
Commit 6f35c32

root: use hashes for dockerfile FROM (#17795)
* root: use hashes for dockerfile from

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix website dockerfile not being updated

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update golang bookworm to trixie

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update outpost runtime to trixie

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* node slim -> trixie slim

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* nginx -> trixie

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
1 parent 88affcc commit 6f35c32


7 files changed

+18
-16
lines changed


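--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -142,7 +142,9 @@ updates:
 labels:
 - dependencies
 - package-ecosystem: docker
-directory: "/"
+directories:
+- /
+- /website
 schedule:
 interval: daily
 time: "04:00"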

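--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
 # Stage 1: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-slim AS node-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-trixie-slim@sha256:45babd1b4ce0349fb12c4e24bf017b90b96d52806db32e001e3013f341bef0fe AS node-builder
 
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
@@ -26,7 +26,7 @@ RUN npm run build && \
 npm run build:sfe
 
 # Stage 2: Build go proxy
-FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.25.3-bookworm AS go-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.25.3-trixie@sha256:7534a6264850325fcce93e47b87a0e3fddd96b308440245e6ab1325fa8a44c91 AS go-builder
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -63,7 +63,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
 go build -o /go/authentik ./cmd/server
 
 # Stage 3: MaxMind GeoIP
-FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.1 AS geoip
+FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.1@sha256:faecdca22579730ab0b7dea5aa9af350bb3c93cb9d39845c173639ead30346d2 AS geoip
 
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
 ENV GEOIPUPDATE_VERBOSE="1"
@@ -76,9 +76,9 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
 /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 4: Download uv
-FROM ghcr.io/astral-sh/uv:0.9.5 AS uv
+FROM ghcr.io/astral-sh/uv:0.9.5@sha256:f459f6f73a8c4ef5d69f4e6fbbdb8af751d6fa40ec34b39a1ab469acd6e289b7 AS uv
 # Stage 5: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.13.9-slim-trixie-fips AS python-base
+FROM ghcr.io/goauthentik/fips-python:3.13.9-slim-trixie-fips@sha256:700fc8c1e290bd14e5eaca50b1d8e8c748c820010559cbfb4c4f8dfbe2c4c9ff AS python-base
 
 ENV VENV_PATH="/ak-root/.venv" \
 PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \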
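Review bot: The `# syntax=docker/dockerfile:1` directive on line 1 is still resolved through a floating tag, so the BuildKit frontend that interprets every instruction in this file is the one image reference the commit leaves unpinned. Pinning it the same way keeps it consistent with the new FROM lines: `# syntax=docker/dockerfile:1@sha256:<frontend-index-digest>` (placeholder; take the digest from the registry). The same first line is visible in the hunks for ldap.Dockerfile, rac.Dockerfile and radius.Dockerfile. It is worth confirming whether Dependabot's docker ecosystem tracks this directive; if it does not, the pinned frontend would need a manual bump.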

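--- a/ldap.Dockerfile
+++ b/ldap.Dockerfile
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
 # Stage 1: Build
-FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.25.3-bookworm AS builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.25.3-trixie@sha256:7534a6264850325fcce93e47b87a0e3fddd96b308440245e6ab1325fa8a44c91 AS builder
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -31,7 +31,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
 go build -o /go/ldap ./cmd/ldap
 
 # Stage 2: Run
-FROM ghcr.io/goauthentik/fips-debian:bookworm-slim-fips
+FROM ghcr.io/goauthentik/fips-debian:trixie-slim-fips@sha256:9b4cedf932e97194f1825124830f2eec14254d90162dad28f97e505971543115
 
 ARG VERSION
 ARG GIT_BUILD_HASH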
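Review bot: The runtime stage at line 34 has no `--platform=${BUILDPLATFORM}`, so it is resolved for the target platform, and the page does not show whether the pinned digest is that of the multi-arch image index or of one architecture's manifest. If it is a per-architecture digest, builds for other targets would likely pull a mismatched base; confirm it with an index inspection such as `docker buildx imagetools inspect <image>:<tag>` before relying on it. Because `trixie-slim-fips` is a rolling tag, a short comment above the FROM such as `# digest pinned; bumped by Dependabot (docker ecosystem)` would tell readers how the pin is kept current. The same runtime FROM appears in proxy.Dockerfile and radius.Dockerfile, and rac.Dockerfile pins its guacd runtime image the same way. The run stage continues past the end of this hunk.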

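--- a/proxy.Dockerfile
+++ b/proxy.Dockerfile
@@ -17,7 +17,7 @@ COPY web .
 RUN npm run build-proxy
 
 # Stage 2: Build
-FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.25.3-bookworm AS builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.25.3-trixie@sha256:7534a6264850325fcce93e47b87a0e3fddd96b308440245e6ab1325fa8a44c91 AS builder
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -47,7 +47,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
 go build -o /go/proxy ./cmd/proxy
 
 # Stage 3: Run
-FROM ghcr.io/goauthentik/fips-debian:bookworm-slim-fips
+FROM ghcr.io/goauthentik/fips-debian:trixie-slim-fips@sha256:9b4cedf932e97194f1825124830f2eec14254d90162dad28f97e505971543115
 
 ARG VERSION
 ARG GIT_BUILD_HASH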

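--- a/rac.Dockerfile
+++ b/rac.Dockerfile
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
 # Stage 1: Build
-FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.25.3-bookworm AS builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.25.3-trixie@sha256:7534a6264850325fcce93e47b87a0e3fddd96b308440245e6ab1325fa8a44c91 AS builder
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -31,7 +31,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
 go build -o /go/rac ./cmd/rac
 
 # Stage 2: Run
-FROM ghcr.io/goauthentik/guacd:v1.6.0-fips
+FROM ghcr.io/goauthentik/guacd:v1.6.0-fips@sha256:1d99572b0260924149b8c923c021a32016f885fcea6d5cc8d58f718dfdc7a2dd
 
 ARG VERSION
 ARG GIT_BUILD_HASH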

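--- a/radius.Dockerfile
+++ b/radius.Dockerfile
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
 # Stage 1: Build
-FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.25.3-bookworm AS builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.25.3-trixie@sha256:7534a6264850325fcce93e47b87a0e3fddd96b308440245e6ab1325fa8a44c91 AS builder
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -31,7 +31,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
 go build -o /go/radius ./cmd/radius
 
 # Stage 2: Run
-FROM ghcr.io/goauthentik/fips-debian:bookworm-slim-fips
+FROM ghcr.io/goauthentik/fips-debian:trixie-slim-fips@sha256:9b4cedf932e97194f1825124830f2eec14254d90162dad28f97e505971543115
 
 ARG VERSION
 ARG GIT_BUILD_HASH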

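--- a/website/Dockerfile
+++ b/website/Dockerfile
@@ -1,4 +1,4 @@
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-slim AS docs-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-trixie-slim@sha256:45babd1b4ce0349fb12c4e24bf017b90b96d52806db32e001e3013f341bef0fe AS docs-builder
 
 ENV NODE_ENV=production
 
@@ -21,6 +21,6 @@ COPY ./SECURITY.md /work/
 
 RUN npm run build
 
-FROM docker.io/library/nginx:1.29.0
+FROM docker.io/library/nginx:1.29-trixie@sha256:b619c34a163ac12f68c1982568a122c4953dbf3126b8dbf0cc2f6fdbfd85de27
 
 COPY --from=docs-builder /work/website/docs/build /usr/share/nginx/html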
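Review bot: The final stage at line 24 moves from the exact tag `nginx:1.29.0` to the minor tag `1.29-trixie`, and since the digest alone decides what is pulled, the tag no longer tells a reader which nginx patch release the digest corresponds to. Later digest bumps would then change the patch version in a diff that shows only a hash. Keeping the full version in the tag preserves that audit trail: `FROM docker.io/library/nginx:1.29.<patch>-trixie@sha256:<digest>` (placeholders; use the patch release the pinned digest was taken from). The builder on line 1 has the same property with `node:24-trixie-slim`, although its tag was already major-only before this commit.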
