- Updated Docker Compose files to use digest-pinned images for CI contexts.
- Enhanced Dockerfile to pin Go tool installations and verify external downloads with SHA256 checksums.
- Added Renovate configuration for tracking Go tool versions and digest updates.
- Introduced a new design document outlining the architecture and data flow for dependency tracking.
- Created tasks and requirements documentation to ensure compliance with the new digest pinning policy.
- Updated security documentation to reflect the new digest pinning policy and exceptions.
Requirements - Dependency Digest Tracking Plan
EARS Requirements
- WHEN the nightly workflow executes, THE SYSTEM SHALL use container images pinned by digest for any external service images it runs.
- WHEN a Docker Compose file is used in CI contexts, THE SYSTEM SHALL pin all third-party images by digest or provide a checksum verification step.
- WHEN the Dockerfile downloads external artifacts, THE SYSTEM SHALL verify them with checksums.
- WHEN Go tools are installed in build stages or scripts, THE SYSTEM SHALL pin a specific semantic version instead of @latest.
- WHEN Renovate is configured, THE SYSTEM SHALL be able to update pinned digests and versioned tool installs without manual drift.
- IF a dependency cannot be pinned by digest, THEN THE SYSTEM SHALL document the exception and compensating controls.
- WHEN the Go toolchain shim is installed via golang.org/dl/goX.Y.Z@latest, THE SYSTEM SHALL allow this as an explicit exception and SHALL enforce compensating controls.
- WHEN CI builds a self-hosted image, THE SYSTEM SHALL capture the resulting digest and propagate it to downstream jobs and tests.
- WHEN CI starts the E2E compose stack, THE SYSTEM SHALL default to a digest-pinned image from workflow outputs while allowing a tag override for local runs.
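The following shell script is an added example of how the checks behind these requirements can be enforced; it is not part of the project's own Dockerfile, workflows or scripts. It covers three of the requirements at once: checksum verification of a downloaded artifact (the Dockerfile requirement), selection of the compose image reference (digest from the build job by default, tag override for local runs only), and a lint that flags `go install ...@latest` except for the permitted golang.org/dl/goX.Y.Z@latest toolchain shim. The environment variable names IMAGE_DIGEST, IMAGE_TAG and CI, the image name and the Dockerfile lines in the demo are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not the project's own code. Implements the checks described in
# the requirements above. Assumed names: IMAGE_DIGEST (the digest captured by the
# image build job), IMAGE_TAG (local tag override) and CI (set in CI runners).
set -eu

# sha256_of FILE -> hex digest, using whichever tool the host provides
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 on match, 1 on mismatch.
# A Dockerfile RUN step would call this (or `sha256sum -c`) right after curl/wget.
verify_sha256() {
  actual=$(sha256_of "$1")
  if [ "$actual" != "$2" ]; then
    echo "checksum mismatch for $1: expected $2, got $actual" >&2
    return 1
  fi
}

# image_ref NAME -> prints NAME@sha256:... from IMAGE_DIGEST by default, or
# NAME:TAG when IMAGE_TAG is set; the tag override is refused when CI is set,
# so the E2E stack in CI always runs the digest the build job produced.
image_ref() {
  name=$1
  if [ -n "${IMAGE_TAG:-}" ]; then
    if [ -n "${CI:-}" ]; then
      echo "image_ref: tag override is only allowed for local runs" >&2
      return 1
    fi
    printf '%s:%s\n' "$name" "$IMAGE_TAG"
    return 0
  fi
  # A digest must be exactly sha256: followed by 64 lowercase hex characters.
  if ! printf '%s' "${IMAGE_DIGEST:-}" | grep -Eq '^sha256:[0-9a-f]{64}$'; then
    echo "image_ref: IMAGE_DIGEST missing or malformed: '${IMAGE_DIGEST:-}'" >&2
    return 1
  fi
  printf '%s@%s\n' "$name" "$IMAGE_DIGEST"
}

# lint_go_installs FILE -> 0 if every `go install ...@latest` in FILE is the
# permitted golang.org/dl/go<version>@latest toolchain shim, 1 otherwise.
lint_go_installs() {
  violations=$(grep -En 'go install [^[:space:]]+@latest' "$1" \
    | grep -Ev 'golang\.org/dl/go[0-9][0-9a-z.]*@latest' || true)
  if [ -n "$violations" ]; then
    printf 'unpinned go install (pin a semantic version):\n%s\n' "$violations" >&2
    return 1
  fi
}

# Stand-alone demo on constructed inputs (not real project files).
tmp=$(mktemp -d)
printf 'hello\n' > "$tmp/tool.tar.gz"
cat > "$tmp/Dockerfile" <<'EOF'
RUN go install golang.org/dl/go1.22.3@latest && go1.22.3 download
RUN go install example.com/some/cmd/tool@latest
EOF
verify_sha256 "$tmp/tool.tar.gz" \
  5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 && echo "checksum ok"
lint_go_installs "$tmp/Dockerfile" || echo "lint failed as expected: line 2 is unpinned"
rm -rf "$tmp"
```

The lint only recognises the golang.org/dl shim as an exception; any other @latest install, including a pinned-looking module path with a floating version, fails the check, which is the behaviour the requirements ask for. The digest format check in image_ref is what catches a workflow output that was never set or was truncated before it reaches docker compose.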