What problem does your feature solve?
Today, the immutability of published image tags (:<cli>, :<cli>-rust<rust>, per-arch tags, etc.) is enforced only inside the publish workflow — see the "skip-with-warning, not fail-on-overwrite" behavior added in #3. That is workflow-side protection: it depends on the workflow being the only thing that ever pushes to this repo, and on that check never being bypassed (e.g. by a maintainer running docker push locally, by a future change to the workflow that drops the check, or by a compromised CI credential).
We should enforce the same property at the registry itself, so the trust property — "this tag means the same content forever" — has no opt-out even if the workflow is bypassed.
Docker Hub supports this via immutable tags on the repository: once a tag is pushed, the registry refuses any subsequent push to the same tag.
What would you like to see?
Configure docker.io/stellar/stellar-cli on Docker Hub so that:
- All tags are immutable by default — once pushed, they cannot be overwritten.
- The :latest tag is exempt — it is intentionally a moving alias that gets re-pointed each release.
Concretely, this means setting an immutable-tag rule on the repository that matches every tag except latest (e.g. via Docker Hub's tag immutability rules, with latest carved out).
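A registry-side rule is the enforcement; what follows is an added monitoring example (not part of this issue or the project's code) that checks the "same content forever" property from the outside: it diffs two snapshots of the repository's tag list, as returned by Docker Hub's tags API, and reports any non-`latest` tag whose digest changed or that disappeared. The payloads and digests are constructed sample data, not real stellar-cli tags.

```python
"""Detect tags that were re-pointed or deleted between two snapshots of a
Docker Hub repository's tag list, exempting the intentionally moving `latest`."""
import json

# Constructed sample payloads in the shape of Docker Hub's
# GET /v2/repositories/<namespace>/<repo>/tags response (only the fields used here).
# Tag names and digests are placeholders, not real stellar-cli releases.
BASELINE_JSON = json.dumps({"results": [
    {"name": "latest", "digest": "sha256:aaaa"},
    {"name": "23.0.0", "digest": "sha256:bbbb"},
    {"name": "23.0.0-rust1.81", "digest": "sha256:cccc"},
]})
CURRENT_JSON = json.dumps({"results": [
    {"name": "latest", "digest": "sha256:dddd"},   # moved: allowed, it is the exempt alias
    {"name": "23.0.0", "digest": "sha256:eeee"},   # moved: a violation
    # "23.0.0-rust1.81" is gone: deletion also breaks "same content forever"
    {"name": "23.1.0", "digest": "sha256:ffff"},   # new tag: fine
]})


def tag_digests(payload: str) -> dict:
    """Map tag name -> manifest digest from a Hub tags-API JSON document."""
    return {t["name"]: t["digest"] for t in json.loads(payload)["results"]}


def immutability_violations(baseline: dict, current: dict,
                            exempt=frozenset({"latest"})) -> list:
    """Return (tag, old_digest, new_digest) for every non-exempt tag present in
    the baseline whose digest differs now; new_digest is None if the tag was deleted."""
    violations = []
    for tag, old in sorted(baseline.items()):
        if tag in exempt:
            continue
        new = current.get(tag)
        if new != old:
            violations.append((tag, old, new))
    return violations


if __name__ == "__main__":
    for tag, old, new in immutability_violations(tag_digests(BASELINE_JSON),
                                                 tag_digests(CURRENT_JSON)):
        print(f"VIOLATION {tag}: {old} -> {new or 'DELETED'}")
```

Run on a schedule against a stored baseline, a non-empty result means the registry rule was missing, bypassed, or a tag was deleted, which the workflow-side check alone would never surface.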
Refs
https://docs.docker.com/docker-hub/repos/manage/hub-images/immutable-tags/