From f9e606d22d4c0ca9d1ac4eaa443dc5b4f8ae3709 Mon Sep 17 00:00:00 2001 From: SysAdmin Date: Sun, 26 Apr 2026 11:48:48 +0100 Subject: [PATCH] fix(linux/build): pin BUILDER_IMAGE to pushed registry digest (M1.1) Image built from Dockerfile.builder@36f7672 was pushed to both docker-registry:5000 (internal) and docker-registry.silverlabs.uk (external) under tags m1.1-bootstrap + latest. Both URLs serve the same registry, so the manifest digest is identical: sha256:cedef039425e0b0f5901c1023eda820c7aa38ab4b81c2bb1e12d64cadb3d6c85 Default points at the internal hostname for CI; external dev overrides via BUILDER_IMAGE env var. Co-Authored-By: Claude Opus 4.7 (1M context) --- linux/build/scripts/build.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/linux/build/scripts/build.sh b/linux/build/scripts/build.sh index d7bbcbc..df6a63a 100755 --- a/linux/build/scripts/build.sh +++ b/linux/build/scripts/build.sh @@ -27,7 +27,12 @@ cd "${REPO_ROOT}" # --- Pinned builder image --------------------------------------------------- # Bumped together with linux/build/docker/Dockerfile.builder. The digest form # is required; refusing the tag-only form is what stops a silent host drift. -BUILDER_IMAGE="${BUILDER_IMAGE:-docker-registry:5000/silvermetal-builder@sha256:REPLACE_WITH_PUSHED_DIGEST}" +# +# Default points at the internal registry hostname used by CI runners. The +# external endpoint (docker-registry.silverlabs.uk) serves the same registry +# and the same content-addressed digest, so external dev can override with: +# BUILDER_IMAGE=docker-registry.silverlabs.uk/silvermetal-builder@sha256:cedef039425e0b0f5901c1023eda820c7aa38ab4b81c2bb1e12d64cadb3d6c85 +BUILDER_IMAGE="${BUILDER_IMAGE:-docker-registry:5000/silvermetal-builder@sha256:cedef039425e0b0f5901c1023eda820c7aa38ab4b81c2bb1e12d64cadb3d6c85}" if [[ "${BUILDER_IMAGE}" != *"@sha256:"* ]]; then echo "build.sh: BUILDER_IMAGE must be pinned by digest, got: ${BUILDER_IMAGE}" >&2