@endersonmaia

➜  cartesi-dev --services=explorer --dry-run | grep "image:"
WARNING: default block is set to 'latest', production configuration will likely use 'finalized'
    image: docker.io/cartesi/sdk:0.12.0-alpha.25@sha256:406e35fdabf189be2ffc3b47c23ad31b4864cf24f012db01e04d6b254e1e57f4
    image: docker.io/cartesi/rollups-database:0.12.0-alpha.25@sha256:b179de07c32894407e3e1eff060899a462d31d4fe6892e0f075daff74f83ebd9
    image: docker.io/cartesi/rollups-explorer:1.3.3@sha256:20f7787f055f3a96fe7c44cd654662aa4effb7a8fc7a632ccc5306fdd87d7424
    image: docker.io/cartesi/rollups-explorer-api:1.0.0@sha256:2a0bd852dd811033eccc714bcfc6e98af16838de35b79ad06bdce115bbea6a66
    image: docker.io/traefik:v3.5.4@sha256:fa528d4565c8c279328c12d466325ee0f65804a75bcdbef737290664ad971d68
    image: docker.io/cartesi/rollups-runtime:0.12.0-alpha.25@sha256:6b198f746762f93d61e2c127628e0c92b4424d2ff7c2f9161c8a47c04ab407f4
    image: docker.io/cartesi/rollups-explorer-api:1.0.0@sha256:2a0bd852dd811033eccc714bcfc6e98af16838de35b79ad06bdce115bbea6a66

➜ cartesi run --services=explorer --runtime-version=0.12.0-alpha.25 --dry-run | grep "image:"
WARNING: default block is set to 'latest', production configuration will likely use 'finalized'
    image: docker.io/cartesi/sdk:0.12.0-alpha.25
    image: docker.io/cartesi/rollups-database:0.12.0-alpha.25
    image: docker.io/cartesi/rollups-explorer:1.3.3@sha256:20f7787f055f3a96fe7c44cd654662aa4effb7a8fc7a632ccc5306fdd87d7424
    image: docker.io/cartesi/rollups-explorer-api:1.0.0@sha256:2a0bd852dd811033eccc714bcfc6e98af16838de35b79ad06bdce115bbea6a66
    image: docker.io/traefik:v3.5.4@sha256:fa528d4565c8c279328c12d466325ee0f65804a75bcdbef737290664ad971d68
    image: docker.io/cartesi/rollups-runtime:0.12.0-alpha.25
    image: docker.io/cartesi/rollups-explorer-api:1.0.0@sha256:2a0bd852dd811033eccc714bcfc6e98af16838de35b79ad06bdce115bbea6a66

This pull request updates the way container images are referenced and managed for the CLI and Docker Compose files, ensuring more robust and secure deployments by using pinned image digests and environment variables. It also improves SDK version handling by making the runtime version optional and updating how defaults are set. The most important changes are grouped below:

Container Image Pinning and Environment Variable Usage

  • Docker Compose files (docker-compose-database.yaml, docker-compose-explorer.yaml, docker-compose-node.yaml, docker-compose-proxy.yaml) now use environment variables for image names and tags, and images are referenced by their full registry URLs and pinned SHA256 digests for improved security and reproducibility.
  • The CLI code (exec/rollups.ts) determines which image (with or without digest) to use based on whether a runtime version is specified, preferring pinned digests when not specified.

SDK Version and Image Configuration

  • Default SDK image configuration is now split into name, tag, and digest constants in config.ts, and the default SDK image reference uses these values.
  • The runtimeVersion option in CLI commands and environment setup is now optional (string | undefined), and the default value for the CLI option is set to undefined instead of a specific version.

Minor Cleanup

  • Removed unused imports and updated references to match new configuration structure.

These changes make the deployment process more flexible, secure, and maintainable by centralizing image configuration and using digest-pinned images.

@endersonmaia endersonmaia self-assigned this Oct 28, 2025
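
The image-selection rule from the PR summary and the `--dry-run | grep "image:"` check shown with it, as an added TypeScript example that is not code from the pull request. Function and type names are hypothetical; the sample lines are copied from the second dry run above.

```typescript
// Added example; function and type names are hypothetical, not from the PR.
interface ImageRef { name: string; tag: string | undefined; digest: string | undefined }

const DIGEST_RE = /^sha256:[0-9a-f]{64}$/;

// Split "registry/repo:tag@sha256:<hex>" into its parts; reject malformed digests.
function parseImageRef(ref: string): ImageRef {
  const at = ref.indexOf("@");
  const rest = at === -1 ? ref : ref.slice(0, at);
  const digest = at === -1 ? undefined : ref.slice(at + 1);
  if (digest !== undefined && !DIGEST_RE.test(digest)) {
    throw new Error("malformed digest in " + ref);
  }
  // Only a colon after the last "/" is a tag separator (earlier ones are registry ports).
  const colon = rest.indexOf(":", rest.lastIndexOf("/") + 1);
  return colon === -1
    ? { name: rest, tag: undefined, digest }
    : { name: rest.slice(0, colon), tag: rest.slice(colon + 1), digest };
}

// Rule from the PR description: no runtime version -> pinned default,
// explicit runtime version -> tag-only reference (mutable, not pinned).
function resolveImage(name: string, tag: string, digest: string, runtimeVersion?: string): string {
  return runtimeVersion === undefined
    ? name + ":" + tag + "@sha256:" + digest
    : name + ":" + runtimeVersion;
}

// List the distinct image references in compose output that carry no digest.
function findUnpinned(composeOutput: string): string[] {
  const unpinned: string[] = [];
  for (const line of composeOutput.split("\n")) {
    const m = /^\s*image:\s*(\S+)/.exec(line);
    const ref = m ? m[1] : undefined;
    if (ref && parseImageRef(ref).digest === undefined && unpinned.indexOf(ref) === -1) {
      unpinned.push(ref);
    }
  }
  return unpinned;
}

// Sample input: lines taken from the second dry run shown in the PR description.
const SAMPLE_DRY_RUN = [
  "WARNING: default block is set to 'latest', production configuration will likely use 'finalized'",
  "    image: docker.io/cartesi/sdk:0.12.0-alpha.25",
  "    image: docker.io/traefik:v3.5.4@sha256:fa528d4565c8c279328c12d466325ee0f65804a75bcdbef737290664ad971d68",
  "    image: docker.io/cartesi/rollups-runtime:0.12.0-alpha.25",
].join("\n");

console.log(findUnpinned(SAMPLE_DRY_RUN)); // the two tag-only references
```

A non-empty result from `findUnpinned` can fail a CI job, which catches compose files or CLI paths that fall back to tag-only references.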
@changeset-bot

changeset-bot bot commented Oct 28, 2025

⚠️ No Changeset found

Latest commit: 56b8525

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@endersonmaia endersonmaia requested review from Copilot and tuler October 28, 2025 19:30
@github-actions

github-actions bot commented Oct 28, 2025

Coverage Report for ./apps/cli

| Status | Category | Percentage | Covered / Total |
|---|---|---|---|
| 🔵 | Lines | 23.69% | 287 / 1211 |
| 🔵 | Statements | 23.58% | 292 / 1238 |
| 🔵 | Functions | 24.5% | 50 / 204 |
| 🔵 | Branches | 19.78% | 112 / 566 |

File Coverage

Changed Files

| File | Stmts | Branches | Functions | Lines | Uncovered Lines |
|---|---|---|---|---|---|
| apps/cli/src/config.ts | 89.67% | 77.22% | 94.11% | 89.5% | 66-67, 231, 239, 249, 269, 282, 292, 295, 305, 346, 357-361, 373, 557, 579-584 |
| apps/cli/src/commands/run.ts | 0% | 0% | 0% | 0% | 25-317 |
| apps/cli/src/exec/rollups.ts | 0% | 0% | 0% | 0% | 53-577 |

Generated in workflow #677 for commit 56b8525 by the Vitest Coverage Report Action

Copilot AI left a comment

Pull Request Overview

This PR refactors Docker image configuration to support pinned SHA256 digests for reproducible builds. The main goal is to ensure consistent image versions across deployments by allowing the use of digest-pinned images when a runtime version is not explicitly specified.

  • Expanded SDK image configuration from a single constant to separate name, tag, and SHA256 digest constants for SDK, database, and runtime images
  • Modified environment setup to conditionally use digest-pinned images or version tags based on whether a runtime version is specified
  • Updated Docker Compose files to use fully qualified image references with SHA256 digests for third-party and Cartesi images

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

| File | Description |
|---|---|
| apps/cli/src/config.ts | Adds separate constants for image names, tags, and SHA256 digests for SDK, database, and runtime images; missing semicolons on export statements |
| apps/cli/src/exec/rollups.ts | Implements conditional logic to use digest-pinned images when runtime version is undefined; updates environment variable setup |
| apps/cli/src/commands/run.ts | Changes runtime version default from explicit version to undefined, enabling digest-pinned images by default |
| apps/cli/src/compose/docker-compose-proxy.yaml | Pins traefik image to specific version with SHA256 digest |
| apps/cli/src/compose/docker-compose-node.yaml | Replaces version-based environment variable with configurable runtime image variable |
| apps/cli/src/compose/docker-compose-explorer.yaml | Pins explorer-related images to specific versions with SHA256 digests |
| apps/cli/src/compose/docker-compose-database.yaml | Replaces version-based environment variable with configurable database image variable |

Comments suppressed due to low confidence (3)

apps/cli/src/config.ts:83

  • Avoid automated semicolon insertion (90% of all statements in the enclosing script have an explicit semicolon).
export const DEFAULT_SDK_IMAGE_SHA256_DIGEST = "406e35fdabf189be2ffc3b47c23ad31b4864cf24f012db01e04d6b254e1e57f4"

apps/cli/src/config.ts:86

  • Avoid automated semicolon insertion (90% of all statements in the enclosing script have an explicit semicolon).
export const DEFAULT_SDK_DATABASE_IMAGE_SHA256_DIGEST = "b179de07c32894407e3e1eff060899a462d31d4fe6892e0f075daff74f83ebd9"

apps/cli/src/config.ts:89

  • Avoid automated semicolon insertion (90% of all statements in the enclosing script have an explicit semicolon).
export const DEFAULT_SDK_RUNTIME_IMAGE_SHA256_DIGEST = "6b198f746762f93d61e2c127628e0c92b4424d2ff7c2f9161c8a47c04ab407f4"

@endersonmaia endersonmaia changed the title Chore/lock container image digests cli: lock container image digests Oct 28, 2025