Merge pull request #150 from BitGo/WP-00000-fix-ghcr-release

pranavjain97 · web-flow · commit d50d407e2045 · 2025-11-13T14:03:30.000-05:00
fix: use correct sha digest to fix docker build
diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
@@ -17,3 +17,27 @@ jobs:
     uses: ./.github/workflows/build-and-test.yaml
     secrets:
       fossa-api-key: ${{ secrets.FOSSA_API_KEY }}
+
+  build-docker-image:
+    name: Build the Docker Image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: false
+          tags: |
+            ghcr.io/bitgo/advanced-wallets:${{ github.sha }}
+          build-args: |
+            BUILD_VERSION=${{ github.sha }}
+            BUILD_DATE=${{ github.event.repository.updated_at }}
+            VCS_REF=${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
diff --git a/Dockerfile b/Dockerfile
@@ -1,11 +1,10 @@
 # syntax=docker/dockerfile:1.4
 
 # Build stage
-# Using node:22-alpine with OpenSSL 3.3.2+ to address CVE-2024-6119
-# Pinned to specific SHA256 digest for supply chain security and deterministic builds
-# To update: podman pull node:22-alpine && podman inspect node:22-alpine --format '{{index .RepoDigests 0}}'
-# Last updated: 2025-10-24
-FROM node:22-alpine@sha256:d31216005bd330aa47f848822d4f269f6c79f0905b60cca1d87577149519daa6 AS builder
+# Using node:22.1.0-alpine with OpenSSL 3.3.2+ to address CVE-2024-6119
+# Pinned to AMD64-specific SHA256 digest for supply chain security and deterministic builds
+# To update: docker pull --platform linux/amd64 node:22.1.0-alpine && docker inspect --format='{{index .RepoDigests 0}}' node:22.1.0-alpine
+FROM node:22.1.0-alpine@sha256:487dc5d5122d578e13f2231aa4ac0f63068becd921099c4c677c850df93bede8 AS builder
 
 # Set build-time variables for reproducibility
 ARG NODE_ENV=development
@@ -55,9 +54,9 @@ COPY . .
 RUN npm run build
 
 # Production stage
-# Using node:22-alpine with OpenSSL 3.3.2+ to address CVE-2024-6119
-# Pinned to specific SHA256 digest for supply chain security and deterministic builds
-FROM node:22-alpine@sha256:d31216005bd330aa47f848822d4f269f6c79f0905b60cca1d87577149519daa6 AS production
+# Using node:22.1.0-alpine with OpenSSL 3.3.2+ to address CVE-2024-6119
+# Pinned to AMD64-specific SHA256 digest for supply chain security and deterministic builds
+FROM node:22.1.0-alpine@sha256:487dc5d5122d578e13f2231aa4ac0f63068becd921099c4c677c850df93bede8 AS production
 
 # Declare build arguments in production stage
 ARG PORT=3081
