Improve documentation around labels and use in CI

elopez · elopez · commit d0a5dfdedacc · 2024-12-18T13:02:13.000+01:00
diff --git a/README.md b/README.md
@@ -96,7 +96,20 @@ v14.21.3
 A variant of the image is published on GitHub Container Registry as
 [`ghcr.io/trailofbits/eth-security-toolbox/ci`](https://github.com/trailofbits/eth-security-toolbox/pkgs/container/eth-security-toolbox%2Fci).
 This variant is meant to be slightly lighter, and better suited for its use in
-CI contexts such as [GitHub workflow jobs](https://docs.github.com/en/actions/writing-workflows/choosing-where-your-workflow-runs/running-jobs-in-a-container).
+CI contexts such as [GitHub workflow jobs](https://docs.github.com/en/actions/writing-workflows/choosing-where-your-workflow-runs/running-jobs-in-a-container):
+
+
+```yaml
+# workflow triggers, ...
+
+jobs:
+  tests:
+    runs-on: ubuntu-latest
+    container: ghcr.io/trailofbits/eth-security-toolbox/ci:nightly
+    steps:
+      # other steps ...
+      - run: medusa fuzz # or any tool from the image
+```
 
 The main differences are:
  * The container does not have a dedicated non-root user. All tools are
@@ -106,6 +119,31 @@ The main differences are:
    install any binaries you may need.
  * pyevmasm and the building secure contracts repository are not included.
 
+## Container image labels
+
+Both `eth-security-toolbox` and `eth-security-toolbox/ci` use the following
+label convention:
+
+| Label              | Description
+|--------------------|--------------------------------------------------------
+| `nightly-YYYYMMDD` | Image built from the code in `master` on day YYYY-MM-DD
+| `nightly`          | Alias for the latest `nightly-YYYYMMDD` container image
+| `testing-BRANCH`   | Image built when the tip of `BRANCH` was last updated
+| `edge`             | Alias for `testing-master`
+| `TAG`              | Image built when `TAG` was tagged
+| `latest`           | Alias for the latest `TAG` container image
+
+To keep tooling in CI predictable, we recommend picking a `nightly-YYYYMMDD`
+image and pinning it by hash on your workflow file. Then, establish a process
+to review the changes and update the container reference on a regular cadence,
+so that you can continue to benefit from tool improvements. The following
+snippet shows the syntax used to pin the image on a GitHub Actions workflow;
+the hashes may be obtained from the [container registry page](https://github.com/orgs/trailofbits/packages?repo_name=eth-security-toolbox).
+
+```yaml
+container: ghcr.io/trailofbits/eth-security-toolbox/ci:nightly-YYYYMMDD@sha256:HASH_GOES_HERE
+```
+
 ## Getting Help
 
 Feel free to stop by our [Slack channel](https://slack.empirehacking.nyc/) for
