Dockerfile digest pinning #71

Merged: Perseus985 merged 3 commits into main from chore/pinned-deps-docker on May 18, 2026

Conversation

Perseus985 (Contributor) commented May 18, 2026

Closes #70

Summary

  • Pins all four external FROM references in the multi-stage Dockerfile to their SHA256 manifest-list digests (tag@sha256:... form), eliminating the risk of tag mutation substituting a different image layer silently
  • Adds a dockerfile packageRule to renovate.json so Renovate keeps the pinned digests up to date via PRs automatically

Note
Please note that the digests pin to the index of the multi-arch images, so you can verify it via:

docker buildx imagetools inspect gcr.io/distroless/static:nonroot
docker buildx imagetools inspect golang:1.26.3

Summary by CodeRabbit

  • Chores:
    • Pinned container base images to specific digests across all build and runtime stages.
    • Updated dependency automation configuration to enforce automated digest pinning for container images in future updates.

Signed-off-by: Kevin Stellmacher <dev@stellmacher.xyz>
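A check that goes with the pinning this PR introduces, added here as an example; it is not code from PR #71 or from the dependency-controller project. It lints a Dockerfile and fails when a FROM line that pulls from a registry is not pinned as `image[:tag]@sha256:<64 lowercase hex>`, while skipping `FROM scratch` and references to stages declared earlier with `AS <name>`, which pull nothing. The function name `check_from_pins`, the helper `write_sample`, and the sample Dockerfile with its placeholder digests are all constructed for this example.

```shell
#!/bin/sh
# Added example for this page, not code from PR #71 or the dependency-controller
# project: lint a Dockerfile so that every FROM that pulls from a registry is
# pinned as <image>[:tag]@sha256:<64 lowercase hex>. The function name and the
# sample Dockerfile below are constructed for the example.

# check_from_pins DOCKERFILE
# Prints "<line>: <image>" for every unpinned registry reference and returns 1
# if at least one was found, 0 otherwise. "FROM scratch" and references to a
# stage declared earlier with "AS <name>" pull nothing, so they are skipped.
check_from_pins() {
  awk '
    BEGIN { bad = 0 }
    toupper($1) == "FROM" {
      i = 2
      # skip flags such as --platform=$BUILDPLATFORM that precede the image
      while (i <= NF && substr($i, 1, 2) == "--") i++
      image = $i
      # remember the stage name so a later "FROM <name>" is not flagged
      if (i + 2 <= NF && toupper($(i + 1)) == "AS") stages[$(i + 2)] = 1
      if (image == "scratch" || (image in stages)) next
      at = index(image, "@sha256:")
      digest = (at > 0) ? substr(image, at + 8) : ""
      # a valid pin is exactly 64 lowercase hex characters after "@sha256:"
      if (length(digest) != 64 || digest !~ /^[0-9a-f]+$/) {
        print NR ": " image
        bad = 1
      }
    }
    END { exit bad }
  ' "$1"
}

# write_sample PATH
# Constructed Dockerfile: two pinned stages, one unpinned runtime stage, one
# stage reference and one scratch stage. The digests are placeholders, not the
# real ones from the PR.
write_sample() {
  cat > "$1" <<'EOF'
FROM --platform=$BUILDPLATFORM golang:1.26.3@sha256:0000000000000000000000000000000000000000000000000000000000000001 AS builder
FROM gcr.io/distroless/static:nonroot@sha256:0000000000000000000000000000000000000000000000000000000000000002 AS controller
FROM gcr.io/distroless/static:nonroot AS webhook
FROM builder AS tools
FROM scratch AS empty
EOF
}

# Usage: sh check_from_pins.sh path/to/Dockerfile
if [ "$#" -gt 0 ]; then
  check_from_pins "$1"
fi
```

Run against the sample, the lint reports only line 3 (`gcr.io/distroless/static:nonroot` without a digest) and exits non-zero, which makes it usable as a CI gate alongside the Renovate `pinDigests` rule: Renovate keeps the digests current, and the lint ensures no new unpinned FROM slips in between its runs.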
coderabbitai (Bot) commented May 18, 2026

Warning

Rate limit exceeded

@Perseus985 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 51 minutes and 34 seconds before requesting another review.


⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 28045ee1-1967-4c73-9dd2-6a424647f5f9

📥 Commits

Reviewing files that changed from the base of the PR and between ebaae78 and c3abae2.

📒 Files selected for processing (1)
  • renovate.json
Walkthrough

This PR pins all four external base image references in the Dockerfile to specific SHA256 digests and configures Renovate to automate future digest updates. The Go builder stage and three distroless runtime stages now use immutable digest references instead of mutable tags.

Changes

Container image digest pinning and automation

Layer / File(s): Summary
  • Dockerfile image digest pinning (Dockerfile): The builder stage's Go image and the three runtime stages (controller, webhook, combined image) update from tag-only references to tag@sha256 digest-pinned images, ensuring immutable base image selection.
  • Renovate digest management configuration (renovate.json): A new packageRules entry matches the dockerfile manager and enables pinDigests: true, automating the discovery and update of new base image digests in future Renovate runs.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A rabbit's ode to digest pins,
Where SHA dances, security wins,
No floating tags shall pass our gate,
With Renovate's care, we seal our fate,
Build walls strong and containers neat! 🏗️✨

Pre-merge checks: 5 passed
  • Description Check: Passed. Check skipped; CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title 'Dockerfile digest pinning' accurately and concisely describes the main change: pinning Dockerfile base image references to SHA256 digests.
  • Linked Issues check: Passed. The pull request fulfills all coding requirements from issue #70: Dockerfile FROM lines are pinned with sha256 digests, renovate.json includes a dockerfile packageRule with pinDigests: true, and both local builds and Renovate config validation are confirmed to pass.
  • Out of Scope Changes check: Passed. All changes are directly scoped to the objectives in issue #70: Dockerfile digest pinning and Renovate configuration updates for digest management. No extraneous modifications are present.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

the-vas commented May 18, 2026

good improvement

@Perseus985 Perseus985 merged commit 2ddbad5 into main May 18, 2026
6 checks passed
@Perseus985 Perseus985 deleted the chore/pinned-deps-docker branch May 18, 2026 10:20

Development: Successfully merging this pull request may close these issues: Pin container images by SHA digest in Dockerfile + enable Renovate digest management