fix: harden image builds #545

Open
012xx wants to merge 6 commits into main from checksum

Conversation

012xx (Contributor) commented Apr 22, 2026

Overview

Hardened image builds by pinning base image digests and replacing same-source checksum verification with pinned checksums for downloaded artifacts.
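The pinned-checksum approach the description refers to, as an added shell example that is not code from the ubuntu-base repository: the expected SHA-256 is a constant in the build source, so an artifact and a checksum file fetched from the same origin can no longer vouch for each other. The function names, the sample file and its pinned value are constructed for the example; the same check is what a `RUN echo "<pin>  artifact" | sha256sum -c -` step does inside a Dockerfile.

```shell
#!/bin/sh
# Added example (not from the ubuntu-base repository): verify a downloaded
# artifact against a checksum pinned in the build source instead of against a
# checksum file downloaded from the same place as the artifact.
set -eu

# Compute the SHA-256 of a file with GNU coreutils or BSD/macOS tooling.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_artifact FILE EXPECTED_SHA256
# Returns 0 when FILE hashes to the pinned value, 1 otherwise.
# The pin must be exactly 64 lowercase hex characters: a truncated or
# mistyped pin is rejected outright rather than silently never matching.
verify_artifact() {
    file=$1
    expected=$2
    case "$expected" in
        *[!0-9a-f]*|'') echo "verify_artifact: malformed pinned checksum" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "verify_artifact: pin must be 64 hex chars" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "verify_artifact: checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Demo on a constructed artifact: the pin below is the SHA-256 of "hello world\n".
demo=$(mktemp)
printf 'hello world\n' > "$demo"
PINNED=a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447
verify_artifact "$demo" "$PINNED" && echo "artifact OK"
rm -f "$demo"
```

A build step that calls `verify_artifact` before extracting or installing the download fails closed on any mismatch, so a replaced upstream tarball breaks the build instead of shipping in the image.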

@012xx 012xx self-assigned this Apr 22, 2026
Comment thread 22.04/ubuntu-debug/Dockerfile Outdated
Comment thread 22.04/ubuntu-debug/Dockerfile Outdated
@012xx 012xx requested a review from pddg April 23, 2026 02:13
@012xx 012xx marked this pull request as ready for review April 23, 2026 02:13
Comment thread 24.04/ubuntu/Dockerfile Outdated
@012xx 012xx requested a review from pddg April 24, 2026 08:05
Comment thread .github/workflows/release.yaml Outdated
Comment thread .github/workflows/release.yaml Outdated
Comment thread .github/workflows/update.yaml
Comment thread .github/workflows/update.yaml Outdated
012xx (Contributor, Author) commented May 1, 2026

@pddg
Is this fix what you had in mind?
I have found that it seems difficult to specify both a "tag" and a "digest" as variables simultaneously in the FROM line of a Dockerfile, such as FROM ghcr.io/cybozu/ubuntu-minimal:${TAG_MINIMAL}@${DIGEST_MINIMAL}. Therefore, I handled it by removing the tag (it works when hardcoded, but it seems that specifying two variables does not work).
ref. https://docs.docker.com/reference/dockerfile/#from

@012xx 012xx requested a review from pddg May 1, 2026 02:38
pddg (Contributor) commented May 1, 2026

@012xx
As I understand it, it works fine. A warning is displayed, but this does not mean that the build has failed.

❯ cat ubuntu-minimal/Dockerfile
ARG TAG_MINIMAL
ARG DIGEST_MINIMAL

FROM ubuntu:${TAG_MINIMAL}@${DIGEST_MINIMAL}

❯ docker buildx build \
  -t ghcr.io/cybozu/ubuntu-minimal:$(cat TAG_MINIMAL) \
  --build-arg TAG_MINIMAL=$(cat TAG_MINIMAL) \
  --build-arg DIGEST_MINIMAL=sha256:c4a8d5503dfb2a3eb8ab5f807da5bc69a85730fb49b5cfca2330194ebcc41c7b \
  ubuntu-minimal

[+] Building 0.1s (5/5) FINISHED    docker:default
 => [internal] load build definition from Dockerfile    0.0s
 => => transferring dockerfile: 118B    0.0s
 => WARN: InvalidDefaultArgInFrom: Default value for ARG ubuntu:${TAG_MINIMAL}@${DIGEST_MINIMAL} results in empty or invalid base image name (line 4)    0.0s
 => [internal] load metadata for docker.io/library/ubuntu:noble-20260410@sha256:c4a8d5503dfb2a3eb8ab5f807da5bc69a85730fb49b5cfca2330194ebcc41c7b    0.0s
 => [internal] load .dockerignore    0.0s
 => => transferring context: 2B    0.0s
 => CACHED [1/1] FROM docker.io/library/ubuntu:noble-20260410@sha256:c4a8d5503dfb2a3eb8ab5f807da5bc69a85730fb49b5cfca2330194ebcc41c7b    0.0s
 => => resolve docker.io/library/ubuntu:noble-20260410@sha256:c4a8d5503dfb2a3eb8ab5f807da5bc69a85730fb49b5cfca2330194ebcc41c7b    0.0s
 => exporting to image    0.0s
 => => exporting layers    0.0s
 => => exporting manifest sha256:5bfeaab328c1d930a0a0069e2949ae563112bf3e0e647092d78431253c995c45    0.0s
 => => exporting config sha256:058ba62467c8812441c2d5a4857540d9759ed4c27e5e84656e623cc9f36f61cf    0.0s
 => => exporting attestation manifest sha256:d5d25dd1621de03d5759398cde5b8591c7d37f111493016261727881b776a86e    0.0s
 => => exporting manifest list sha256:2f432edbc78435ac16ce3d989838d44496dadcf900bca8d14ef69dc5a09e96bf    0.0s
 => => naming to ghcr.io/cybozu/ubuntu-minimal:noble-20260410    0.0s
 => => unpacking to ghcr.io/cybozu/ubuntu-minimal:noble-20260410    0.0s

 1 warning found (use docker --debug to expand):
 - InvalidDefaultArgInFrom: Default value for ARG ubuntu:${TAG_MINIMAL}@${DIGEST_MINIMAL} results in empty or invalid base image name (line 4)

Our images have the following dependencies:

  • ubuntu (upstream)
    • ghcr.io/cybozu/ubuntu-minimal
      • ghcr.io/cybozu/ubuntu
        • ghcr.io/cybozu/ubuntu-dev, ghcr.io/cybozu/ubuntu-debug

Since the image digests can change for each of these, we need to know three types of digests. Specifically:

  • ubuntu (upstream)
  • ghcr.io/cybozu/ubuntu-minimal
  • ghcr.io/cybozu/ubuntu

ubuntu (upstream) is determined statically, but the rest are determined dynamically depending on the image build results.
Therefore, the workflow must be designed accordingly.

012xx (Contributor, Author) commented May 1, 2026

@pddg

As I understand it, it works fine. A warning is displayed, but this does not mean that the build has failed.

As far as I have tested, I believe it may cause a crash in the following areas.
https://github.com/cybozu/ubuntu-base/actions/runs/25152675699/job/73726763021

pddg (Contributor) commented May 1, 2026

@012xx
That is a simple issue, because you are not providing TAG_MINIMAL and it is falling back to an empty string.

The Dockerfile requires TAG_MINIMAL:

ARG TAG_MINIMAL

But you do not provide it:

docker build \
  -t ghcr.io/cybozu/ubuntu:$TAG \
  --build-arg TAG=$TAG \
  --build-arg DIGEST_MINIMAL=$DIGEST_MINIMAL \
  ubuntu
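The two ways the pinned FROM line goes wrong in this thread are an empty build-arg (the failing job: the Dockerfile declares ARG TAG_MINIMAL, the command passes TAG, so the tag is empty) and a digest that is not a well-formed sha256 reference. Below is an added shell example, not code from the ubuntu-base repository or its workflows, that fails fast on both before docker is invoked; it can run once per stage of the ubuntu-minimal → ubuntu → ubuntu-dev/ubuntu-debug chain, with each stage's resolved digest fed to the next. The function names are constructed; the tag and digest values are the ones from the build log above.

```shell
#!/bin/sh
# Added example (not from the ubuntu-base repository): validate the tag and
# digest build-args before calling docker, so an unset ARG cannot fall back
# to an empty string and produce an invalid base image name.
set -eu

# is_sha256_digest VALUE: 0 if VALUE is "sha256:" followed by 64 lowercase hex chars.
is_sha256_digest() {
    d=$1
    case "$d" in
        sha256:*) h=${d#sha256:} ;;
        *) return 1 ;;
    esac
    [ "${#h}" -eq 64 ] || return 1
    case "$h" in
        *[!0-9a-f]*) return 1 ;;
    esac
    return 0
}

# image_ref REPO TAG DIGEST: print "REPO:TAG@DIGEST", the form used in the
# FROM line, or fail with a message that names the missing piece.
image_ref() {
    repo=$1 tag=$2 digest=$3
    [ -n "$repo" ] || { echo "image_ref: empty repository" >&2; return 1; }
    [ -n "$tag" ] || { echo "image_ref: empty tag (was the TAG build-arg passed?)" >&2; return 1; }
    is_sha256_digest "$digest" || { echo "image_ref: malformed digest '$digest'" >&2; return 1; }
    printf '%s:%s@%s\n' "$repo" "$tag" "$digest"
}

# build_arg NAME VALUE: emit "--build-arg NAME=VALUE", refusing an empty VALUE
# so the docker command line is never assembled with a silently empty ARG.
build_arg() {
    name=$1 value=$2
    [ -n "$value" ] || { echo "build_arg: $name is empty; refusing to pass it" >&2; return 1; }
    printf '%s %s=%s\n' --build-arg "$name" "$value"
}

# Demo values: tag and digest from the build log in this thread.
DEMO_TAG=noble-20260410
DEMO_DIGEST=sha256:c4a8d5503dfb2a3eb8ab5f807da5bc69a85730fb49b5cfca2330194ebcc41c7b

echo "resolved base: $(image_ref ghcr.io/cybozu/ubuntu-minimal "$DEMO_TAG" "$DEMO_DIGEST")"

# Reproduces the failing job: TAG_MINIMAL is never passed, so it is empty,
# and the build command is refused instead of running with an invalid FROM.
if flags=$(build_arg TAG_MINIMAL "${TAG_MINIMAL:-}"); then
    echo "docker build -t ghcr.io/cybozu/ubuntu:$DEMO_TAG $flags $(build_arg DIGEST_MINIMAL "$DEMO_DIGEST") ubuntu"
else
    echo "refusing to build: TAG_MINIMAL not set" >&2
fi
```

Running the validation in the workflow step that assembles the docker command turns the InvalidDefaultArgInFrom case into a hard error with the offending ARG named, rather than a warning that is easy to miss in a long build log.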
