Harden Dockerfile external artifact pinning #28

@develNor

Goal

Harden the Dockerfile supply chain by pinning externally downloaded artifacts and cloned sources, and clean up stale Dockerfile comments.

Scope

  • In scope: Dockerfile external downloads, release artifact checksums, Git clone refs, related build args, documentation/comments, and Docker/E2E validation.
  • Out of scope: changing the base image strategy unless needed to keep the existing pinned digest contract valid.

Constraints

  • Follow CONTRIBUTING.md, DEVELOPMENT_PRINCIPLES.md, and AGENTS.md.
  • Dockerfile changes require at least one fast E2E smoke test or an explanation why none is needed.
  • Downloaded external binaries should be versioned and, where practical, checksum-verified.
  • Do not weaken Docker build behavior to make checks pass.

Background

The Dockerfile pins the base image digest, which is good, but it also downloads external artifacts from Eclipse Zenoh and GitHub/Foxglove release URLs and clones a GitHub repository during build. These should be versioned and checksum-verified or pinned where practical.

Concrete direction for downloaded binaries:

ARG MCAP_CLI_VERSION=0.0.62
ARG MCAP_CLI_SHA256=<expected_sha256>
RUN curl -fsSL -o /usr/local/bin/mcap \
      "https://github.com/foxglove/mcap/releases/download/releases%2Fmcap-cli%2Fv${MCAP_CLI_VERSION}/mcap-linux-amd64" \
 && echo "${MCAP_CLI_SHA256}  /usr/local/bin/mcap" | sha256sum -c - \
 && chmod +x /usr/local/bin/mcap

Concrete direction for Git clones:

ARG NOVATEL_OEM7_REF=<commit_sha>
RUN git clone https://github.com/novatel/novatel_oem7_driver.git ${CUSTOM_WS}/src/novatel_oem7_driver \
 && cd ${CUSTOM_WS}/src/novatel_oem7_driver \
 && git checkout --detach "${NOVATEL_OEM7_REF}"

Also check for stale comments. For example, the Dockerfile says the base is ROS 2 Lyrical, while a rosdep hotfix comment references a Jazzy image. Small drift in infra-heavy repos erodes trust.

Acceptance Criteria

  • External binaries downloaded during Docker build are versioned and checksum-verified where practical.
  • Git repositories cloned during Docker build are pinned to immutable commit SHAs or another justified immutable ref.
  • Build args expose versions/checksums/refs in a maintainable way without defaulting to moving branches.
  • Stale Dockerfile comments are corrected or removed.
  • Docker build/runtime docs are updated if any public build arg or maintenance workflow changes.
  • Fast Docker E2E smoke coverage is run or a clear reason is recorded if it cannot be run.

Checks

  • just lint
  • just typecheck
  • just test-unit
  • just test-contract
  • just docs
  • just check
  • just test-e2e-fast

Final Report

  • External artifacts pinned:
  • Checksums/refs used:
  • Comments/docs changed:
  • Checks run:
  • Remaining risks or follow-up:
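
An added example, not part of the original issue or the project's own tooling: a small Python audit for the acceptance criteria above. It flags RUN steps that download with curl/wget without a sha256sum check against a 64-hex value, and git clones that are not checked out at a full 40-hex commit SHA. The sample Dockerfile, its URLs, ARG names and hex values are constructed, and the regexes assume the echo-pipe-sha256sum and git checkout shapes shown in the issue.

```python
import re

HEX40 = re.compile(r"[0-9a-f]{40}")   # full Git commit SHA-1
HEX64 = re.compile(r"[0-9a-f]{64}")   # SHA-256 digest

def instructions(text):
    """Drop comment lines, then join backslash continuations."""
    text = re.sub(r"(?m)^[ \t]*#.*\n?", "", text)
    text = re.sub(r"\\[ \t]*\n", " ", text)
    return [ln.strip() for ln in text.splitlines() if ln.strip()]

def resolve(token, args):
    """Map "$NAME" / "${NAME}" to its ARG default; literals pass through."""
    m = re.fullmatch(r"\$\{?(\w+)\}?", token.strip("\"'"))
    return args.get(m.group(1), "") if m else token.strip("\"'")

def audit(dockerfile):
    """Return (rule, instruction) findings for unpinned downloads and clones."""
    args, findings = {}, []
    for ins in instructions(dockerfile):
        arg = re.match(r"ARG\s+(\w+)(?:=(.*))?$", ins)
        if arg:
            args[arg.group(1)] = (arg.group(2) or "").strip("\"'")
        if not ins.startswith("RUN "):
            continue
        if re.search(r"\b(curl|wget)\b", ins):
            chk = re.search(r'echo\s+"(\S+)\s+[^"]*"\s*\|\s*sha256sum\s+(?:-c|--check)\b', ins)
            if not chk:
                findings.append(("download-without-checksum", ins))
            elif not HEX64.fullmatch(resolve(chk.group(1), args)):
                findings.append(("checksum-not-a-sha256", ins))  # e.g. unfilled placeholder
        if re.search(r"\bgit\s+clone\b", ins):
            ref = re.search(r"\bgit\s+checkout\s+(?:--detach\s+)?(\S+)", ins)
            if not ref or not HEX40.fullmatch(resolve(ref.group(1), args)):
                findings.append(("clone-not-pinned-to-commit", ins))  # branch, tag or no checkout
    return findings

# Constructed sample Dockerfile; URLs, ARG names and hex values are made up.
SAMPLE = f"""\
ARG TOOL_SHA256={'0' * 64}
RUN curl -fsSL -o /usr/local/bin/tool https://example.invalid/tool \\
 && echo "${{TOOL_SHA256}}  /usr/local/bin/tool" | sha256sum -c -
RUN curl -fsSL -o /usr/local/bin/other https://example.invalid/other
ARG DRIVER_REF=main
RUN git clone https://example.invalid/driver.git /ws/src/driver \\
 && cd /ws/src/driver && git checkout --detach "${{DRIVER_REF}}"
"""
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The check reads ARG defaults only, so a value overridden with --build-arg at build time is outside what it sees.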


Labels: agent-ready (Ready for an agent or contributor to pick up), dependencies (Pull requests that update a dependency file)
