From cb5078bf7150e9302a8ed4a6eb86ea07254ca99e Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Mon, 5 Aug 2024 14:14:58 +0200 Subject: [PATCH] update readme --- README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/README.md b/README.md index d44ea2f..b684754 100644 --- a/README.md +++ b/README.md @@ -28,6 +28,8 @@ The images are available on: To ensure the propagation of security fixes from upstream projects, all supported tags are mutable and undergo periodic rebuilding. +#### Pin by digest + The suggested approach is to pin the sha256 digest for best reproducibility in your `Dockerfile`, for example: @@ -53,6 +55,17 @@ alfresco/alfresco-base-java jre17-rockylinux9 sha256:b749868ceb42bd6f58ae2f1 This configuration approach is compatible with [Dependabot](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#docker). +#### Pin by immutable tags + +Additional tags are being pushed for master releases, following the pattern +`$tag-YYMMDDHHMM`. Those tags are never overwritten and can be used as a more +intuitive approach. You can still use it in combination with digest for +increased security. + +> Quay.io doesn't retain previous images when a tag is overwritten, so using an +> immutable tag is mandatory in order to avoid getting `Manifest not found` +> error once a mutable tag get updated. + ## Development While any docker installation will produce valid images, building with