From 3a30b7851e888495da5a52565ca4c8bc45918c16 Mon Sep 17 00:00:00 2001
From: Louis Varin
Date: Thu, 13 Nov 2025 00:07:34 -0500
Subject: [PATCH 1/2] feat: add docker build job

---
 .github/workflows/pull_request.yaml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
index d877358..c5d7f56 100644
--- a/.github/workflows/pull_request.yaml
+++ b/.github/workflows/pull_request.yaml
@@ -17,3 +17,27 @@ jobs:
 uses: ./.github/workflows/build-and-test.yaml
 secrets:
 fossa-api-key: ${{ secrets.FOSSA_API_KEY }}
+
+ build-docker-image:
+ name: Build the Docker Image
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Build and push Docker image
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ push: false
+ tags: |
+ ghcr.io/bitgo/advanced-wallets:${{ github.sha }}
+ build-args: |
+ BUILD_VERSION=${{ github.sha }}
+ BUILD_DATE=${{ github.event.repository.updated_at }}
+ VCS_REF=${{ github.sha }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
From 356cbb492c870a956fe2f01de12c9546078de89c Mon Sep 17 00:00:00 2001
From: Pranav Jain
Date: Thu, 13 Nov 2025 12:58:27 -0500
Subject: [PATCH 2/2] fix: use correct sha digest for base image

Ticket: WP-6774
---
 Dockerfile | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index dab7c9c..a46e09b 100644
--- a/Dockerfile
+++ b/Dockerfile
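Review bot: The three third-party actions in the new build-docker-image job (actions/checkout@v4, docker/setup-buildx-action@v3, docker/build-push-action@v6) are pinned to mutable major-version tags, which is inconsistent with the digest pinning the series adopts for the base image in PATCH 2/2: a tag can be moved to different code without any change in this workflow. Pin each to the full commit SHA of the release and keep the version as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4` (placeholder; take the SHA from the action's release). Since the job only builds (`push: false`), a job-level `permissions:` block with `contents: read` keeps the GITHUB_TOKEN minimal if the workflow does not already restrict it at the top level (outside the hunk). The step name `Build and push Docker image` overstates what the step does with `push: false`; `Build Docker image` matches the job name. Separately, `BUILD_DATE=${{ github.event.repository.updated_at }}` is the repository's last-update timestamp rather than the build time, which is presumably what a BUILD_DATE argument is meant to carry — confirm against how the Dockerfile consumes it.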
@@ -1,11 +1,10 @@
 # syntax=docker/dockerfile:1.4
 
 # Build stage
-# Using node:22-alpine with OpenSSL 3.3.2+ to address CVE-2024-6119
-# Pinned to specific SHA256 digest for supply chain security and deterministic builds
-# To update: podman pull node:22-alpine && podman inspect node:22-alpine --format '{{index .RepoDigests 0}}'
-# Last updated: 2025-10-24
-FROM node:22-alpine@sha256:d31216005bd330aa47f848822d4f269f6c79f0905b60cca1d87577149519daa6 AS builder
+# Using node:22.1.0-alpine with OpenSSL 3.3.2+ to address CVE-2024-6119
+# Pinned to AMD64-specific SHA256 digest for supply chain security and deterministic builds
+# To update: docker pull --platform linux/amd64 node:22.1.0-alpine && docker inspect --format='{{index .RepoDigests 0}}' node:22.1.0-alpine
+FROM node:22.1.0-alpine@sha256:487dc5d5122d578e13f2231aa4ac0f63068becd921099c4c677c850df93bede8 AS builder
 
 # Set build-time variables for reproducibility
 ARG NODE_ENV=development
@@ -55,9 +54,9 @@ COPY . .
 RUN npm run build
 
 # Production stage
-# Using node:22-alpine with OpenSSL 3.3.2+ to address CVE-2024-6119
-# Pinned to specific SHA256 digest for supply chain security and deterministic builds
-FROM node:22-alpine@sha256:d31216005bd330aa47f848822d4f269f6c79f0905b60cca1d87577149519daa6 AS production
+# Using node:22.1.0-alpine with OpenSSL 3.3.2+ to address CVE-2024-6119
+# Pinned to AMD64-specific SHA256 digest for supply chain security and deterministic builds
+FROM node:22.1.0-alpine@sha256:487dc5d5122d578e13f2231aa4ac0f63068becd921099c4c677c850df93bede8 AS production
 
 # Declare build arguments in production stage
 ARG PORT=3081
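Review bot: The new builder-stage FROM line pins to node:22.1.0-alpine while keeping the comment's claim that the image ships OpenSSL 3.3.2+ for CVE-2024-6119; 22.1.0 is an early Node 22 release from mid-2024 that predates the OpenSSL 3.3.2 release, so the comment and the pin appear to disagree, and the same applies to the production-stage FROM in the second hunk. If the intent of the commit was only to replace the manifest-list digest with the platform-specific one, the tag should stay on the current 22.x patch release rather than moving back to 22.1.0; either way, verify which OpenSSL version the pinned image actually contains and reword the comment to state what is there. The commit also drops the `# Last updated: 2025-10-24` line; a refreshed `# Last updated: <date>` next to the digest keeps the age of the pin visible at review time. The AMD64-specific digest is documented, but a plain `docker build` on an arm64 host may now pull the amd64 image under emulation or fail, so a comment noting that local builds must pass `--platform linux/amd64` would save that surprise.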