Skip to content

fix: use correct sha digest to fix docker build #150

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pranavjain97 merged 2 commits into from
Nov 13, 2025
Merged

fix: use correct sha digest to fix docker build #150

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
3a30b78
feat: add docker build job
louib Nov 13, 2025
356cbb4
fix: use correct sha digest for base image
pranavjain97 Nov 13, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 24 additions & 0 deletions .github/workflows/pull_request.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,3 +17,27 @@ jobs:
uses: ./.github/workflows/build-and-test.yaml
secrets:
fossa-api-key: ${{ secrets.FOSSA_API_KEY }}

build-docker-image:
name: Build the Docker Image
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Build and push Docker image
uses: docker/build-push-action@v6
with:
context: .
push: false
tags: |
ghcr.io/bitgo/advanced-wallets:${{ github.sha }}
build-args: |
BUILD_VERSION=${{ github.sha }}
BUILD_DATE=${{ github.event.repository.updated_at }}
VCS_REF=${{ github.sha }}
cache-from: type=gha
cache-to: type=gha,mode=max
15 changes: 7 additions & 8 deletions Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,11 +1,10 @@
# syntax=docker/dockerfile:1.4

# Build stage
# Using node:22-alpine with OpenSSL 3.3.2+ to address CVE-2024-6119
# Pinned to specific SHA256 digest for supply chain security and deterministic builds
# To update: podman pull node:22-alpine && podman inspect node:22-alpine --format '{{index .RepoDigests 0}}'
# Last updated: 2025-10-24
FROM node:22-alpine@sha256:d31216005bd330aa47f848822d4f269f6c79f0905b60cca1d87577149519daa6 AS builder
# Using node:22.1.0-alpine with OpenSSL 3.3.2+ to address CVE-2024-6119
# Pinned to AMD64-specific SHA256 digest for supply chain security and deterministic builds
# To update: docker pull --platform linux/amd64 node:22.1.0-alpine && docker inspect --format='{{index .RepoDigests 0}}' node:22.1.0-alpine
FROM node:22.1.0-alpine@sha256:487dc5d5122d578e13f2231aa4ac0f63068becd921099c4c677c850df93bede8 AS builder

# Set build-time variables for reproducibility
ARG NODE_ENV=development
Expand Down Expand Up @@ -55,9 +54,9 @@ COPY . .
RUN npm run build

# Production stage
# Using node:22-alpine with OpenSSL 3.3.2+ to address CVE-2024-6119
# Pinned to specific SHA256 digest for supply chain security and deterministic builds
FROM node:22-alpine@sha256:d31216005bd330aa47f848822d4f269f6c79f0905b60cca1d87577149519daa6 AS production
# Using node:22.1.0-alpine with OpenSSL 3.3.2+ to address CVE-2024-6119
# Pinned to AMD64-specific SHA256 digest for supply chain security and deterministic builds
FROM node:22.1.0-alpine@sha256:487dc5d5122d578e13f2231aa4ac0f63068becd921099c4c677c850df93bede8 AS production

# Declare build arguments in production stage
ARG PORT=3081
Expand Down