From 82bd9081c8de3fbe44278332e46de51a60dd22dd Mon Sep 17 00:00:00 2001
From: Dan C Williams
Date: Thu, 26 Feb 2026 11:53:35 -0600
Subject: [PATCH] Pin base image digests and add Renovate for automated updates

Renovate will open PRs automatically when debian:bookworm-slim or debian:sid-slim receive updates (e.g. security patches), keeping the container current without relying solely on scheduled rebuilds.
---
.github/workflows/build.yaml | 4 ++--
build/Dockerfile | 4 ++--
renovate.json | 15 +++++++++++++++
3 files changed, 19 insertions(+), 4 deletions(-)
create mode 100644 renovate.json

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index a269aa0..c36a933 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -98,9 +98,9 @@ jobs:
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
# debian:bookworm-slim has no riscv64 image; fall back to sid-slim for that platform
if [ "$platform" = "linux/riscv64" ]; then
-echo "RUNTIME_IMAGE=debian:sid-slim" >> $GITHUB_ENV
+echo "RUNTIME_IMAGE=debian:sid-slim@sha256:a145cf2bc72431523b8f5d152e9cbcc20cfaeccdb7626802f5ce6fb31a6f58bb" >> $GITHUB_ENV
else
-echo "RUNTIME_IMAGE=debian:bookworm-slim" >> $GITHUB_ENV
+echo "RUNTIME_IMAGE=debian:bookworm-slim@sha256:74a21da88cf4b2e8fde34558376153c5cd80b00ca81da2e659387e76524edc73" >> $GITHUB_ENV
fi
- name: Set version
diff --git a/build/Dockerfile b/build/Dockerfile
index 7cd6a27..9fb2029 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
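Review bot: The two digests echoed into `RUNTIME_IMAGE` are a second copy of the pins in build/Dockerfile that the Renovate config added by this commit will not maintain: its package rule targets the `dockerfile` manager, and as far as I can tell no built-in manager parses image references inside a workflow `run:` script (the github-actions manager reads `uses:` and `container:` entries only). Since this step overrides the Dockerfile's `ARG RUNTIME_IMAGE` default (the Dockerfile comment says so), CI would keep building on the digest frozen here while Renovate advances the one in the Dockerfile, which quietly defeats the stated goal of picking up base-image security patches. One option is to make the Dockerfile the single source of truth, e.g. `echo "RUNTIME_IMAGE=$(sed -n 's/^ARG RUNTIME_IMAGE=//p' build/Dockerfile)" >> "$GITHUB_ENV"` for the default branch and extracting the pinned `FROM … AS build` reference the same way for the riscv64 branch; the alternative is a Renovate `customManagers` regex entry that matches `RUNTIME_IMAGE=<image>:<tag>@sha256:<digest>` in this workflow. Whichever is chosen, a comment above the `if` should say where the pin is maintained so the next digest bump does not update only one copy.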
@@ -1,10 +1,10 @@
# ARG before any FROM is global and available in FROM instructions.
# debian:bookworm-slim is the default; the workflow overrides to debian:sid-slim for riscv64 # since bookworm has no riscv64 image.
-ARG RUNTIME_IMAGE=debian:bookworm-slim
+ARG RUNTIME_IMAGE=debian:bookworm-slim@sha256:74a21da88cf4b2e8fde34558376153c5cd80b00ca81da2e659387e76524edc73
# debian:sid-slim is required for the build stage to support riscv64 (golang:bookworm does not).
-FROM debian:sid-slim AS build
+FROM debian:sid-slim@sha256:a145cf2bc72431523b8f5d152e9cbcc20cfaeccdb7626802f5ce6fb31a6f58bb AS build
ARG version
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..fad92a0
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,15 @@
+{
+"$schema": "https://docs.renovatebot.com/renovate-schema.json",
+"extends": ["config:recommended"],
+"docker": {
+"pinDigests": true
+},
+"packageRules": [
+{
+"matchManagers": ["dockerfile"],
+"matchPackageNames": ["debian"],
+"commitMessageTopic": "debian base image",
+"schedule": ["at any time"]
+}
+]
+}
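Review bot: Nothing in the hunk records that these `@sha256` pins must be manifest-list (multi-arch index) digests rather than one platform's image digest; the same sid-slim digest is reused for both the build stage and the riscv64 runtime in the workflow, and the workflow appears to build a platform matrix, so a per-arch digest would fail or silently resolve the wrong architecture on every other `--platform`. Worth a comment next to the `ARG`, e.g. `# @sha256 pins are multi-arch manifest-list digests (valid for every --platform); bump only via the Renovate PRs`. That same comment should carry the caveat the commit message implies but does not state: a digest pin freezes the base, so a scheduled rebuild now reproduces the same Debian userland until a Renovate PR is merged, and patch latency is bounded by merge latency rather than by the rebuild schedule. If the build stage apt-installs its toolchain outside this hunk, the pin covers only the base layers, not what apt fetches at build time.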
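Review bot: The `debian` rule opens PRs at any time but nothing merges them, so base-image security fixes still wait on a human, which is the latency the commit message sets out to remove; if that is the intent, consider adding `"matchUpdateTypes": ["digest"]` and `"automerge": true` to this rule. Renovate only automerges once the required status checks pass, so the build workflow remains the gate, but an automerged base bump is an unreviewed supply-chain input and that trade-off should be decided explicitly rather than left implicit. Note also that `docker.pinDigests` applies to every Docker reference Renovate discovers, not only `debian`, so any other image the repository references will start receiving digest PRs as well; that is reasonable, but it goes beyond what the commit message describes and is worth a line in the description.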