
fix(ci): deploy container images by digest, not mutable tags#305

Merged
peteroden merged 1 commit into main from fix/299-image-digest-deploy on Mar 16, 2026

Conversation

@peteroden
Owner

What

Capture GHCR image digest after push and use it for immutable ACR import and ACA deployment.

Why

GHCR→ACR import and ACA deployment used mutable image tags. A compromised GHCR image with the same tag could be deployed without detection.

Changes

  • .github/workflows/deploy.yml:
    • Capture digest after docker push via docker inspect
    • Validate digest format (sha256:<64 hex>) before proceeding
    • Pass image_digest to Terraform apply
  • infra/variables-apps.tf:
    • New image_digest variable with format validation
  • infra/container-apps.tf:
    • ACR import uses @digest as source (immutable pull from GHCR)
    • Trigger changed from image_tag to image_digest
    • acr_image uses tag@digest format (tag for readability, digest for integrity)

Design decisions

  • tag@digest format: Valid OCI spec, supported by ACA/containerd. Tag provides human readability in Azure Portal; digest is authoritative.
  • Unconditional validation: Workflow fails fast if digest extraction returns garbage.

How to test

  1. cd infra && terraform init -backend=false && terraform validate
  2. Deploy workflow: verify digest appears in GITHUB_OUTPUT
  3. After apply: verify ACR image was imported by digest, ACA container uses digest reference

Review notes

  • OWASP review: addressed LOW finding (added validation regex)
  • Cross-vendor code review: addressed HIGH finding (added digest extraction error handling)

Closes #299
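The digest capture, format validation and tag@digest assembly described above, as an added example that is not the project's own workflow code. The docker output is replaced by a constructed sample string so the script runs offline; the `docker inspect` invocation in the comment is the assumed form, not a quote from the workflow.

```shell
#!/usr/bin/env bash
# Added example, not the project's workflow code. The docker output is replaced by a
# constructed sample string so it runs offline; in a real job the value would come from
# `docker inspect --format '{{index .RepoDigests 0}}' "$IMAGE:$TAG"` after the push.
set -eu
# Constructed sample of a RepoDigests entry: <registry>/<repo>@sha256:<64 hex>.
SAMPLE_REPO_DIGEST='ghcr.io/example-org/example-app@sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08'

# Strip the repository prefix, leaving only the "sha256:<hex>" part.
digest_from_repo_digest() {
  printf '%s\n' "${1##*@}"
}

# Fail-fast check: exactly "sha256:" followed by 64 lowercase hex characters.
# Empty output, "<no value>", an error message or an uppercase digest are all rejected.
validate_digest() {
  local digest="$1"
  case "$digest" in
    sha256:*) ;;
    *) return 1 ;;
  esac
  local hex="${digest#sha256:}"
  [ "${#hex}" -eq 64 ] || return 1
  case "$hex" in
    *[!0-9a-f]*) return 1 ;;
  esac
  return 0
}

# Build the tag@digest reference used for the ACA image: the tag is for readability,
# the digest is what the runtime actually resolves and verifies.
image_ref_with_digest() {
  local repo="$1" tag="$2" digest="$3"
  validate_digest "$digest" || { echo "invalid digest, refusing to build reference: $digest" >&2; return 1; }
  printf '%s:%s@%s\n' "$repo" "$tag" "$digest"
}

main() {
  local digest
  digest="$(digest_from_repo_digest "$SAMPLE_REPO_DIGEST")"
  if ! validate_digest "$digest"; then
    echo "digest extraction returned garbage: '$digest'" >&2
    exit 1
  fi
  # In GitHub Actions this line would be appended to "$GITHUB_OUTPUT" instead of stdout.
  echo "image_digest=$digest"
  image_ref_with_digest "ghcr.io/example-org/example-app" "v1.2.3" "$digest"
}
main
```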

@peteroden peteroden added the security Security hardening label Mar 16, 2026
@peteroden peteroden force-pushed the fix/299-image-digest-deploy branch from 3203b91 to 6e21558 on March 16, 2026 15:35
Capture image digest after GHCR push and pass it through to Terraform.
ACR import now uses digest as the source reference for immutable pulls.
ACA deployment uses tag@digest format for both readability and integrity.

Closes #299

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@peteroden peteroden force-pushed the fix/299-image-digest-deploy branch from 6e21558 to 52bddda on March 16, 2026 15:40
@peteroden peteroden merged commit 5667ae9 into main Mar 16, 2026
11 checks passed
@peteroden peteroden deleted the fix/299-image-digest-deploy branch March 16, 2026 15:55


Development

Successfully merging this pull request may close these issues.

Import and deploy container images by digest, not mutable tags
