Pin Go builder image in Dockerfile by digest

[coderabbitai]

Summary

Track a follow-up hardening change to pin the Go builder image in Dockerfile by digest instead of using only the mutable docker.io/library/golang:1.26.3 tag.

Rationale

The current build stage image reference is tag-only, which makes rebuilds less reproducible and weakens supply-chain hardening. The repository already uses digest-pinned base images in related container definitions (for example, Dockerfile.dist), so this would align the main Dockerfile with that pattern.

Affected area

• Dockerfile

Requested change

Update the build stage FROM instruction to pin the Go image by digest, e.g.:

• from: docker.io/library/golang:1.26.3
• to: docker.io/library/golang:1.26.3@sha256:<resolved-digest>

Keep the change localized to the builder FROM line unless additional supporting updates are required.

Acceptance criteria

• The Go builder image in Dockerfile is pinned by digest.
• The referenced digest matches the intended golang:1.26.3 image variant used by this build.
• The change is made in a follow-up commit or PR, not as part of Konflux task refs and other dependency updates (main) #3357.

Backlinks

• Follow-up requested by @simonbaird
• PR: Konflux task refs and other dependency updates (main) #3357
• Review comment: Konflux task refs and other dependency updates (main) #3357 (comment)

[fullsend-ai-triage]

🤖 Finished Triage · ✅ Success · Started 2:15 PM UTC · Completed 2:17 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-triage]

Triage Summary

This is a straightforward supply-chain hardening follow-up. The Dockerfile build stage currently references the Go builder image by tag only, while Dockerfile.dist already pins both its base images by digest.

Problem: Tag-only image references are mutable — the same tag can point to different image contents over time, reducing build reproducibility.

Recommended fix: Update the FROM line in the Dockerfile build stage to include a @sha256:<digest> suffix, matching the pattern already established in Dockerfile.dist. The correct digest can be resolved via docker manifest inspect or skopeo inspect.

Proposed test case:

1. Build the container image with the updated Dockerfile
2. Verify the build succeeds and produces a working binary
3. Confirm the pinned digest matches the intended Go image tag
   by independently resolving the tag (e.g. skopeo inspect)
4. Verify no other FROM instructions in the Dockerfile need
   similar treatment

This is a good-first-issue candidate given the clear scope and existing pattern to follow.

---

Labels: Docker-related enhancement for supply-chain hardening, small scope suitable for newcomers.