates.

Images pinned:
- node:22-bookworm@sha256:cd7bcd2e7a1e6f72052feb023c7f6b722205d3fcab7bbcbd2d1bfdab10b1e935
- node:22-bookworm-slim@sha256:3cfe526ec8dd62013b8843e8e5d4877e297b886e5aace4a59fec25dc20736e45
- debian:bookworm-slim@sha256:98f4b71de414932439ac6ac690d7060df1f27161073c5036a7553723881bffbe
- ubuntu:24.04@sha256:cd1dba651b3080c3686ecf4e3c4220f026b521fb76978881737d24f200828b2b

Fixes #7731

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* test(docker): add digest pinning regression coverage

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

2026-02-19 12:42:07 -08:00

..

actions

ci: harden workflow action input handling

2026-02-19 15:27:48 +01:00

instructions

Centralize date/time formatting utilities (#11831)

2026-02-08 04:53:31 -08:00

ISSUE_TEMPLATE

Docs: move submission guidance to GitHub templates (#16232)

2026-02-14 08:27:01 -06:00

workflows

ci: move workflows to blacksmith 16vcpu runners

2026-02-19 17:25:15 +01:00

actionlint.yaml

fix(ci): restore actionlint rules and add blacksmith 16 ignore

2026-02-19 17:29:51 +01:00

dependabot.yml

fix(docker): pin base images to SHA256 digests (#7734)

2026-02-19 12:42:07 -08:00

FUNDING.yml

chore: Run pnpm format:fix.

2026-01-31 21:13:13 +09:00

labeler.yml

feat: IRC — add first-class channel support

2026-02-10 17:33:57 -06:00

pull_request_template.md

Docs: move submission guidance to GitHub templates (#16232)

2026-02-14 08:27:01 -06:00