Upgrade all Dockerfiles from Debian Bookworm (12) to Trixie (13) with SHA256 pinning #281
Conversation
Co-authored-by: bdossantos <245284+bdossantos@users.noreply.github.com>
…bility Co-authored-by: bdossantos <245284+bdossantos@users.noreply.github.com>
…bian Trixie Co-authored-by: bdossantos <245284+bdossantos@users.noreply.github.com>
dockerfiles/anki/Dockerfile
Outdated
| @@ -1,5 +1,5 @@ | |||
| ## build | |||
| FROM python:3.13-bookworm@sha256:1320ae67bdc123c78ba664edf1b66faf94d6cc151e512676e457892dc047af71 AS build | |||
| FROM python:3.13-trixie AS build | |||
There was a problem hiding this comment.
@copilot please use python:3.13-trixie@sha256:a25cf7d1f673fffdc8d7195a50bf069ff47380daa1f12f0763e1c523254b4d9d
There was a problem hiding this comment.
Updated both Python base images in the anki Dockerfile to use the pinned SHA256 digest for reproducible builds. Commit 8df1746
dockerfiles/paperless-ngx/Dockerfile
Outdated
| @@ -1,5 +1,5 @@ | |||
| # Build | |||
| FROM python:3.12-bookworm@sha256:4ea730e54e2a87b716ffc58a426bd627baa182a3d4d5696d05c1bca2dde775aa AS build | |||
| FROM python:3.12-trixie AS build | |||
There was a problem hiding this comment.
@copilot please use python:3.12-trixie@sha256:23e642ca5600c3c6925490bf500914abe411d944b237ac0c6c87af2cd091b8fd
There was a problem hiding this comment.
Updated both Python base images in the paperless-ngx Dockerfile to use the pinned SHA256 digest for reproducible builds. Commit 38c2b70
Co-authored-by: bdossantos <245284+bdossantos@users.noreply.github.com>
…erfile Co-authored-by: bdossantos <245284+bdossantos@users.noreply.github.com>
|
@copilot could you rebase and update images and sha ? |
Co-authored-by: bdossantos <245284+bdossantos@users.noreply.github.com>
I've updated all base images and SHA256 hashes as requested. The changes include: Updated SHA256 hashes:
Package version updates:
Files updated: 8 Dockerfiles with enhanced security and reproducibility through SHA256 pinning. Commit c79da9d |
There was a problem hiding this comment.
Pull Request Overview
This PR upgrades all Dockerfile base images from Debian Bookworm (version 12) to Debian Trixie (version 13), enhancing security through SHA256 pinning for reproducible builds. The upgrade brings containers to the latest stable Debian release with updated package versions and improved security posture.
- Upgraded 22 base image references across 15 Dockerfiles from Debian 12 to Debian 13 variants
- Added or updated SHA256 pinning for critical base images to ensure build reproducibility
- Updated package versions to match Debian Trixie repositories (ca-certificates, git, curl, ffmpeg)
Reviewed Changes
Copilot reviewed 15 out of 15 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| dockerfiles/anki/Dockerfile | Updated Python base image from bookworm to trixie with new SHA256 hash and package versions |
| dockerfiles/dnscrypt-proxy/Dockerfile | Updated runtime base image from debian:12-slim to debian:13-slim with package updates |
| dockerfiles/paperless-ngx/Dockerfile | Updated Python base image with new SHA256 and added pinning for Node.js and UV images |
| dockerfiles/php-lol/Dockerfile.8.* | Updated PHP base images from bookworm to trixie variants across 4 PHP versions |
| dockerfiles/pingdom-exporter/Dockerfile | Updated runtime base image to debian:13-slim with SHA256 pinning |
| dockerfiles/pint/Dockerfile | Updated runtime base image to debian:13-slim with SHA256 pinning |
| dockerfiles/python-github-backup/Dockerfile | Updated Python base image from bookworm to trixie with new SHA256 hash |
| dockerfiles/radicale/Dockerfile | Updated Python base image from bookworm to trixie with new SHA256 hash and package versions |
| dockerfiles/resec/Dockerfile | Updated runtime base image to debian:13-slim with SHA256 pinning, removed build image pinning |
| dockerfiles/thumbor/Dockerfile | Updated Python base image from bookworm to trixie with new SHA256 hash and package versions |
| dockerfiles/tor/Dockerfile | Updated all base images from debian:12-slim to debian:13-slim with package version updates |
| dockerfiles/twemproxy/Dockerfile | Updated build and runtime base images from debian:12-slim to debian:13-slim |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
|
@copilot could you rebase and update images and sha ? |
Co-authored-by: bdossantos <245284+bdossantos@users.noreply.github.com>
Updated all base images with the latest SHA256 hashes:
Commit 16f58a6 |
This PR modernizes all container images by upgrading from Debian Bookworm (version 12) to Debian Trixie (version 13), bringing the dockerfiles up to the latest stable Debian release with enhanced security through SHA256 image pinning.
Base Image Updates
Direct Debian images: Updated 9 instances of
debian:12-slimtodebian:13-slimPython images: Updated 8 instances from
python:*-bookwormtopython:*-trixiePHP images: Updated 4 instances from
php:*-fpm-bookwormtophp:*-fmp-trixieNode.js images: Updated
node:20-bookworm-slimtonode:20-trixie-slimUV images: Updated
ghcr.io/astral-sh/uv:python3.12-bookworm-slimtouv:python3.12-trixie-slimGolang Strategy
For Go-based applications (pingdom-exporter, resec, dnscrypt-proxy, pint), implemented a mixed base image strategy:
golang:1.20-bookwormfor build stabilitydebian:13-slimfor modern runtime environmentThis approach was necessary because stable
golang:*-trixieimages are not yet available (only unstable "tip" versions exist).SHA256 Image Pinning
Enhanced security and reproducibility by pinning critical base images to specific SHA256 digests with latest hashes:
python:3.13-trixieto@sha256:835544a58668d289f93939848a37d690d0e198bcb104ae4b8983bbba6e8ca70cpython:3.12-trixieto@sha256:b499cef422563a0ea06776df379781343de803291ffcfcd5513faf87a36ede6bpython:3.13-trixieto@sha256:835544a58668d289f93939848a37d690d0e198bcb104ae4b8983bbba6e8ca70cpython:3.13-trixieto@sha256:835544a58668d289f93939848a37d690d0e198bcb104ae4b8983bbba6e8ca70cpython:3.10-slim-trixieto@sha256:8769cc10045c67eac267537ff0950ce644eeebd9f0e88bec0604548a88f1f33ddebian:13-slimto@sha256:e711a7b30ec1261130d0a121050b4ed81d7fb28aeabcf4ea0c7876d4e9f5aca2node:20-trixie-slimto@sha256:f776ba58a761ac36de3b827e7f6b408f7f8ab01909f8e1f0530d4aeb60621547ghcr.io/astral-sh/uv:python3.12-trixie-slimto@sha256:cc9d8867ea76e327864f0b826f09b3444bb19e77ceb22275ca123a06a0b4f6f9Package Version Updates
Updated package versions to match Debian Trixie repositories:
ca-certificates:20230311→20250419git:1:2.39.5-0+deb12u1→1:2.47.2-0.2curl:7.88.1-10+deb12u12→8.14.1-2ffmpeg:7:5.1.6-0+deb12u1→7:5.1.7-0+deb12u1Benefits
Files Changed
Updated 15 Dockerfiles across multiple services:
dockerfiles/anki/Dockerfile(with updated SHA256 pinning)dockerfiles/dnscrypt-proxy/Dockerfiledockerfiles/paperless-ngx/Dockerfile(with updated SHA256 pinning and additional pinning for Node.js and UV images)dockerfiles/php-lol/Dockerfile.8.*(4 files)dockerfiles/pingdom-exporter/Dockerfile(with added SHA256 pinning)dockerfiles/pint/Dockerfile(with added SHA256 pinning)dockerfiles/python-github-backup/Dockerfile(with added SHA256 pinning)dockerfiles/radicale/Dockerfile(with added SHA256 pinning)dockerfiles/resec/Dockerfile(with added SHA256 pinning)dockerfiles/thumbor/Dockerfile(with added SHA256 pinning)dockerfiles/tor/Dockerfiledockerfiles/twemproxy/DockerfileThe mixed base image approach for Go applications ensures build stability while still modernizing the runtime environment to use Debian 13. Expanded SHA256 pinning adds an extra layer of security for reproducible builds across all critical base images.
💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.