Bump distroless Docker base images to Debian 13 by Copilot · Pull Request #834 · ironcore-dev/ceph-provider

Copilot · 2026-02-13T13:10:51Z

Proposed Changes

Updated gcr.io/distroless/static:nonroot → gcr.io/distroless/static-debian13:nonroot@sha256:01e550fdb7ab79ee7be5ff440a563a58f1fd000ad9e0c532e65c3d23f917f1c5 to explicitly pin Debian version and digest
Updated gcr.io/distroless/base-debian12 → gcr.io/distroless/base-debian13:latest@sha256:8c8b7cf2a01e2d1c683128b2488d77139fa90ec8cb807f0ae260d57f7022dedd (pinned to specific digest)
Both base images are now pinned to specific SHA256 digests for reproducible builds
Base image uses :latest tag to enable root permissions during build stage for directory creation operations
Runtime images explicitly set USER 65532:65532 to maintain nonroot security posture

Original prompt

This section details on the original issue you should resolve

<issue_title>Bump distroless docker base images</issue_title>
<issue_description># Summary

Our Dockerfile uses distroless as base image in two places:

https://github.com/ironcore-dev/ceph-provider/blob/main/Dockerfile#L73

https://github.com/ironcore-dev/ceph-provider/blob/main/Dockerfile#L83

They should be updated to debian 13. See here for an overview of available images.

Motivation

Our base image gcr.io/distroless/static:nonroot is not tagged to a debian release. According to GoogleContainerTools/distroless#1851 (comment) this is not safe. We should make the debian 13 explicit.

The other base image gcr.io/distroless/base-debian12 is still using debian 12 and should be bumped to 13.
</issue_description>

<agent_instructions>Bump the docker base images as instructed in the issue. In addition, apply an explicit tag to the gcr.io/distroless/base-debian13 image.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

Fixes Bump distroless docker base images #832

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Dockerfile

Co-authored-by: gonzolino <3019505+gonzolino@users.noreply.github.com>

Copilot AI assigned Copilot and gonzolino Feb 13, 2026

github-project-automation bot added this to Storage Feb 13, 2026

Copilot started work on behalf of gonzolino February 13, 2026 13:11 View session

Copilot AI changed the title ~~[WIP] Update distroless docker base images to debian 13~~ Bump distroless Docker base images to Debian 13 Feb 13, 2026

Copilot AI requested a review from gonzolino February 13, 2026 13:13

Copilot finished work on behalf of gonzolino February 13, 2026 13:13

gonzolino moved this to In Progress in Storage Feb 13, 2026

github-actions bot added the size/XS label Feb 13, 2026

gonzolino added ok-to-image enhancement New feature or request and removed size/XS labels Feb 13, 2026

gonzolino requested changes Feb 13, 2026

View reviewed changes

Dockerfile Outdated Show resolved Hide resolved

Copilot started work on behalf of gonzolino February 13, 2026 13:47 View session

Copilot AI requested a review from gonzolino February 13, 2026 13:49

Copilot finished work on behalf of gonzolino February 13, 2026 13:49

hardikdr added the area/storage Storage solutions and related concerns. label Feb 14, 2026

hardikdr added this to Roadmap Feb 14, 2026

gonzolino reviewed Feb 16, 2026

View reviewed changes

Dockerfile Outdated Show resolved Hide resolved

Copilot started work on behalf of gonzolino February 16, 2026 13:18 View session

Copilot AI requested a review from gonzolino February 16, 2026 13:20

Copilot finished work on behalf of gonzolino February 16, 2026 13:20

github-actions bot added the size/XS label Feb 16, 2026

gonzolino added the integration-tests label Feb 16, 2026

gonzolino marked this pull request as ready for review February 16, 2026 13:29

gonzolino requested a review from a team as a code owner February 16, 2026 13:29

Copilot AI and others added 2 commits February 16, 2026 14:46

Bump distroless Docker base images to Debian 13

b693359

Co-authored-by: gonzolino <3019505+gonzolino@users.noreply.github.com>

Pin base-debian13:latest and static-debian13:nonroot to specific digest

9786170

Co-authored-by: gonzolino <3019505+gonzolino@users.noreply.github.com>

gonzolino force-pushed the copilot/bump-distroless-docker-images branch from 4c509ee to 9786170 Compare February 16, 2026 13:50

gonzolino approved these changes Feb 16, 2026

View reviewed changes

gonzolino merged commit 81733f8 into main Feb 16, 2026
10 checks passed

gonzolino deleted the copilot/bump-distroless-docker-images branch February 16, 2026 13:56

github-project-automation bot moved this to Done in Roadmap Feb 16, 2026

github-project-automation bot moved this from In Progress to Done in Storage Feb 16, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump distroless Docker base images to Debian 13#834

Bump distroless Docker base images to Debian 13#834
gonzolino merged 2 commits intomainfrom
copilot/bump-distroless-docker-images

Copilot AI commented Feb 13, 2026 •

edited

Loading

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

Copilot AI commented Feb 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Proposed Changes

Motivation

Comments on the Issue (you are @copilot in this section)

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Copilot AI commented Feb 13, 2026 •

edited

Loading