PR: #55 (feat/27-docker-compose)
Files: deploy/compose/docker-compose.yml alloy image line
image: grafana/alloy:v1.4.3
Semantic version tags on Docker Hub are not immutable by default — maintainers can push a new image under the same tag. A docker compose pull on the Hetzner host will silently pull a new image under v1.4.3 if the digest has changed, with no diff visible in the repository. While Grafana generally practices tag immutability, this is convention not enforcement.
This is consistent with the base-image pinning problem in the Dockerfile (separate issue). The production stack should have uniform supply-chain hygiene across all images.
Suggested fix:
image: grafana/alloy:v1.4.3@sha256:<digest>
Retrieve the current digest:
docker pull grafana/alloy:v1.4.3
docker inspect grafana/alloy:v1.4.3 --format '{{index .RepoDigests 0}}'
Refs #55
PR: #55 (feat/27-docker-compose)
Files: deploy/compose/docker-compose.yml alloy image line
Semantic version tags on Docker Hub are not immutable by default — maintainers can push a new image under the same tag. A
docker compose pullon the Hetzner host will silently pull a new image underv1.4.3if the digest has changed, with no diff visible in the repository. While Grafana generally practices tag immutability, this is convention not enforcement.This is consistent with the base-image pinning problem in the Dockerfile (separate issue). The production stack should have uniform supply-chain hygiene across all images.
Suggested fix:
Retrieve the current digest:
Refs #55