
chore: pin Dockerfile base image to SHA256 digest#119

Merged: AdriaCarrera merged 1 commit into main from chore/pin-dockerfile-digest on May 13, 2026

Conversation

@kpitapeersyst kpitapeersyst commented Apr 24, 2026


chore: pin Dockerfile base image to SHA256 digest

Motivation 💡

The Dockerfile pinned the Go base image by tag only (golang:1.23.8). Tags on Docker Hub are mutable: the same tag can be re-pushed with different layers by the publisher or via a supply-chain compromise, which would silently land in every image published to peersyst/exrp. Pinning by digest makes the base image content-addressed and immutable per build.

Changes 🛠

  • Pinned the base stage to golang:1.23.8@sha256:ec5612bbd9e96d5b80a8b968cea06a4a9b985fe200ff6da784bf607063273c59
  • Pinned the release stage to the same digest so the final image userspace and CA bundle match the build stage

Summary by CodeRabbit

  • Chores
    • Enhanced build image versioning to improve reproducibility and build consistency.
    • Fixed end-of-file formatting.
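A static check for the property this PR establishes, added here as an example and not part of the PR or the peersyst/exrp repository: it scans a Dockerfile's FROM lines and reports any image reference that is not pinned to a sha256 digest, skipping references to earlier build stages and the reserved image "scratch". The BEFORE/AFTER Dockerfiles are constructed to mirror the change described above; the digest is the one quoted in the PR description.

```python
import re

# FROM instruction: optional --platform flag, image reference, optional "AS <stage>".
# Constructed for this check; it handles the common forms, not every corner of the grammar.
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)
# A digest-pinned reference ends in @sha256:<64 lowercase hex chars>.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def find_unpinned_from(dockerfile_text):
    """Return [(line_number, image_ref)] for FROM lines not pinned by digest.

    A FROM that names an earlier stage ("FROM base") inherits that stage's pin
    and is skipped, as is the reserved empty image "scratch". References built
    from build ARGs are reported: their digest cannot be checked statically.
    """
    stages = set()
    unpinned = []
    for lineno, raw in enumerate(dockerfile_text.splitlines(), start=1):
        m = FROM_RE.match(raw)
        if not m:
            continue
        ref, stage = m.group("ref"), m.group("stage")
        if ref.lower() in stages or ref.lower() == "scratch":
            pass  # stage alias or scratch: no upstream content to pin
        elif not DIGEST_RE.search(ref):
            unpinned.append((lineno, ref))
        if stage:
            stages.add(stage.lower())
    return unpinned


# Constructed sample in the shape of the PR's "before": both stages pinned by tag only.
BEFORE = """\
FROM golang:1.23.8 AS base
WORKDIR /src
RUN go build -o /src/app ./...

FROM golang:1.23.8 AS release
COPY --from=base /src/app /app
CMD ["/app"]
"""

# The same file after the change, both stages on the digest from the PR description.
DIGEST = "sha256:ec5612bbd9e96d5b80a8b968cea06a4a9b985fe200ff6da784bf607063273c59"
AFTER = BEFORE.replace("golang:1.23.8", f"golang:1.23.8@{DIGEST}")
```

Running `find_unpinned_from(BEFORE)` flags both FROM lines, while `find_unpinned_from(AFTER)` returns an empty list; wiring the check into CI keeps a later edit from silently reverting to a mutable tag.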

coderabbitai Bot commented Apr 24, 2026


No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 43c1c36 and dec353c.

📒 Files selected for processing (1)
  • Dockerfile

📝 Walkthrough

The Dockerfile is updated to pin both the base and release build stages to the Go image using immutable SHA256 digests instead of mutable version tags, ensuring reproducible builds. A trailing newline is added to the file.

Changes

Cohort / File(s): Docker Build Configuration (Dockerfile)
Summary: Pinned golang:1.23.8 to immutable digest (golang:1.23.8@sha256:...) in both base and release stages; added trailing newline for proper file formatting.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A digest to ensure, no mutable doubt,
Base and release both pinned, reproducible throughout!
No surprises at build time, just steady control,
The Dockerfile stands firm, predictable and whole. 📌

🚥 Pre-merge checks: ✅ 5 passed
  • Title check ✅ Passed: The title accurately summarizes the main change: pinning the Dockerfile base image to a SHA256 digest for immutability.
  • Description check ✅ Passed: The description follows the template structure with Motivation and Changes sections clearly filled out, explaining the security rationale and specific changes made.
  • Docstring Coverage ✅ Passed: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check ✅ Passed: Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check ✅ Passed: Check skipped because no linked issues were found for this pull request.

@AdriaCarrera AdriaCarrera merged commit c038ead into main May 13, 2026
6 checks passed
@AdriaCarrera AdriaCarrera deleted the chore/pin-dockerfile-digest branch May 13, 2026 08:55