chore(build): pin base Docker images

Author: azasypkin

Dockerfile

@@ -1,4 +1,4 @@
-FROM rust:1.93-slim-trixie AS builder
+FROM rust:1.93-slim-trixie@sha256:c0a38f5662afdb298898da1d70b909af4bda4e0acff2dc52aea6360a9b9c6956 AS builder
 WORKDIR /app
 
 ARG TARGETARCH
@@ -20,7 +20,7 @@ RUN --mount=type=cache,target=/app/target cargo build --release && \
     upx --best --lzma ./retrack
 
 # Check out https://gcr.io/distroless/cc-debian13:nonroot
-FROM gcr.io/distroless/cc-debian13:nonroot
+FROM gcr.io/distroless/cc-debian13:nonroot@sha256:9c4fe2381c2e6d53c4cfdefeff6edbd2a67ec7713e2c3ca6653806cbdbf27a1e
 EXPOSE 7676
 
 WORKDIR /app

Dockerfile.web-scraper

@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM node:22-slim AS builder
+FROM --platform=$BUILDPLATFORM node:22-slim@sha256:80fdb3f57c815e1b638d221f30a826823467c4a56c8f6a8d7aa091cd9b1675ea AS builder
 WORKDIR /app
 
 # Copy workspace root `package.json` and `package-lock.json` files,
@@ -12,7 +12,7 @@ COPY ["./components/retrack-web-scraper", "./components/retrack-web-scraper"]
 RUN set -x && npm test --ws
 RUN set -x && npm run build --ws
 
-FROM node:22-slim
+FROM node:22-slim@sha256:80fdb3f57c815e1b638d221f30a826823467c4a56c8f6a8d7aa091cd9b1675ea
 ENV NODE_ENV=production \
     PLAYWRIGHT_BROWSERS_PATH=/ms-playwright \
     RETRACK_WEB_SCRAPER_BROWSER_CHROMIUM_EXECUTABLE_PATH=/usr/local/bin/chromium

Dockerfile.web-scraper-camoufox

@@ -1,4 +1,4 @@
-FROM python:3.14-slim-trixie
+FROM python:3.14-slim-trixie@sha256:fb83750094b46fd6b8adaa80f66e2302ecbe45d513f6cece637a841e1025b4ca
 EXPOSE 7777
 
 ENV CAMOUFOX_PORT=7777

Makefile

@@ -2,7 +2,7 @@ COMPOSE_DB   := dev/docker/docker-compose.yml
 ENV_FILE     := .env
 CHROME_PATH  ?= /Applications/Google Chrome.app/Contents/MacOS/Google Chrome
 
-.PHONY: dev-up dev-down api scraper-setup scraper scraper-debug db-reset db-migrate test test-api test-scraper fmt clippy check docker-api docker-scraper docker-scraper-camoufox clean help
+.PHONY: dev-up dev-down api scraper-setup scraper scraper-debug db-reset db-migrate test test-api test-scraper fmt clippy check docker-api docker-scraper docker-scraper-camoufox docker-pin-digests clean help
 
 ## ---------- Development ----------
 
@@ -79,6 +79,9 @@ docker-scraper: ## Build the Web Scraper (Chromium) Docker image.
 docker-scraper-camoufox: ## Build the Web Scraper (Camoufox/Firefox) Docker image.
 	docker build --tag retrack-web-scraper-camoufox:latest -f Dockerfile.web-scraper-camoufox .
 
+docker-pin-digests: ## Re-pin base images in Dockerfiles to current SHA256 digests.
+	./dev/scripts/docker-pin-digests.sh
+
 ## ---------- Misc ----------
 
 clean: ## Remove build artifacts.

dev/scripts/docker-pin-digests.sh

@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+#
+# Re-pin base images in Retrack Dockerfiles to their current SHA256 manifest-list digests.
+# Usage: ./dev/scripts/docker-pin-digests.sh
+#
+set -euo pipefail
+
+RETRACK_ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
+
+DOCKERFILES=(
+  "$RETRACK_ROOT/Dockerfile"
+  "$RETRACK_ROOT/Dockerfile.web-scraper"
+  "$RETRACK_ROOT/Dockerfile.web-scraper-camoufox"
+)
+
+# File-based cache so subshells can share resolved digests.
+CACHE_FILE="$(mktemp)"
+trap 'rm -f "$CACHE_FILE"' EXIT
+
+get_digest() {
+  local image="$1"
+
+  # Check cache.
+  local cached
+  cached="$(grep -F "$image " "$CACHE_FILE" 2>/dev/null | head -1 | awk '{print $2}')" || true
+  if [[ -n "$cached" ]]; then
+    echo "$cached"
+    return
+  fi
+
+  echo "  Fetching digest for $image ..." >&2
+  local digest
+  digest="$(docker buildx imagetools inspect "$image" 2>/dev/null \
+    | grep -m1 '^Digest:' | awk '{print $2}')"
+
+  if [[ -z "$digest" || ! "$digest" =~ ^sha256: ]]; then
+    echo "ERROR: failed to fetch digest for $image" >&2
+    return 1
+  fi
+
+  # Strip the sha256: prefix  we add it back when rewriting.
+  digest="${digest#sha256:}"
+  echo "$image $digest" >> "$CACHE_FILE"
+  echo "$digest"
+}
+
+for dockerfile in "${DOCKERFILES[@]}"; do
+  [[ -f "$dockerfile" ]] || { echo "SKIP: $dockerfile not found"; continue; }
+
+  tmp="$(mktemp)"
+  changed=false
+
+  while IFS= read -r line; do
+    if [[ "$line" =~ ^FROM[[:space:]] ]]; then
+      # Strip any existing @sha256:... from the image reference.
+      stripped="$(echo "$line" | sed -E 's/@sha256:[0-9a-f]+//')"
+
+      # Extract the image:tag - it's the token after FROM (and optional --platform=...).
+      image_tag="$(echo "$stripped" | sed -E 's/^FROM[[:space:]]+(--platform=[^ ]+[[:space:]]+)?([^ ]+).*/\2/')"
+
+      digest="$(get_digest "$image_tag")"
+      # Insert @sha256:digest right after the image:tag in the stripped line.
+      line="$(echo "$stripped" | sed -E "s|${image_tag}|${image_tag}@sha256:${digest}|")"
+      changed=true
+    fi
+    echo "$line"
+  done < "$dockerfile" > "$tmp"
+
+  if $changed; then
+    mv "$tmp" "$dockerfile"
+    echo "Pinned: $dockerfile"
+  else
+    rm "$tmp"
+    echo "SKIP: no FROM lines in $dockerfile"
+  fi
+done