
Remove adding sha256 sum for CI container images #207

Merged
cfergeau merged 1 commit into crc-org:main from danpawlik:remove-centos-sha1
Oct 21, 2025

Conversation

@danpawlik (Collaborator) commented Oct 21, 2025

Each time a new feature is added to this project, the SHA256 sum needs to be updated just to pass the CI. The digest is also taken from the "latest" container image, so there is no need to pin the digest to an image which disappears after a while.

Summary by CodeRabbit

  • Chores
    • Updated container base image reference to use the latest matching version instead of a pinned digest, allowing automatic updates to the base image when building containers.

Each time a new feature is added to this project, the
SHA256 sum needs to be updated just to pass the CI.
The digest is also taken from the "latest" container image, so
there is no need to pin the digest to an image which disappears
after a while.

Signed-off-by: Daniel Pawlik <dpawlik@redhat.com>
@coderabbitai (bot) commented Oct 21, 2025

Walkthrough

The Containerfile base image reference was updated to use a tag-only reference instead of a pinned digest. The specific digest from quay.io/centos/centos:stream9@sha256:... was removed, leaving quay.io/centos/centos:stream9. No other build steps, logic, or labels were modified.

Changes

Cohort: Base image reference update
File(s): oci/Containerfile
Summary: Removed the specific image digest from the base image reference, changing from a pinned digest to tag-only resolution.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 The digest takes flight, let the tag find its way,
Flexibility blooms when specifics don't stay,
Stream9 flows free, no hash to constrain,
Container delight in simplicity's reign! 📦✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title Check: ✅ Passed. The pull request title "Remove adding sha256 sum for CI container images" accurately and concisely describes the main change in the changeset. The modification removes the SHA256 digest from the container image reference in the Containerfile, changing from a pinned digest format to a tag-only format. The title is specific enough to convey the primary change, avoiding vague language while remaining brief and clear. It directly aligns with both the file-level changes and the PR's stated objective of eliminating the need to maintain SHA256 digests for CI container images.
  • Docstring Coverage: ✅ Passed. No functions found in the changes. Docstring coverage check skipped.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f6ed2f2 and f6ff8a1.

📒 Files selected for processing (1)
  • oci/Containerfile (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: build (macOS-latest, 1.20)
  • GitHub Check: build (ubuntu-latest, 1.20)
  • GitHub Check: build-and-push-image
🔇 Additional comments (1)
oci/Containerfile (1)

15-15: Reconsider removing digest pinning for security and reproducibility.

Removing the SHA256 digest degrades security posture by allowing the base image to change between builds without explicit control. This reduces build reproducibility and opens a potential supply chain attack vector if the stream9 tag is updated with compromised content.

The claim that "the digest may disappear over time" is inaccurate—digests are immutable references and more stable than tags. Additionally, this creates an inconsistency with the builder stage (line 1), which still uses digest pinning.

Regarding Renovate automation: Renovate can manage Docker base image digests with explicit configuration like "pinDigests": true or packageRules with matchDatasources: ["docker"]. However, the local renovate.json does not currently show Docker base image management enabled. Verify whether the shared config (github>platform-engineering-org/.github) includes Docker manager configuration; if not, explicitly add "pinDigests": true and Docker packageRules to renovate.json to enable digest management for base images.


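A CI check of the kind the reproducibility point in the comment above calls for, as an added example (not code from this PR or the crc-org project): it scans a Containerfile for FROM lines that reference a base image by tag only and reports when build stages are pinned inconsistently, the builder-pinned / final-stage-unpinned layout the review describes. The sample Containerfile and the all-zero digest are constructed placeholders.

```python
# Added example, not part of the PR or the crc-org project. Flags FROM lines
# whose base image carries no sha256 digest and reports mixed pinning across
# stages. Sample Containerfile content and digest value are constructed.
import re

# FROM [--platform=...] <image> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?",
    re.IGNORECASE,
)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def check_containerfile(text: str) -> dict:
    """Return {'pinned': [(line, ref)], 'unpinned': [(line, ref)], 'mixed': bool}.

    References to earlier named stages (FROM builder) and the empty image
    'scratch' pull nothing from a registry and are skipped; every other FROM
    must carry a sha256 digest to count as pinned.
    """
    stages, pinned, unpinned = set(), [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, stage = m.group("ref"), m.group("stage")
        if ref in stages or ref == "scratch":
            continue
        if stage:
            stages.add(stage)
        (pinned if DIGEST_RE.search(ref) else unpinned).append((lineno, ref))
    return {"pinned": pinned, "unpinned": unpinned,
            "mixed": bool(pinned) and bool(unpinned)}


# Constructed sample mirroring the reviewed layout: builder pinned, runtime not.
SAMPLE = """\
FROM quay.io/centos/centos:stream9@sha256:{d} AS builder
RUN make build
FROM quay.io/centos/centos:stream9
COPY --from=builder /out/app /usr/local/bin/app
""".format(d="0" * 64)  # placeholder digest, not a real one

if __name__ == "__main__":
    report = check_containerfile(SAMPLE)
    for lineno, ref in report["unpinned"]:
        print(f"line {lineno}: base image not digest-pinned: {ref}")
    if report["mixed"]:
        print("build stages are pinned inconsistently")
```

Running it as a CI step and failing on a non-empty "unpinned" list keeps every stage of a multi-stage build on an immutable reference, while a tool such as Renovate with "pinDigests" enabled (as the comment above suggests) handles bumping the digests.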

@cfergeau left a comment

Looks good to me

@cfergeau cfergeau merged commit 1d83b80 into crc-org:main Oct 21, 2025
4 checks passed
