Currently `Dockerfile.goreleaser` uses a floating tag:

```dockerfile
FROM alpine:3.21
```

A floating tag means a compromised or silently-updated base image would be pulled into new release builds without any record in git history. For a publicly distributed artifact, pinning to a digest provides reproducibility and supply-chain integrity.

Change: replace `alpine:3.21` with `alpine:3.21@sha256:<digest>` and set up Renovate (or equivalent) to keep the digest current.
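A CI guard that goes with this change, written here as an added example and not the project's own code: it scans a Dockerfile and fails when any `FROM` pulls a registry image by tag alone, so a later edit cannot silently reintroduce a floating tag. The digest itself is resolved out of band (for example with `docker buildx imagetools inspect alpine:3.21` or `crane digest alpine:3.21`); the function only verifies that one is present.

```shell
#!/bin/sh
# Fail when a Dockerfile has a FROM line that is not pinned to an image digest.
# `scratch` and references to earlier build stages (FROM x AS build / FROM build)
# are exempt because they never reach a registry. Constructed example code.
# usage: check_pinned_from Dockerfile.goreleaser
check_pinned_from() {
  file="$1"; rc=0; aliases=" "
  while IFS= read -r line || [ -n "$line" ]; do
    # Only FROM instructions matter (Dockerfile keywords are case-insensitive).
    case "$line" in
      [Ff][Rr][Oo][Mm]" "*) ;;
      *) continue ;;
    esac
    set -- $line; shift                      # drop the FROM keyword
    case "$1" in --platform=*) shift ;; esac  # optional --platform flag
    image="$1"
    # Remember stage aliases so a later "FROM <alias>" is not flagged.
    if [ "$#" -ge 3 ]; then aliases="$aliases$3 "; fi
    case "$image" in scratch) continue ;; esac
    case "$aliases" in *" $image "*) continue ;; esac
    # A valid pin is <name>[:<tag>]@sha256:<64 lowercase hex chars>.
    digest="${image##*@sha256:}"
    if [ "$digest" != "$image" ] &&
       [ "$(expr "$digest" : '[0-9a-f]\{64\}$')" -eq 64 ]; then
      continue
    fi
    echo "unpinned base image in $file: $image" >&2
    rc=1
  done < "$file"
  return $rc
}
```

The check exits non-zero on the first offending file, which is enough for a pre-commit hook or a CI step that runs before the release build.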