From aa274908019b20dffd880df62b526d1f2c2759fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Wed, 10 Jun 2026 15:00:18 +0200
Subject: [PATCH] kata-deploy: track distroless static base by tag, not digest
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The kata-deploy main image pinned its gcr.io/distroless/static-debian13 base by sha256 digest. distroless does not publish versioned tags, so a pinned digest just goes stale with no clear upgrade path. Track the rolling tag instead (guarded with a hadolint DL3007 ignore plus a comment explaining why), matching the kata-deploy-job-dispatcher image base.

Signed-off-by: Fabiano FidĂȘncio
Assisted-by: Cursor
---
 tools/packaging/kata-deploy/Dockerfile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/tools/packaging/kata-deploy/Dockerfile b/tools/packaging/kata-deploy/Dockerfile
index b5b80ff640..152c0f583d 100644
--- a/tools/packaging/kata-deploy/Dockerfile
+++ b/tools/packaging/kata-deploy/Dockerfile
@@ -111,7 +111,10 @@ RUN \
 esac
 #### kata-deploy main image
-FROM gcr.io/distroless/static-debian13@sha256:972618ca78034aaddc55864342014a96b85108c607372f7cbd0dbd1361f1d841
+# distroless does not publish pinned/versioned tags - only rolling ones
+# (latest, nonroot, debug) - so :latest is the intended way to consume it.
+# hadolint ignore=DL3007
+FROM gcr.io/distroless/static-debian13:latest
 ARG DESTINATION=/opt/kata-artifacts
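Review bot: Switching the final stage to `FROM gcr.io/distroless/static-debian13:latest` gives up the only integrity anchor on the runtime base: two builds of the same commit can now yield different images, and whatever the registry serves under that tag at build time lands in the released artifact without review. The staleness the commit message describes is usually solved by keeping the pin and automating its refresh, e.g. `FROM gcr.io/distroless/static-debian13@sha256:<current-digest>` with a comment such as `# digest refreshed by <update bot or release step>; do not replace with a rolling tag`, so each base change arrives as a reviewable diff. If the rolling tag stays, the build pipeline should at least record the resolved digest per release and verify the upstream image signature before use. The rest of this stage lies outside the hunk, so whether later instructions depend on the base contents is not visible here.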