Pin Go builder image in Dockerfile by digest

[coderabbitai]

Summary

Track a follow-up hardening change to pin the Go builder image in Dockerfile by digest instead of using only the mutable docker.io/library/golang:1.26.3 tag.

Rationale

The current build stage image reference is tag-only, which makes rebuilds less reproducible and weakens supply-chain hardening. The repository already uses digest-pinned base images in related container definitions (for example, Dockerfile.dist), so this would align the main Dockerfile with that pattern.

Affected area

• Dockerfile

Requested change

Update the build stage FROM instruction to pin the Go image by digest, e.g.:

• from: docker.io/library/golang:1.26.3
• to: docker.io/library/golang:1.26.3@sha256:<resolved-digest>

Keep the change localized to the builder FROM line unless additional supporting updates are required.

Acceptance criteria

• The Go builder image in Dockerfile is pinned by digest.
• The referenced digest matches the intended golang:1.26.3 image variant used by this build.
• The change is made in a follow-up commit or PR, not as part of Konflux task refs and other dependency updates (main) #3357.

Backlinks

• Follow-up requested by @simonbaird
• PR: Konflux task refs and other dependency updates (main) #3357
• Review comment: Konflux task refs and other dependency updates (main) #3357 (comment)

[simonbaird]

Dupe of #3358 .

[fullsend-ai-triage]

🤖 Finished Triage · ✅ Success · Started 2:15 PM UTC · Completed 2:16 PM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-triage]

This issue appears to be a duplicate of #3358, which tracks the same request to pin the Go builder image in Dockerfile by digest. A maintainer has also confirmed this in the comments. Closing in favor of the existing issue.