From 7803d229eb9220dab735a65beaafc6772c9344dd Mon Sep 17 00:00:00 2001 From: Savannah Savings Date: Sat, 6 Jun 2026 02:26:54 +0000 Subject: [PATCH] fix(auth): pin base image to node 22.22.2 digest (CAR-1279 Phase 2) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Pin both build and runtime stages of auth/Dockerfile to node:22-alpine@sha256:8ea2348b068a9544dae7317b4f3aafcdc032df1647bb7d768a05a5cad1a7683f — the Docker Hub manifest digest for node:22.22.2-alpine (verified against the registry by CTO). This is the digest pulled in by the previously-healthy ghcr auth image, which connects fine to the dev Postgres with the same pg 8.20.0 driver and byte-identical source. The Gitea-built image, which bundles node 22.22.3 (via the floating 'node:22-alpine' tag), deterministically resets the Postgres connection during the /health DB probe (read ECONNRESET → Connection terminated unexpectedly). Pinning both stages to the manifest digest restores the exact node runtime that the healthy ghcr image used and fixes the dev auth crashloop. The 'RUN apk update && apk upgrade --no-cache' lines are kept as-is per task spec. Refs CAR-1279, CAR-1276 (CAR-1287)
---
 auth/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/auth/Dockerfile b/auth/Dockerfile
index 0b88089..388fd9d 100644
--- a/auth/Dockerfile
+++ b/auth/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:22-alpine AS builder
+FROM node:22-alpine@sha256:8ea2348b068a9544dae7317b4f3aafcdc032df1647bb7d768a05a5cad1a7683f AS builder
 RUN apk update && apk upgrade --no-cache
 WORKDIR /app
 COPY package.json package-lock.json* ./
@@ -7,7 +7,7 @@ COPY tsconfig.json ./
 COPY src/ src/
 RUN npm run build
 
-FROM node:22-alpine
+FROM node:22-alpine@sha256:8ea2348b068a9544dae7317b4f3aafcdc032df1647bb7d768a05a5cad1a7683f
 RUN apk update && apk upgrade --no-cache
 WORKDIR /app
 ENV NODE_ENV=production
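Review bot: The new builder `FROM` keeps the floating tag `22-alpine` next to a digest that the commit message says belongs to `node:22.22.2-alpine`; once a digest is present the tag plays no part in resolution, so the line reads as "latest 22" while it pulls a fixed older build. The same digest is repeated verbatim in the runtime-stage `FROM` of the second hunk, so a later bump can update one stage and miss the other. I would declare it once above the first stage, `ARG NODE_IMAGE=node:22.22.2-alpine@sha256:8ea2348b068a9544dae7317b4f3aafcdc032df1647bb7d768a05a5cad1a7683f`, and write the two stages as `FROM ${NODE_IMAGE} AS builder` and `FROM ${NODE_IMAGE}`.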
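Review bot: Nothing in the Dockerfile records why the runtime stage is held at this digest, and this is the stage that ships: from this commit on the image stops receiving Node patch releases, and the retained `apk update && apk upgrade --no-cache` refreshes only Alpine packages (as far as I know the official image does not install the Node binary through apk, so it stays at 22.22.2). Add a comment above this `FROM`, for example `# Pinned to node 22.22.2 (CAR-1279): 22.22.3 resets the pg connection on /health; re-test and bump the digest on each Node 22 security release.` Because `apk upgrade` still runs at build time, two builds from the same digest can differ in OS packages, so the pin alone does not make the image reproducible. The runtime stage continues past the end of the hunk.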