GO_VERSION is used as a build-arg in the release workflow (it passes only the version extracted from go.mod). That overrides this default tag@digest value, so CI/release builds will end up using an unpinned golang:1.25.9 base and the digest pinning here won’t actually take effect for published images. Consider either (a) passing tag@digest from the workflow, (b) splitting version and digest into separate args (or hardcoding digest in FROM), or (c) removing the workflow override if you want Dockerfile-controlled pinning.
ARG GO_VERSION=1.25.9
ARG GO_IMAGE_DIGEST=sha256:7a00384194cf2cb68924bbb918d675f1517357433c8541bac0ab2f929b9d5447
FROM golang:${GO_VERSION}@${GO_IMAGE_DIGEST} AS build
ref: #1997 (comment)
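Added example, not code from this PR or the project: a small check that resolves each `FROM` the way `--build-arg` substitution does and reports whether the result is still digest-pinned. `resolve_from`, `is_pinned`, the `BEFORE` Dockerfile (reconstructed from the comment's description of a single `tag@digest` default) and `WORKFLOW_ARGS` are assumptions made for illustration.

```python
import re

ARG_RE = re.compile(r"^ARG\s+(\w+)(?:=(.*))?$", re.IGNORECASE)
FROM_RE = re.compile(r"^FROM\s+(?:--\S+\s+)*(\S+)", re.IGNORECASE)
VAR_RE = re.compile(r"\$\{(\w+)\}|\$(\w+)")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

DIGEST = "sha256:7a00384194cf2cb68924bbb918d675f1517357433c8541bac0ab2f929b9d5447"

# Assumed "before" layout, reconstructed from the review comment: tag@digest in one ARG.
BEFORE = f"""\
ARG GO_VERSION=1.25.9@{DIGEST}
FROM golang:${{GO_VERSION}} AS build
"""

# Layout from the suggestion on this page: version and digest in separate ARGs.
AFTER = f"""\
ARG GO_VERSION=1.25.9
ARG GO_IMAGE_DIGEST={DIGEST}
FROM golang:${{GO_VERSION}}@${{GO_IMAGE_DIGEST}} AS build
"""

# Constructed stand-in for the release workflow: it passes only the Go version.
WORKFLOW_ARGS = {"GO_VERSION": "1.25.9"}

def resolve_from(dockerfile, build_args):
    """Return each FROM image reference after ARG substitution."""
    scope, refs = {}, []
    for raw in dockerfile.splitlines():
        line = raw.strip()
        arg = ARG_RE.match(line)
        if arg and not refs:  # only ARGs before the first FROM are visible to FROM
            name, default = arg.group(1), arg.group(2) or ""
            scope[name] = build_args.get(name, default)  # --build-arg beats default
            continue
        frm = FROM_RE.match(line)
        if frm:
            refs.append(VAR_RE.sub(
                lambda v: scope.get(v.group(1) or v.group(2), ""), frm.group(1)))
    return refs

def is_pinned(ref):
    """True when the resolved reference ends in a sha256 digest."""
    return bool(DIGEST_RE.search(ref))

if __name__ == "__main__":
    for label, df in (("before", BEFORE), ("after", AFTER)):
        for ref in resolve_from(df, WORKFLOW_ARGS):
            print(f"{label}: {ref} pinned={is_pinned(ref)}")
```

Run against the real Dockerfile with the build args the release workflow actually passes, this kind of check can gate CI so an override that drops the digest fails the build instead of shipping silently.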