From 6d286faabdc93c1120f9acdd34f82c4158aab1a6 Mon Sep 17 00:00:00 2001
From: user <user@Mac.lan guest wan>
Date: Fri, 20 Feb 2026 10:45:58 -0800
Subject: [PATCH] fix: pin Docker images and Go tool versions (closes #118)

- Pin golang:1.25-alpine to sha256:f6751d823c26342f9506c03797d2527668d095b0a15f1862cddb4d927a7a4ced
- Pin alpine:3.19 to sha256:6baf43584bcb78f2e5847d1de515f23499913ac9f12bdf834811a3145eb11ca1
- Pin golangci-lint to v2.10.1 (was @latest)
- Pin goimports to v0.42.0 (was @latest)

Go module verification via go.sum provides cryptographic hash checking,
so version pinning is sufficient for go install commands.
---
 Dockerfile | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 4f425ea..dddd797 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,11 +1,11 @@
 # Build stage
-FROM golang:1.25-alpine AS builder
+FROM golang:1.25-alpine@sha256:f6751d823c26342f9506c03797d2527668d095b0a15f1862cddb4d927a7a4ced AS builder
 
 RUN apk add --no-cache git make gcc musl-dev
 
 # Install golangci-lint v2
-RUN go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
-RUN go install golang.org/x/tools/cmd/goimports@latest
+RUN go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.10.1
+RUN go install golang.org/x/tools/cmd/goimports@v0.42.0
 
 WORKDIR /src
 COPY go.mod go.sum ./
@@ -20,7 +20,7 @@ RUN make check
 RUN make build
 
 # Runtime stage
-FROM alpine:3.19
+FROM alpine:3.19@sha256:6baf43584bcb78f2e5847d1de515f23499913ac9f12bdf834811a3145eb11ca1
 
 RUN apk add --no-cache ca-certificates tzdata git openssh-client docker-cli