- Updated Docker Compose files to use digest-pinned images for CI contexts.
- Enhanced Dockerfile to pin Go tool installations and verify external downloads with SHA256 checksums.
- Added Renovate configuration for tracking Go tool versions and digest updates.
- Introduced a new design document outlining the architecture and data flow for dependency tracking.
- Created tasks and requirements documentation to ensure compliance with the new digest pinning policy.
- Updated security documentation to reflect the new digest pinning policy and exceptions.
Design - Dependency Digest Tracking Plan
Architecture Overview
This change set hardens the nightly build and CI surfaces by pinning container images to digests, pinning Go tool installs to fixed versions, and verifying external artifact downloads with SHA256 checksums.
Data Flow
- Build workflows produce an image digest via buildx and expose it as a job output.
- Downstream jobs and tests consume the digest to pull and run immutable images.
- CI compose files reference third-party images as `name:tag@sha256:digest`.
- Dockerfile download steps verify artifacts using SHA256 checksums before extraction.
Interfaces
- GitHub Actions job outputs: `build-and-push-nightly.outputs.digest`
- Compose overrides:
  - `CHARON_E2E_IMAGE_DIGEST` (preferred; the digest-pinned reference taken from the workflow output)
  - `CHARON_E2E_IMAGE` (tag-based local override)
  - `CHARON_IMAGE`, `CHARON_DEV_IMAGE` (local overrides for tag-only usage)
Error Handling
- Dockerfile checksum verification uses `sha256sum -c` to fail fast on mismatches.
- CI workflows rely on digest references; failure to resolve a digest fails the job early.
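The download-verify-extract pattern the Dockerfile relies on, as an added example that is not the project's own Dockerfile. The "download" is a local copy so the example runs offline; the payload is the constructed string `hello\n`, whose SHA-256 is the value in `ARTIFACT_SHA256`. The point of the example is the failure path: a mismatch must stop the build before anything is extracted, and must not leave the unverified file behind for a later step to pick up.

```shell
#!/usr/bin/env sh
# Added example (not the project's Dockerfile). Payload and hash are constructed.

# SHA-256 of the constructed payload "hello\n" (the kind of literal that lives
# in the Dockerfile next to the download URL and that Renovate would bump).
ARTIFACT_SHA256=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

# verify_sha256 FILE EXPECTED_HEX -> 0 if FILE hashes to EXPECTED_HEX, else 1.
# Same shape as the Dockerfile step:  echo "<sha>  <file>" | sha256sum -c -
# (two spaces between hash and filename is the format sha256sum -c expects).
verify_sha256() {
  file=$1; expected=$2
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s  %s\n' "$expected" "$file" | sha256sum -c --status -
  else
    printf '%s  %s\n' "$expected" "$file" | shasum -a 256 -c --status -
  fi
}

# fetch_and_verify SRC DEST EXPECTED_HEX
# In a Dockerfile SRC would be a URL fetched with curl/wget; here it is a
# local path so the example runs offline. Fails closed: on mismatch the
# file is removed so a following "tar -xzf DEST" step has nothing to extract.
fetch_and_verify() {
  src=$1; dest=$2; expected=$3
  cp "$src" "$dest" || return 1
  if verify_sha256 "$dest" "$expected"; then
    return 0
  fi
  echo "checksum mismatch for $dest (expected $expected)" >&2
  rm -f "$dest"
  return 1
}

# Demo on a constructed artifact.
WORK=$(mktemp -d)
printf 'hello\n' > "$WORK/upstream.tgz"     # stand-in for the remote download
fetch_and_verify "$WORK/upstream.tgz" "$WORK/artifact.tgz" "$ARTIFACT_SHA256" \
  && echo "verified $WORK/artifact.tgz"
```

In a `RUN` step the equivalent is `curl -fsSLo artifact.tgz "$URL" && echo "${ARTIFACT_SHA256}  artifact.tgz" | sha256sum -c - && tar -xzf artifact.tgz`: the `&&` chain means a non-zero exit from `sha256sum -c` aborts the layer, which is the fail-fast behaviour the design document describes.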
Implementation Considerations
- Tag+digest pairs preserve human-readable tags while enforcing immutability.
- Renovate regex managers track pinned versions for Go tools and the go.work toolchain version.
- The Go toolchain shim uses `@latest` by exception and reads the pinned version from go.work.
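Reading the pinned version out of go.work rather than hard-coding it is the part a shim needs to get right, so here is an added example of that parsing (not the project's shim). It prefers the `toolchain go1.X.Y` directive and falls back to the `go 1.X.Y` directive; the go.work content is constructed for the example, and the `go install golang.org/dl/go${VERSION}@latest` command it prints is an assumption about how a version-specific wrapper would be fetched, not something the page states.

```shell
#!/usr/bin/env sh
# Added example (not the project's toolchain shim). go.work content is constructed.

# go_work_version FILE -> prints the pinned Go version (e.g. 1.23.4), or
# returns 1 if FILE has neither a "toolchain" nor a "go" directive.
# The toolchain directive wins because it is the exact version `go` would
# download; the go directive is only a minimum. Pre-release suffixes such
# as 1.23rc1 are passed through unchanged.
go_work_version() {
  f=$1
  v=$(sed -n 's/^toolchain[[:space:]]\{1,\}go\([0-9][0-9A-Za-z.]*\).*/\1/p' "$f" | head -n 1)
  [ -n "$v" ] || v=$(sed -n 's/^go[[:space:]]\{1,\}\([0-9][0-9A-Za-z.]*\).*/\1/p' "$f" | head -n 1)
  [ -n "$v" ] || return 1
  printf '%s\n' "$v"
}

# toolchain_install_cmd VERSION -> prints the one @latest install this shim
# would run. ASSUMPTION for the example: the golang.org/dl/goX.Y.Z wrapper
# module is versioned by its import path, so @latest cannot change which Go
# toolchain is obtained; the pin is the module path, not the module version.
toolchain_install_cmd() {
  printf 'go install golang.org/dl/go%s@latest\n' "$1"
}

# Demo with a constructed go.work.
WORK=$(mktemp -d)
cat > "$WORK/go.work" <<'EOF'
go 1.23.0

toolchain go1.23.4

use .
EOF
VERSION=$(go_work_version "$WORK/go.work") || { echo "no Go version pinned in go.work" >&2; exit 1; }
echo "pinned toolchain: $VERSION"
toolchain_install_cmd "$VERSION"
```

Because the version string is lifted from go.work at run time, the Renovate regex manager only has to keep go.work current; the shim picks up the bump without a second edit, and the `@latest` exception stays confined to the one wrapper module whose path already encodes the version.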