From c3a4bba87494b59e1a618871f175c608abb6194f Mon Sep 17 00:00:00 2001
From: bussyjd
Date: Tue, 12 May 2026 14:12:23 +0800
Subject: [PATCH] security(frontend): digest-pin obol-stack-front-end v0.1.23

Switch the frontend image reference from tag-only ("v0.1.23") to tag+digest ("v0.1.23@sha256:950b887e1cbaca9f928ff7b449b5602ed9777b629b4ee1b9c4c91fac2d74c2f2"). The tag stays for human readability; the digest is authoritative. Eliminates the mutable-tag attack surface flagged as a non-blocking follow-up by the supply-chain review of v0.10.0-rc2. Multi-arch index digest covers linux/amd64 and linux/arm64. Renders to a valid OCI reference via the obol/obol-app chart "obol-app.image" helper (verified locally with helm template).
---
 .../embed/infrastructure/values/obol-frontend.yaml.gotmpl | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/internal/embed/infrastructure/values/obol-frontend.yaml.gotmpl b/internal/embed/infrastructure/values/obol-frontend.yaml.gotmpl
index e81d2ab0..58b2c55c 100644
--- a/internal/embed/infrastructure/values/obol-frontend.yaml.gotmpl
+++ b/internal/embed/infrastructure/values/obol-frontend.yaml.gotmpl
@@ -44,7 +44,10 @@ image:
   repository: obolnetwork/obol-stack-front-end
   pullPolicy: IfNotPresent
-  tag: "v0.1.23"
+  # Digest-pinned: tag is informational, sha256 is authoritative. Eliminates
+  # the mutable-tag attack surface called out by the v0.10.0-rc2 supply-chain
+  # review. Multi-arch index digest for v0.1.23 (linux/amd64 + linux/arm64).
+  tag: "v0.1.23@sha256:950b887e1cbaca9f928ff7b449b5602ed9777b629b4ee1b9c4c91fac2d74c2f2"
 service:
   type: ClusterIP
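Review bot: A future version bump that edits only the `v0.1.23` prefix of the new `tag` value and leaves the `@sha256:` suffix untouched would silently keep deploying the old image, because the runtime resolves the digest and the tag is now purely informational; the added comment states that the digest is authoritative but not this consequence. I would extend the comment with `# When bumping the version, re-resolve the digest for the new tag (e.g. docker buildx imagetools inspect <repo>:<tag>) and update both together; a stale digest wins silently.` Since the digest is packed into the chart's `tag` field rather than a separate digest key, the reference's validity rests on the `obol-app.image` helper joining `repository:tag` verbatim, and it is worth naming that assumption in the comment so a chart upgrade that starts validating the tag format is caught early. The `image:` mapping may continue outside the lines the hunk shows.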