[PR #295] [MERGED] chore: bump and digest-pin Bun base image to 1.3.14 #3019

New Issue

Closed

opened 2026-05-20 14:51:33 -05:00 by GiteaMirror · 0 comments

GiteaMirror commented 2026-05-20 14:51:33 -05:00

Owner

Copy Link

📋 Pull Request Information

Original PR: https://github.com/RayLabsHQ/gitea-mirror/pull/295
Author: @arunavo4
Created: 5/19/2026
Status: ✅ Merged
Merged: 5/19/2026
Merged by: @arunavo4

Base: main ← Head: ci/pin-bun-docker

---

📝 Commits (1)

• 03fcc57 chore: bump and digest-pin Bun base image to 1.3.14

📊 Changes

1 file changed (+2 additions, -2 deletions)

View changed files

📝 Dockerfile (+2 -2)

📄 Description

Summary

Extends the supply-chain hardening from #293 (GitHub Actions → SHA pins) to the Dockerfile.

• Bumps Bun: oven/bun:1.3.13-debian → 1.3.14-debian (released 2026-05-13)
• Pins to digest: @sha256:9dba1a1b43ce28c9d7931bfc4eb00feb63b0114720a0277a8f939ae4dfc9db6f (multi-arch manifest list, covers both linux/amd64 and linux/arm64)
• Applies to both base and runner stages so every layer derives from the exact same digest

A tag like 1.3.14-debian is mutable on Docker Hub the same way a GH Action tag is mutable on GitHub — the maintainer can re-push it to a different image at any time. Pinning to the digest means even a compromised Docker Hub account can't change what we pull on the next build.

Test plan

• Confirmed oven/bun:1.3.14-debian exists on Docker Hub and resolved its multi-arch digest
• CI's docker job pulls the new digest and builds successfully (validates the digest is correct and the image is reachable from GitHub runners)

Follow-ups not in this PR

• BUN_VERSION: "1.3.13" in e2e-tests.yml and the bare 1.3.13 literal in astro-build-test.yml — those install Bun on the runner via oven-sh/setup-bun, separate concern from the Docker base image. Worth bumping to match, but not strictly part of "pin the image."

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/RayLabsHQ/gitea-mirror/pull/295 **Author:** [@arunavo4](https://github.com/arunavo4) **Created:** 5/19/2026 **Status:** ✅ Merged **Merged:** 5/19/2026 **Merged by:** [@arunavo4](https://github.com/arunavo4) **Base:** `main` ← **Head:** `ci/pin-bun-docker` --- ### 📝 Commits (1) - [`03fcc57`](https://github.com/RayLabsHQ/gitea-mirror/commit/03fcc57c4e5d587f17ff83f1d589928fda136853) chore: bump and digest-pin Bun base image to 1.3.14 ### 📊 Changes **1 file changed** (+2 additions, -2 deletions) <details> <summary>View changed files</summary> 📝 `Dockerfile` (+2 -2) </details> ### 📄 Description ## Summary Extends the supply-chain hardening from #293 (GitHub Actions → SHA pins) to the Dockerfile. - **Bumps Bun**: `oven/bun:1.3.13-debian` → `1.3.14-debian` (released 2026-05-13) - **Pins to digest**: `@sha256:9dba1a1b43ce28c9d7931bfc4eb00feb63b0114720a0277a8f939ae4dfc9db6f` (multi-arch manifest list, covers both `linux/amd64` and `linux/arm64`) - Applies to both `base` and `runner` stages so every layer derives from the exact same digest A tag like `1.3.14-debian` is mutable on Docker Hub the same way a GH Action tag is mutable on GitHub — the maintainer can re-push it to a different image at any time. Pinning to the digest means even a compromised Docker Hub account can't change what we pull on the next build. ## Test plan - [x] Confirmed `oven/bun:1.3.14-debian` exists on Docker Hub and resolved its multi-arch digest - [ ] CI's `docker` job pulls the new digest and builds successfully (validates the digest is correct and the image is reachable from GitHub runners) ## Follow-ups not in this PR - `BUN_VERSION: "1.3.13"` in `e2e-tests.yml` and the bare `1.3.13` literal in `astro-build-test.yml` — those install Bun on the runner via `oven-sh/setup-bun`, separate concern from the Docker base image. Worth bumping to match, but not strictly part of "pin the image." --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

GiteaMirror added the pull-request label 2026-05-20 14:51:33 -05:00

GiteaMirror closed this issue 2026-05-20 14:51:34 -05:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

chore/audit-npm-overrides

chore/bump-npm-cve-overrides

fix/mirror-sync-bugs-262-263-264

v3.16.0

v3.15.12

v3.15.11

v3.15.10

v3.15.9

v3.15.8

v3.15.7

v3.15.6

v3.15.5

v3.15.4

v3.15.3

v3.15.2

v3.15.1

v3.15.0

v3.14.2

v3.14.1

v3.14.0

v3.13.4

v3.13.3

v3.13.2

v3.13.1

v3.13.0

v3.12.5

v3.12.4

v3.12.3

v3.12.2

v3.12.1

v3.12.0

v3.11.0

v3.10.1

v3.10.0

v3.9.6

v3.9.5

v3.9.4

v3.9.3

v3.9.2

v3.9.0

v3.8.11

v3.8.10

v3.8.9

v3.8.8

v3.8.7

v3.8.6

v3.8.5

v3.8.4

v3.8.3

v3.8.2

v3.8.1

v3.8.0

v3-sso

v3.7.2

v3.7.1

v3.7.0

v3.6.0

v3.5.4

v3.5.3

v3.5.2

v3.5.1

v3.5.0

v3.4.0

v3.3.0

v3.2.6

v3.2.5

v3.2.4

v3.2.3

v3.2.2

v3.2.1

v3.2.0

v3.1.1

v3.1.0

v3.0.1

v3.0.0

v2.22.0

v2.21.0

v2.20.1

v2.20.0

v2.18.0

v2.17.0

v2.16.3

v2.16.2

v2.16.1

v2.16.0

v2.15.0

v2.14.0

v2.13.2

v2.13.1

v2.13.0

v2.12.0

v2.11.2

v2.11.1

v2.11.0

v2.10.0

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.8.0

v2.7.0

v2.6.0

v2.5.4

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.1.0

v2.0.0

v1.0.0

Labels

Clear labels

bug

documentation

enhancement

help wanted

pull-request

Mirrored from GitHub Pull Request

question

No Label pull-request

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/gitea-mirror#3019