feat(ci): auto-update distroless base images and fix operator version

- Fix operator binary version embedding by correcting ldflags import path
- Add dynamic distroless version fetching from NVIDIA versions.json CDN
- Upgrade both agent and operator to v4 distroless images
  - Agent: Python 3.12 (v3.5.2 -> v4.0.1)
  - Operator: Go (v4.0.1, now auto-updates)
- Add fetch-distroless-versions job to both agent-ci and operator-ci

This ensures builds always use the latest secure base images and fixes
the issue where production operator binaries showed version: "dev"

Author: lockwobr

.github/workflows/agent-ci.yaml

@@ -35,7 +35,26 @@ on:
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
+  PYTHON_VERSION: 3.12
 jobs:
+  fetch-distroless-versions:
+    name: Fetch Latest Distroless Versions
+    runs-on: ubuntu-latest
+    outputs:
+      distroless-version: ${{ steps.fetch.outputs.distroless-version }}
+    steps:
+      - name: Fetch versions from NVIDIA CDN
+        id: fetch
+        run: |
+          # Fetch the versions.json file
+          VERSIONS_JSON=$(curl -fsSL https://developer.download.nvidia.com/distroless-oss/versions.json)
+          
+          # Extract latest Python v4 version (format: "v4.0.1" -> "4.0.1")
+          DISTROLESS_VERSION=$(echo "$VERSIONS_JSON" | jq -r ".v4.python.\"${PYTHON_VERSION}\"" | sed 's/^v//')
+          
+          echo "distroless-version=${DISTROLESS_VERSION}" >> $GITHUB_OUTPUT
+          echo "📦 Python ${PYTHON_VERSION} v4 Distroless Version: ${DISTROLESS_VERSION}"
+  
   compute-metadata:
     name: Compute Image Metadata
     runs-on: ubuntu-latest
@@ -108,7 +127,7 @@ jobs:
           cat test-summary.md >> $GITHUB_STEP_SUMMARY
   build-and-push-agent:
     runs-on: ubuntu-latest
-    needs: [test, compute-metadata] # Don't run the build and push if the unit tests fail
+    needs: [test, compute-metadata, fetch-distroless-versions] # Don't run the build and push if the unit tests fail
     # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
     permissions:
       contents: read
@@ -149,6 +168,8 @@ jobs:
           echo "🏷️  Tags: ${TAGS}"
           export REGISTRY=${REGISTRY@L}
           export BUILD_ARGS="--push"
+          export DISTROLESS_VERSION=${{ needs.fetch-distroless-versions.outputs.distroless-version }}
+          export PYTHON_VERSION=${{ env.PYTHON_VERSION }}
           make docker-build-only agent_version=${AGENT_VERSION}
           cat metadata.json
           echo "digest=$(cat metadata.json | jq -r .\"containerimage.digest\")" >> $GITHUB_OUTPUT

.github/workflows/operator-ci.yaml

@@ -45,6 +45,24 @@ env:
   PLATFORMS: linux/amd64,linux/arm64
 
 jobs:
+  fetch-distroless-versions:
+    name: Fetch Latest Distroless Versions
+    runs-on: ubuntu-latest
+    outputs:
+      go-version: ${{ steps.fetch.outputs.go-version }}
+    steps:
+      - name: Fetch versions from NVIDIA CDN
+        id: fetch
+        run: |
+          # Fetch the versions.json file
+          VERSIONS_JSON=$(curl -fsSL https://developer.download.nvidia.com/distroless-oss/versions.json)
+          
+          # Extract latest Go v4 version (format: "v4.0.1" -> "4.0.1")
+          GO_DISTROLESS_VERSION=$(echo "$VERSIONS_JSON" | jq -r '.v4.go.go' | sed 's/^v//')
+          
+          echo "go-version=${GO_DISTROLESS_VERSION}" >> $GITHUB_OUTPUT
+          echo "📦 Go v4 Distroless Version: ${GO_DISTROLESS_VERSION}"
+  
   # Test operator across supported Kubernetes versions and test suites
   tests:
     runs-on: ubuntu-latest
@@ -179,7 +197,7 @@ jobs:
   # Compute image tags and version metadata once for reuse
   compute-metadata:
     runs-on: ubuntu-latest
-    needs: [tests]
+    needs: [tests, fetch-distroless-versions]
     outputs:
       git-sha: ${{ steps.meta.outputs.git-sha }}
       version: ${{ steps.meta.outputs.version }}
@@ -217,7 +235,7 @@ jobs:
   # Build container images on native architecture runners (much faster than QEMU)
   build-operator:
     runs-on: ${{ matrix.runner }}
-    needs: [compute-metadata]
+    needs: [compute-metadata, fetch-distroless-versions]
     strategy:
       matrix:
         include:
@@ -271,6 +289,7 @@ jobs:
             --build-arg GIT_SHA=${GIT_SHA} \
             --build-arg VERSION=${VERSION} \
             --build-arg GO_VERSION=${{ env.GO_VERSION }} \
+            --build-arg DISTROLESS_VERSION=${{ needs.fetch-distroless-versions.outputs.go-version }} \
             --push \
             --platform ${{ matrix.platform }} \
             --provenance=false \

agent/Makefile

@@ -63,6 +63,8 @@ docker-build-only:
 	@echo "Building skyhook-agent $(DOCKER_CMD) image with tags: $(ACTUAL_TAGS)"
 	$(DOCKER_CMD) buildx build $(BUILD_ARGS) --build-arg AGENT_VERSION=$(AGENT_VERSION) \
 		--build-arg GIT_SHA=$(GIT_SHA) \
+		--build-arg DISTROLESS_VERSION=$(DISTROLESS_VERSION) \
+		--build-arg PYTHON_VERSION=$(PYTHON_VERSION) \
 		--platform linux/amd64,linux/arm64 $(ACTUAL_TAGS) --metadata-file=metadata.json -f ../containers/agent.Dockerfile .
 
 ##@ Vendor

containers/agent.Dockerfile

@@ -16,7 +16,7 @@
 
 FROM python:3.12-bookworm AS builder
 
-ARG AGENT_VERSION
+ARG AGENT_VERSION 
 
 COPY . /code
 WORKDIR /code
@@ -36,17 +36,24 @@ RUN make build build_version=${AGENT_VERSION}
 # Install the wheel in the builder stage
 RUN python3 -m venv venv && ./venv/bin/pip install /code/skyhook-agent/dist/skyhook_agent*.whl
 
-FROM nvcr.io/nvidia/distroless/python:3.12-v3.5.2
+ARG DISTROLESS_VERSION \
+    PYTHON_VERSION
 
-ARG AGENT_VERSION
-ARG GIT_SHA
+FROM nvcr.io/nvidia/distroless/python:${PYTHON_VERSION}-v${DISTROLESS_VERSION}
+
+ARG AGENT_VERSION \
+    GIT_SHA \
+    DISTROLESS_VERSION \
+    PYTHON_VERSION
 
 ## https://github.com/opencontainers/image-spec/blob/main/annotations.md
-LABEL org.opencontainers.image.base.name="nvcr.io/nvidia/distroless/python:3.12-v3.5.2" \
+LABEL org.opencontainers.image.base.name="nvcr.io/nvidia/distroless/python:${PYTHON_VERSION}-v${DISTROLESS_VERSION}" \
       org.opencontainers.image.licenses="Apache-2.0" \
       org.opencontainers.image.title="skyhook-agent" \
       org.opencontainers.image.version="${AGENT_VERSION}" \
       org.opencontainers.image.revision="${GIT_SHA}"
+      python.version="${PYTHON_VERSION}" \
+      distroless.version="${DISTROLESS_VERSION}"
 
 # Copy the installed packages and scripts from builder
 COPY --from=builder /code/venv/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages

containers/operator.Dockerfile

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
 #
 #
@@ -19,11 +19,11 @@ ARG GO_VERSION
 
 FROM golang:${GO_VERSION}-bookworm as builder
 
-ARG TARGETOS
-ARG TARGETARCH
-ARG VERSION
-ARG GIT_SHA
-ARG GO_VERSION
+ARG TARGETOS \
+    TARGETARCH \
+    VERSION \
+    GIT_SHA \
+    GO_VERSION
 
 WORKDIR /workspace
 
@@ -35,25 +35,28 @@ COPY ./ ./
 # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
 # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
 RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -mod=vendor \
-    -ldflags "-X github.com/NVIDIA/skyhook/internal/version.GIT_SHA=${GIT_SHA}\
-    -X github.com/NVIDIA/skyhook/internal/version.VERSION=${VERSION}" \
+    -ldflags "-X github.com/NVIDIA/skyhook/operator/internal/version.GIT_SHA=${GIT_SHA}\
+    -X github.com/NVIDIA/skyhook/operator/internal/version.VERSION=${VERSION}" \
     -a -o manager cmd/manager/main.go
 
+ARG DISTROLESS_VERSION
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless/tree/main/base for more 
-FROM nvcr.io/nvidia/distroless/go:v3.2.2
+FROM nvcr.io/nvidia/distroless/go:v${DISTROLESS_VERSION}
 
 ARG VERSION
-ARG GIT_SHA
-ARG GO_VERSION
+    GIT_SHA \
+    GO_VERSION \
+    DISTROLESS_VERSION
 
 ## https://github.com/opencontainers/image-spec/blob/main/annotations.md
-LABEL org.opencontainers.image.base.name="nvcr.io/nvidia/distroless/go:v3.2.2" \
+LABEL org.opencontainers.image.base.name="nvcr.io/nvidia/distroless/go:v${DISTROLESS_VERSION}" \
       org.opencontainers.image.licenses="Apache-2.0" \
       org.opencontainers.image.title="skyhook-operator" \
       org.opencontainers.image.version="${VERSION}" \
       org.opencontainers.image.revision="${GIT_SHA}" \
-      go.version="${GO_VERSION}"
+      go.version="${GO_VERSION}" \
+      distroless.version="${DISTROLESS_VERSION}"
 
 WORKDIR /
 COPY --from=builder /workspace/manager .