diff --git a/crates/registry-relay/Dockerfile b/crates/registry-relay/Dockerfile index 656eeddd..b2ed827a 100644 --- a/crates/registry-relay/Dockerfile +++ b/crates/registry-relay/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1.7 # Keep the tag for humans and the digest for reproducible pulls. -FROM rust:1-bookworm@sha256:6258907abe69656e41cd992e0b705cdcfabcbbe3db374f92ed2d47121282d4a1 AS builder +FROM rust:1-bookworm@sha256:5e2214abe154fe26e39f64488952e5c991eeed1d6d6da7cc8381ae83927f0cfc AS builder WORKDIR /workspace/registry_relay COPY Cargo.toml Cargo.lock ./ @@ -33,7 +33,7 @@ RUN --mount=type=cache,target=/usr/local/cargo/registry \ chown -R 65532:65532 /workspace/runtime-root # Distroless cc keeps glibc and CA certificates while dropping shell/package tools. -FROM gcr.io/distroless/cc-debian12:nonroot@sha256:bd2899c12b335c827750ccf2359879eab09c09b206023dcebea408947d54127c AS runtime +FROM gcr.io/distroless/cc-debian12:nonroot@sha256:b0ae8e989418b458e0f25489bc3be523718938a2b70864cc0f6a00af1ddbd985 AS runtime COPY --from=builder --chown=65532:65532 /workspace/runtime-root/ / COPY --from=builder /usr/local/bin/registry-relay /usr/local/bin/registry-relay diff --git a/crates/registry-relay/Dockerfile.demo b/crates/registry-relay/Dockerfile.demo index 1e090809..f6b234a5 100644 --- a/crates/registry-relay/Dockerfile.demo +++ b/crates/registry-relay/Dockerfile.demo @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1.7 # Keep the tag for humans and the digest for reproducible pulls. -FROM rust:1-bookworm@sha256:6258907abe69656e41cd992e0b705cdcfabcbbe3db374f92ed2d47121282d4a1 AS builder +FROM rust:1-bookworm@sha256:5e2214abe154fe26e39f64488952e5c991eeed1d6d6da7cc8381ae83927f0cfc AS builder WORKDIR /workspace/registry_relay COPY Cargo.toml Cargo.lock ./ @@ -16,7 +16,7 @@ RUN --mount=type=cache,target=/usr/local/cargo/registry \ cargo build --release --locked --features spdci-api-standards,standards-cel-mapping,attribute-release && \ cp /workspace/registry_relay/target/release/registry-relay /usr/local/bin/registry-relay -FROM debian:bookworm-slim@sha256:0104b334637a5f19aa9c983a91b54c89887c0984081f2068983107a6f6c21eeb AS runtime +FROM debian:bookworm-slim@sha256:60eac759739651111db372c07be67863818726f754804b8707c90979bda511df AS runtime RUN groupadd --system --gid 10001 registry_relay && \ useradd --system --uid 10001 --gid registry_relay --home-dir /var/lib/registry-relay --shell /usr/sbin/nologin registry_relay && \ diff --git a/lab/Dockerfile.citizen-portal b/lab/Dockerfile.citizen-portal index a8d02df4..a9a8fa5c 100644 --- a/lab/Dockerfile.citizen-portal +++ b/lab/Dockerfile.citizen-portal @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1.7 -FROM node:22.13.1-bookworm-slim@sha256:83fdfa2a4de32d7f8d79829ea259bd6a4821f8b2d123204ac467fbe3966450fc AS base +FROM node:26.4.0-bookworm-slim@sha256:b16ca7b4dcfb20184e1c70f9ee30c6a75ed1da669cfafd6d2add4761b123d79f AS base LABEL org.opencontainers.image.title="Registry Lab Citizen Portal Demo" LABEL org.opencontainers.image.source="https://github.com/jeremi/registry-lab" diff --git a/lab/Dockerfile.esignet-relay b/lab/Dockerfile.esignet-relay index f6551eda..ccfa7dfe 100644 --- a/lab/Dockerfile.esignet-relay +++ b/lab/Dockerfile.esignet-relay @@ -2,7 +2,7 @@ ARG ESIGNET_BASE_IMAGE=mosipid/esignet-with-plugins:1.8.0 -FROM maven:3.9.9-eclipse-temurin-21@sha256:3a4ab3276a087bf276f79cae96b1af04f53731bec53fb2e651aca79e4b10211e AS plugin-builder +FROM maven:3.9.15-eclipse-temurin-26@sha256:029a8e2838ae68238ffb8be407cddbb3f07d4d839c60c6f26c619a69fd184531 AS plugin-builder WORKDIR /workspace/esignet-relay-authenticator COPY --from=esignet_relay_authenticator_src . . diff --git a/lab/Dockerfile.esignet-seed b/lab/Dockerfile.esignet-seed index 10651fbb..8e551b01 100644 --- a/lab/Dockerfile.esignet-seed +++ b/lab/Dockerfile.esignet-seed @@ -1,6 +1,6 @@ # SPDX-License-Identifier: Apache-2.0 -FROM python:3.12.3-slim-bookworm@sha256:afc139a0a640942491ec481ad8dda10f2c5b753f5c969393b12480155fe15a63 AS python-runtime +FROM python:3.14.6-slim-bookworm@sha256:4ff4b92a68355dbdb52584ab3391dff8d371a61d4e063468bfd0130e3189c6d9 AS python-runtime FROM postgres:bookworm@sha256:9479eac93922431e8a512b016d7362ae264f4ba139f840891b51f02931e450db diff --git a/lab/Dockerfile.registry-notary-openfn-sidecar b/lab/Dockerfile.registry-notary-openfn-sidecar index b082dff0..cc60646c 100644 --- a/lab/Dockerfile.registry-notary-openfn-sidecar +++ b/lab/Dockerfile.registry-notary-openfn-sidecar @@ -26,7 +26,7 @@ RUN --mount=type=cache,target=/usr/local/cargo/registry,sharing=locked \ CARGO_TARGET_DIR=/workspace/target cargo build --release --locked -p registry-notary-source-adapter-sidecar --bin registry-notary-source-adapter-sidecar \ && cp /workspace/target/release/registry-notary-source-adapter-sidecar /usr/local/bin/registry-notary-openfn-sidecar -FROM node:22-bookworm-slim@sha256:813a7480f28fdadac1f7f5c824bcdad435b5bc1322a5968bbbdef8d058f9dff4 AS runtime +FROM node:26-bookworm-slim@sha256:b16ca7b4dcfb20184e1c70f9ee30c6a75ed1da669cfafd6d2add4761b123d79f AS runtime RUN apt-get update \ && apt-get install -y --no-install-recommends ca-certificates curl \ diff --git a/lab/Dockerfile.registry-relay b/lab/Dockerfile.registry-relay index e8db9cc4..2f4b3cec 100644 --- a/lab/Dockerfile.registry-relay +++ b/lab/Dockerfile.registry-relay @@ -19,7 +19,7 @@ RUN --mount=type=cache,target=/usr/local/cargo/registry,sharing=locked \ /workspace/runtime-root/var/log/registry-relay && \ chown -R 65532:65532 /workspace/runtime-root -FROM gcr.io/distroless/cc-debian12:nonroot@sha256:bd2899c12b335c827750ccf2359879eab09c09b206023dcebea408947d54127c AS runtime +FROM gcr.io/distroless/cc-debian12:nonroot@sha256:b0ae8e989418b458e0f25489bc3be523718938a2b70864cc0f6a00af1ddbd985 AS runtime COPY --from=builder --chown=65532:65532 /workspace/runtime-root/ / COPY --from=builder /usr/local/bin/registry-relay /usr/local/bin/registry-relay diff --git a/lab/Dockerfile.static-metadata b/lab/Dockerfile.static-metadata index 2c7112b8..8a754029 100644 --- a/lab/Dockerfile.static-metadata +++ b/lab/Dockerfile.static-metadata @@ -48,7 +48,7 @@ RUN --mount=type=cache,target=/usr/local/cargo/registry,sharing=locked \ test -f /app/static-metadata/.well-known/registry-manifest.json && \ test -f /app/static-metadata/metadata/index.json -FROM python:3.12.3-slim-bookworm@sha256:afc139a0a640942491ec481ad8dda10f2c5b753f5c969393b12480155fe15a63 AS runtime +FROM python:3.14.6-slim-bookworm@sha256:4ff4b92a68355dbdb52584ab3391dff8d371a61d4e063468bfd0130e3189c6d9 AS runtime COPY scripts/static-metadata-server.py /usr/local/bin/static-metadata-server.py COPY --from=publisher /app/static-metadata /srv/static diff --git a/products/notary/Dockerfile b/products/notary/Dockerfile index 282074ca..89461d4f 100644 --- a/products/notary/Dockerfile +++ b/products/notary/Dockerfile @@ -3,7 +3,7 @@ # syntax=docker/dockerfile:1.7 # Keep the tag for humans and the digest for reproducible pulls. -FROM rust:1-bookworm@sha256:54152db00aafd37bc5ce1f3585aaa42f17cdd5c8e5ef9eabfbc0718b42bce312 AS builder +FROM rust:1-bookworm@sha256:5e2214abe154fe26e39f64488952e5c991eeed1d6d6da7cc8381ae83927f0cfc AS builder WORKDIR /workspace/registry-notary COPY --from=registry-platform Cargo.toml README.md LICENSE /workspace/registry-platform/ diff --git a/products/notary/Dockerfile.source-adapter-sidecar b/products/notary/Dockerfile.source-adapter-sidecar index c25fc8a9..d0ede577 100644 --- a/products/notary/Dockerfile.source-adapter-sidecar +++ b/products/notary/Dockerfile.source-adapter-sidecar @@ -7,7 +7,7 @@ # engines, so the image no longer ships Node, npm, or a worker runtime. # Keep the tag for humans and the digest for reproducible pulls. -FROM rust:1-bookworm@sha256:54152db00aafd37bc5ce1f3585aaa42f17cdd5c8e5ef9eabfbc0718b42bce312 AS builder +FROM rust:1-bookworm@sha256:5e2214abe154fe26e39f64488952e5c991eeed1d6d6da7cc8381ae83927f0cfc AS builder WORKDIR /workspace/registry-notary COPY --from=registry-platform Cargo.toml README.md LICENSE /workspace/registry-platform/ diff --git a/release/docker/Dockerfile.registry-notary-openfn-sidecar b/release/docker/Dockerfile.registry-notary-openfn-sidecar index 5e961bdb..837cca22 100644 --- a/release/docker/Dockerfile.registry-notary-openfn-sidecar +++ b/release/docker/Dockerfile.registry-notary-openfn-sidecar @@ -6,7 +6,7 @@ # engine is retired, but the historical image and binary name remain stable for # lab compatibility. -FROM node:22-bookworm-slim@sha256:813a7480f28fdadac1f7f5c824bcdad435b5bc1322a5968bbbdef8d058f9dff4 AS runtime +FROM node:26-bookworm-slim@sha256:b16ca7b4dcfb20184e1c70f9ee30c6a75ed1da669cfafd6d2add4761b123d79f AS runtime RUN apt-get update \ && apt-get install -y --no-install-recommends ca-certificates curl \ diff --git a/release/docker/Dockerfile.registry-relay b/release/docker/Dockerfile.registry-relay index fa882bce..b85d71c7 100644 --- a/release/docker/Dockerfile.registry-relay +++ b/release/docker/Dockerfile.registry-relay @@ -9,7 +9,7 @@ RUN mkdir -p \ /workspace/runtime-root/var/log/registry-relay && \ chown -R 65532:65532 /workspace/runtime-root -FROM gcr.io/distroless/cc-debian12:nonroot@sha256:bd2899c12b335c827750ccf2359879eab09c09b206023dcebea408947d54127c AS runtime +FROM gcr.io/distroless/cc-debian12:nonroot@sha256:b0ae8e989418b458e0f25489bc3be523718938a2b70864cc0f6a00af1ddbd985 AS runtime COPY --from=runtime-root --chown=65532:65532 /workspace/runtime-root/ / COPY --chmod=0755 dist/image-bin/registry-relay /usr/local/bin/registry-relay